
TrojanSpy:Win32/Nivdort.AA


First posted on 12 February 2015.
Source: Microsoft

Aliases:

There are no other names known for TrojanSpy:Win32/Nivdort.AA.

Explanation:

Threat behavior

Installation
This threat can create files on your PC. It uses a random file name, such as:

  • %TEMP%\lunn6kw3k65qkcm198fhb.exe
  • \gstsjrsmrznl.exe
  • \zujtgmipwebb.exe


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "Upgrade Modules Discovery Shadow"
With data: "\gstsjrsmrznl.exe"



Payload


Collects your sensitive information

This threat can collect your sensitive information without your consent. This can include:

  • The keys you press
  • The applications you open
  • Your web browsing history
  • Your credit card information
  • Your user names and passwords


It could also imitate a legitimate website to lure you into revealing your sensitive information.

Modifies system settings
This threat can make changes to the way your PC behaves. It can:
  • Disable Firewall notifications from the Windows Security Center.


Connects to a remote host

We have seen this threat connect to a remote host, including:
  • wheelconsiderable.net using port 80
  • drivethirteen.net using port 80
  • wednesdayhalf.net using port 80
  • sensesound.net using port 80
  • enemyguess.net using port 80
  • queentell.net using port 80
  • muchhappy.net using port 80
  • soilunder.net using port 80
  • wheelbest.net using port 80
  • wheelthem.net using port 80
Malware can connect to a remote host to do any of the following:
  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate
This malware description was published using automated analysis of file SHA1 cb9e7349a2b0ee856ec76c5573aa29ebf413c700.

Symptoms

The following can indicate that you have this threat on your PC:

  • You see these files:
    • %TEMP%\lunn6kw3k65qkcm198fhb.exe
    • \gstsjrsmrznl.exe
    • \zujtgmipwebb.exe
  • You see registry modifications such as:
    • In subkey: HKLM\software\microsoft\security center
      Sets value: "FirewallDisableNotify"
      With data: "1"

    • In subkey: HKLM\software\microsoft\windows\currentversion\run
      Sets value: "Upgrade Modules Discovery Shadow"
      With data: "\gstsjrsmrznl.exe"
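A host-side check for the indicators listed above, added here as an example and not Microsoft's own tooling. It assumes an elevated PowerShell session on the host being inspected; the directory for the bare "\name.exe" files is an assumption, since the page does not state where they are written.

```powershell
# Added example (not from the page): look for the Nivdort.AA indicators on this host.
# Registry values, file names and domains come from the page; the directory for the
# bare "\name.exe" entries is an assumption, since the page does not give it.

$findings = @()

# Persistence: the Run key value name seen by the automated analysis.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'Upgrade Modules Discovery Shadow'
$run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
if ($run -and ($run.PSObject.Properties.Name -contains $runName)) {
    $findings += "Run value '$runName' present, data: $($run.$runName)"
}

# Security Center tampering: FirewallDisableNotify = 1 suppresses firewall alerts.
$sc = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
if ($sc -and $sc.FirewallDisableNotify -eq 1) {
    $findings += 'Security Center FirewallDisableNotify = 1'
}

# Dropped files: %TEMP% is expanded; the bare names are tried under the system
# drive root and %SystemRoot% (assumed locations).
$names = 'gstsjrsmrznl.exe', 'zujtgmipwebb.exe'
$paths = @(Join-Path $env:TEMP 'lunn6kw3k65qkcm198fhb.exe')
foreach ($n in $names) {
    $paths += Join-Path $env:SystemDrive $n
    $paths += Join-Path $env:SystemRoot $n
}
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p -PathType Leaf) {
        $sha1 = (Get-FileHash -LiteralPath $p -Algorithm SHA1).Hash
        $findings += "File present: $p (SHA1 $sha1)"
    }
}

# C2 contact: any of the listed domains in the local DNS cache means a recent lookup.
# Get-DnsClientCache is not available on every Windows version, hence the guard.
$domains = 'wheelconsiderable.net', 'drivethirteen.net', 'wednesdayhalf.net',
           'sensesound.net', 'enemyguess.net', 'queentell.net', 'muchhappy.net',
           'soilunder.net', 'wheelbest.net', 'wheelthem.net'
if (Get-Command Get-DnsClientCache -ErrorAction SilentlyContinue) {
    foreach ($e in (Get-DnsClientCache | Where-Object { $domains -contains $_.Entry })) {
        $findings += "DNS cache entry for $($e.Entry) -> $($e.Data)"
    }
}

if ($findings.Count -eq 0) { 'No Nivdort.AA indicators found.' } else { $findings }
```

A hit on the Run value or the FirewallDisableNotify setting is the strongest signal; the file-path checks can miss the sample if it was dropped somewhere other than the assumed directories.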

Last update 12 February 2015
