First posted on 01 March 2007.
Source: SecurityHome
Nilage.AUT is also known as Trojan-PSW.Win32.Nilage.aut, Trj/Lineage.BLQ, TSPY_NILAGE.AUT.
Nilage.AUT, a variant of Nilage, is a Trojan. Nilage.AUT drops and loads a password-stealing component on the infected system and steals sensitive information from it. Nilage.AUT also attempts to download and install other malware on the system.
Once Nilage.AUT has been executed it will drop the following file:
It will register its DLL component as a Browser Helper Object (BHO) so that every time Internet Explorer is loaded, Nilage.AUT is also loaded:
- HKLM\SOFTWARE\Classes\CLSID\{267709FD-A691-43B0-BF38-0DF6887A9B44}\InProcServer32
@ = "%windir%\winpsfisle.dll"
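The BHO registration above is the persistence mechanism a defender can hunt for. The following Python script is added here as an example and is not part of the original advisory: it parses a Regedit 5 export and cross-references Internet Explorer's BHO list (the Explorer\Browser Helper Objects key, the standard registration location, which the advisory does not quote) against each CLSID's InProcServer32 default value, then flags any BHO whose DLL sits directly in the Windows directory, as this one does. The registry export is a constructed sample.

```python
# Standard registry locations (not quoted on the page): IE loads every CLSID listed
# under BHO_KEY and resolves its DLL through CLSID_KEY\{clsid}\InProcServer32.
BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"

# Directories whose immediate children are unusual homes for a legitimate BHO DLL.
WINDOWS_DIRS = ("%windir%", "%systemroot%", "c:\\windows", "c:\\winnt")

# Constructed Regedit 5 export (sample data, not from a real system): one BHO registered
# at the CLSID the advisory lists, plus one benign-looking BHO for contrast.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{267709FD-A691-43B0-BF38-0DF6887A9B44}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-0000-0000-0000-000000000001}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{267709FD-A691-43B0-BF38-0DF6887A9B44}\InProcServer32]
@="%windir%\\winpsfisle.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{AAAAAAAA-0000-0000-0000-000000000001}\InProcServer32]
@="C:\\Program Files\\Example Vendor\\helper.dll"
"ThreadingModel"="Apartment"
"""


def parse_reg(text):
    """Parse a Regedit 5 export into {key_path: {value_name: data}}.
    Only REG_SZ values are decoded; that is all a BHO lookup needs."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None and "=" in line:
            name, _, data = line.partition("=")
            name = "@" if name == "@" else name.strip('"')
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg backslash escaping
            keys[current][name] = data
    return keys


def registered_bhos(keys):
    """Return {clsid: dll_path_or_None} for every CLSID listed as a BHO."""
    lower = {k.lower(): v for k, v in keys.items()}
    prefix = BHO_KEY.lower() + "\\"
    bhos = {}
    for key in keys:
        if key.lower().startswith(prefix):
            clsid = key[len(prefix):]
            server = lower.get(f"{CLSID_KEY}\\{clsid}\\InProcServer32".lower(), {})
            bhos[clsid] = server.get("@")
    return bhos


def _in_windows_root(path):
    """True when the file is an immediate child of the Windows directory (not system32)."""
    low = path.lower()
    for d in WINDOWS_DIRS:
        if low.startswith(d + "\\"):
            return "\\" not in low[len(d) + 1:]
    return False


def suspicious_bhos(keys):
    """Flag BHOs with a dangling CLSID (no InProcServer32) or a DLL dropped straight
    into the Windows directory rather than a vendor folder."""
    flagged = []
    for clsid, dll in registered_bhos(keys).items():
        if dll is None:
            flagged.append((clsid, dll, "no InProcServer32 registered"))
        elif _in_windows_root(dll):
            flagged.append((clsid, dll, "DLL sits directly in the Windows directory"))
    return flagged


if __name__ == "__main__":
    for clsid, dll, reason in suspicious_bhos(parse_reg(SAMPLE_REG)):
        print(f"{clsid} -> {dll}: {reason}")
```

On a live system the same checks can be run against `reg export HKLM\SOFTWARE out.reg` output; the heuristic is deliberately narrow (Windows root only) so that vendor toolbars under Program Files do not generate noise.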
Every time the DLL component is executed, it drops and executes its .EXE component in the following path and filename:
Payload
The main payload of Nilage.AUT is to steal information about online games such as Lineage and Maple Story, both of which are popular in Korea.
Nilage.AUT includes keylogging functionality.
Nilage.AUT steals information related to the following:
Class Names
- Internet Explorer_Server
- Lineage
- Lineage Windows Client
- MapleStory
- MapleStoryClass
Running Process Names
- Angel.dat
- Game.exe
- IEXPLORE.EXE
- Lineage
- Lineage.exe
- MapleStory.exe
- NineDragons.EXE
Visited URL:
- http://club.pchome.com.tw/
- http://tw.gamania.com
- http://tw.gamania.com/
- http://tw.gamania.com/GHOME/Home_Center.ASP
- http://tw.gamania.com/default.asp?user_locate=
- http://tw.gashcard.gamania.com
- http://tw.gashcard.gamania.com/
- http://tw.gashcard.gamania.com/index.asp
- http://tw.gashcard.gamania.com/space.htm
- http://tw.login.yahoo.com/cgi-bin/login.cgi?srv=club
- http://www.gamebase.com.tw/memberLogin.html
- https://tw.gash.gamania.com
- https://tw.gash.gamania.com/
- https://tw.gash.gamania.com/Blank.aspx
- https://tw.gash.gamania.com/GASHLogin.aspx
- https://tw.gash.gamania.com/UpdateServiceAccountPassword.aspx?ServiceCode=600035
- https://tw.goodlock.gamania.com
- https://tw.goodlock.gamania.com/
- https://tw.goodlock.gamania.com/GamaGoodLock.aspx
- https://tw.goodlock.gamania.com/Index.aspx
- https://tw.goodlock.gamania.com/ShowNew.aspx
- https://tw.goodlock.gamania.com/index.aspx
- https://user.gamer.com.tw/login.php
The gathered information, including usernames and passwords, is stored in this hard-coded path and filename:
Gathered information is sent to the hacker by posting the file to the following links:
- http://www.y8ne.com/mail/upfilets.asp
- http://www.y8ne.com/mail/upfile.asp
It also retrieves data from the following links for its malicious activity:
- http://www.xxxxx.com/xiaozi/sendmailqimo.asp?tomail=163@163.com&mailbody=
- http://www.y8ne.com/mail/1114.do?id=ad001&mailbody=
Aside from being a password stealer, Nilage.AUT is also a downloader. It downloads and executes other malware from the following link:
- http://www.hackrmb.com/6an[REMOVED].exe
and saves the download to the following path and filename:
- %windir%\javaclassesspoolsys.exe
To ensure that no error occurs, it deletes any existing file at that path before downloading the new one.
Note: As of this writing the link above is no longer available.
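The upload endpoints and download location above are the network indicators a defender can alert on. The Python script below is an added example, not part of the original advisory: it runs an indicator match over constructed Squid-style proxy log lines, tagging POSTs to the listed upload scripts as credential exfiltration, requests to the 1114.do URL as beacons, and executable downloads from the downloader host (the real path is redacted on the page, so only the host is matched), then groups hits per client so that a machine which both beacons and uploads stands out. The log lines and the client addresses are constructed.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Network indicators taken from the advisory.
EXFIL_ENDPOINTS = {
    ("www.y8ne.com", "/mail/upfilets.asp"),
    ("www.y8ne.com", "/mail/upfile.asp"),
}
BEACON_ENDPOINTS = {
    ("www.y8ne.com", "/mail/1114.do"),
}
DOWNLOAD_HOSTS = {"www.hackrmb.com"}

# Constructed sample proxy log (not from the page), Squid-style layout:
# timestamp client method url status bytes. The EXE path is a placeholder
# because the advisory redacts the real one.
SAMPLE_LOG = """\
1172707200.101 10.0.0.12 GET http://tw.gamania.com/ 200 5120
1172707201.330 10.0.0.12 POST http://www.y8ne.com/mail/upfile.asp 200 312
1172707202.008 10.0.0.15 GET http://www.hackrmb.com/REDACTED-SAMPLE.exe 200 98304
1172707203.500 10.0.0.12 GET http://www.y8ne.com/mail/1114.do?id=ad001&mailbody=abc 200 17
1172707204.000 10.0.0.20 GET http://www.example.com/ 200 1024
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) (?P<bytes>\d+)$"
)


def classify(url, method):
    """Return an indicator tag for one request, or None when it matches nothing."""
    parts = urlsplit(url)
    host, path = (parts.hostname or "").lower(), parts.path
    if (host, path) in EXFIL_ENDPOINTS and method == "POST":
        return "exfil-upload"        # stolen credential file being posted
    if (host, path) in BEACON_ENDPOINTS:
        return "beacon"              # data pulled from the operator's script
    if host in DOWNLOAD_HOSTS and path.lower().endswith(".exe"):
        return "payload-download"    # second-stage malware retrieval
    return None


def scan(log_text):
    """Yield (client, tag, url) for every log line that hits an indicator."""
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        tag = classify(m["url"], m["method"])
        if tag:
            hits.append((m["client"], tag, m["url"]))
    return hits


def infected_clients(hits):
    """Group indicator tags per client so multi-stage activity is visible at a glance."""
    clients = defaultdict(set)
    for client, tag, _ in hits:
        clients[client].add(tag)
    return dict(clients)


if __name__ == "__main__":
    for client, tags in sorted(infected_clients(scan(SAMPLE_LOG)).items()):
        print(f"{client}: {', '.join(sorted(tags))}")
```

Matching on host and path rather than the full URL keeps the rule stable when the query string varies (the beacon URL carries an id and mailbody parameter); a client showing both `beacon` and `exfil-upload` has already leaked credentials and should be isolated first.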
Nilage.AUT does not run correctly on all operating systems:
- Windows 2000 - Fully executes
- Windows 9x - Executes, but with some errors
- Windows XP - Does not execute properly
Nilage.AUT is coded using Borland Delphi.
Last update 01 March 2007