TrojanDownloader:Win32/Nimkey.A
First posted on 08 October 2010.
Source: SecurityHome
Aliases :
TrojanDownloader:Win32/Nimkey.A is also known as W32/Delfloader.B.gen!Eldorado (Authentium (C, Trojan-Downloader.Win32.Agent.ehcj (Kaspersky), Suspicious_Gen.KSCH (Norman), Trojan.DL.Agent.YKPA (VirusBuster), PSW.Generic8.KYM (AVG), Trojan.Heur.PT.fKW@bW@ZL1f (BitDefender), Trojan.DownLoad2.15075 (Dr.Web), Win32/Spy.Delf.OJO (ESET), Downloader.x!ebu (McAfee), Trojan.Win32.Generic.52283F03 (Rising AV), Infostealer.Nimkey (Symantec), TROJ_DLOAD.TZ (Trend Micro).
Explanation :
TrojanDownloader:Win32/Nimkey.A is a detection for a trojan that downloads and installs other files. To hide this activity, it opens a non-malicious PDF file from a legitimate website.
Installation
When run, TrojanDownloader:Win32/Nimkey.A opens the following non-malicious PDF file to hide its malicious activity:
http://www.irs.gov/pub/irs-pdf/f941.pdf

Payload
Downloads and executes other files
When run, TrojanDownloader:Win32/Nimkey.A downloads the following files from a remote web server:
1.jpg
2.jpg
ChilkatCert_NT4.dll
extract_cert.exe
It executes its downloaded file "ChilkatCert_NT4.dll" as a DLL file or ActiveX control. It also installs and runs its downloaded file "extract_cert.exe" as a service with either of the following names:
WSALG2
Application Layer Gateway Service2
In the wild, TrojanDownloader:Win32/Nimkey.A has been observed to download from the following web servers:
116.255.149.86
77.78.240.87
91.216.122.60
gimnazjum2orneta.pl
psbprzedborz.pl
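The decoy-then-download sequence described above is a useful correlation signal in web proxy logs. The following is an added example (not part of the original write-up) that flags a client which fetches the IRS f941.pdf and, within a few minutes, pulls two or more of the listed payload file names from a non-IRS host; the log format and the sample lines are constructed for this example.

```python
"""Correlate a decoy fetch of f941.pdf with Nimkey.A payload downloads.
Assumes a simple proxy log format: '<ISO timestamp> <client ip> <url>'.
All log lines below are constructed for this example."""
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlparse

DECOY_URL = "http://www.irs.gov/pub/irs-pdf/f941.pdf"
PAYLOAD_NAMES = {"1.jpg", "2.jpg", "ChilkatCert_NT4.dll", "extract_cert.exe"}
WINDOW = timedelta(minutes=5)  # payloads are fetched right after the decoy

SAMPLE_LOG = """\
2010-10-08T09:00:01 10.0.0.5 http://www.irs.gov/pub/irs-pdf/f941.pdf
2010-10-08T09:00:03 10.0.0.5 http://198.51.100.7/1.jpg
2010-10-08T09:00:04 10.0.0.5 http://198.51.100.7/2.jpg
2010-10-08T09:00:05 10.0.0.5 http://198.51.100.7/ChilkatCert_NT4.dll
2010-10-08T09:00:06 10.0.0.5 http://198.51.100.7/extract_cert.exe
2010-10-08T09:10:00 10.0.0.9 http://www.irs.gov/pub/irs-pdf/f941.pdf
2010-10-08T09:12:00 10.0.0.9 http://example.com/photos/1.jpg
"""

def parse(line):
    ts, src, url = line.split()
    return datetime.fromisoformat(ts), src, url

def find_nimkey_hosts(log_text, min_payloads=2):
    """Return {client_ip: sorted payload names} for clients that fetched the
    decoy PDF and, within WINDOW afterwards, downloaded at least
    min_payloads distinct Nimkey payload names from a non-irs.gov host.
    The threshold keeps a lone generic name such as 1.jpg from alerting."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, url = parse(line)
            events[src].append((ts, url))
    hits = {}
    for src, evs in events.items():
        evs.sort()
        for t0 in (t for t, u in evs if u == DECOY_URL):
            seen = set()
            for t, u in evs:
                if t0 <= t <= t0 + WINDOW:
                    p = urlparse(u)
                    name = p.path.rsplit("/", 1)[-1]
                    if name in PAYLOAD_NAMES and not p.hostname.endswith("irs.gov"):
                        seen.add(name)
            if len(seen) >= min_payloads:
                hits[src] = sorted(seen)
    return hits
```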
Analysis by Jireh Sanico
Last update 08 October 2010