Trojan.Nitovel
First posted on 26 May 2015.
Source: Symantec
Aliases:
There are no other names known for Trojan.Nitovel.
Explanation:
Once executed, the Trojan copies itself into an NTFS Alternate Data Stream (ADS) attached to the user's Temp directory, so the copy does not show up in an ordinary directory listing:
%UserProfile%\Local Settings\Temp:defrag.scr
The Trojan then creates a VBScript launcher as a second ADS on the same directory:
%UserProfile%\Local Settings\Temp:defrag.vbs
The Trojan creates the following Run key value so that wscript executes the ADS-hosted script every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Defrag" = "wscript %UserProfile%\Local Settings\Temp:defrag.vbs"
Next, the Trojan scrapes the memory of processes running on the compromised computer for track 1 and track 2 payment card (magnetic stripe) data.
The Trojan then sends the stolen data to the following remote locations:
[https://]systeminfou48.ru/derpos/gatew[REMOVED]
[https://]infofinaciale8h.ru/derpos/gatew[REMOVED]
[https://]helpdesk7r.ru/derpos/gatew[REMOVED]
Last update 26 May 2015