PWS:Win32/Nemim.A
First posted on 15 April 2013.
Source: Microsoft
Aliases:
There are no other names known for PWS:Win32/Nemim.A.
Explanation:
PWS:Win32/Nemim.A is a trojan that is used to capture personal information, such as user names and passwords, and then send that information to a remote attacker.
Installation
The trojan may be downloaded by TrojanDownloader:Win32/Nemim.gen!A under one of the following file names, and is commonly stored in the %APPDATA% directory:
- dmaUp1.exe
- dmaup2.exe
Payload
Steals information about your computer
PWS:Win32/Nemim.A has been observed stealing the following information about your computer:
- The version of Windows installed on your computer and service pack details
- Your computer's language settings
- Your computer's name
- The user name of the currently logged-in user
- The number of USB ports on your computer
It then attempts to steal credentials from the following email and instant messenger accounts by decrypting cached and/or saved passwords:
- These email accounts:
  - SMTP
  - POP3
  - HTTP mail
  - IMAP
- Gmail Notifier
- Google Desktop
- Google Talk
- Windows Messenger/Live Messenger
Contacts remote hosts
PWS:Win32/Nemim.A sends the stolen information, which it has encrypted and encoded, to the following URLs via HTTP POST:
- cranseme.ignorelist.com/html/docu.php
- fenraw.northgeremy.info/html/docu.php
- fenrix.yaahosting.info/html/docu.php
- fenrmi.eu.pn/html/docu.php
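The following is an added example, not part of the Microsoft write-up: an offline indicator check built only from what this page lists under Installation (the two dropped file names in %APPDATA%) and Contacts remote hosts (HTTP POSTs to the four C2 URLs). The proxy log layout (date, time, client IP, method, URL, status) and the sample log lines are constructed for the example; the function and variable names are the example's own. Because Windows file names are case-insensitive and the page itself lists the names with different casing, the file-name match is normalised to lower case, as is the C2 host name.

```python
"""
Added example (not from the original page): check a directory for the dropped
file names and scan proxy log lines for HTTP POSTs to the listed C2 URLs of
PWS:Win32/Nemim.A.
"""
import os
import re
from typing import Iterable, List, Tuple

# Dropped file names listed on the page; compared case-insensitively because
# Windows file systems are case-insensitive.
DROPPED_FILE_NAMES = {"dmaup1.exe", "dmaup2.exe"}

# C2 hosts and the common POST path listed on the page.
C2_HOSTS = {
    "cranseme.ignorelist.com",
    "fenraw.northgeremy.info",
    "fenrix.yaahosting.info",
    "fenrmi.eu.pn",
}
C2_PATH = "/html/docu.php"

# Assumed (constructed) proxy log layout: date time client method url status.
LOG_RE = re.compile(
    r"^(?P<date>\S+) (?P<time>\S+) (?P<client>\S+) (?P<method>\S+) "
    r"(?P<url>\S+) (?P<status>\d{3})$"
)
# Pull host and path (without query string) out of an absolute URL.
URL_RE = re.compile(r"^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/[^?#]*)?")


def match_dropped_names(names: Iterable[str]) -> List[str]:
    """Return the given names (original spelling) that match a dropped file name."""
    return [n for n in names if n.lower() in DROPPED_FILE_NAMES]


def find_dropped_files(directory: str) -> List[str]:
    """Return full paths in `directory` whose file name matches a dropped file name."""
    try:
        entries = os.listdir(directory)
    except OSError:  # directory missing or unreadable: nothing to report
        return []
    return sorted(os.path.join(directory, n) for n in match_dropped_names(entries))


def find_c2_posts(lines: Iterable[str]) -> List[Tuple[str, str]]:
    """Return (client, host) for each HTTP POST to a listed C2 host on the C2 path.

    Only POST requests count: the page describes the beacon as an HTTP POST,
    so a GET to one of these hosts is flagged separately by an analyst, not here.
    """
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m or m.group("method").upper() != "POST":
            continue
        u = URL_RE.match(m.group("url"))
        if not u:
            continue
        host = u.group("host").lower()
        path = u.group("path") or "/"
        if host in C2_HOSTS and path == C2_PATH:
            hits.append((m.group("client"), host))
    return hits


# Constructed sample log: a benign GET and POST, a GET to a C2 host (not the
# beacon path/method), and two beacons, one with a mixed-case host and a query.
SAMPLE_LOG = """\
2013-04-15 10:01:02 10.0.0.5 GET http://www.example.com/index.html 200
2013-04-15 10:01:09 10.0.0.5 POST http://www.example.com/login 302
2013-04-15 10:02:11 10.0.0.7 GET http://fenrmi.eu.pn/html/index.html 200
2013-04-15 10:02:15 10.0.0.7 POST http://fenrmi.eu.pn/html/docu.php 200
2013-04-15 10:03:40 10.0.0.9 POST http://Fenrix.YaaHosting.info/html/docu.php?x=1 200
"""

if __name__ == "__main__":
    # On Windows %APPDATA% is set; elsewhere fall back to the home directory.
    appdata = os.environ.get("APPDATA", os.path.expanduser("~"))
    for path in find_dropped_files(appdata):
        print("dropped file present:", path)
    for client, host in find_c2_posts(SAMPLE_LOG.splitlines()):
        print(f"C2 beacon: {client} -> {host}")
```

The POST body is encrypted and encoded, so the detection keys on host, path and method rather than on content; a file-name hit alone is weak evidence (the names are not unique) and should be confirmed by hashing the file against the vendor's detection.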
Analysis by Jonathan San Jose
Last update 15 April 2013