Home / malwarePDF  

TrojanSpy:Win32/Nivdort.AB


First posted on 12 February 2015.
Source: Microsoft

Aliases :

There are no other names known for TrojanSpy:Win32/Nivdort.AB.

Explanation :

Threat behavior

Installation
This threat can create files on your PC. It uses a random file name and random file name, such as:

  • %APPDATA%\iojaoicavjt\ihsxlal.exe
  • %APPDATA%\iojaoicavjt\wffwvmduztd.exe


It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Software Multimedia Grouping"
With data: "%APPDATA%\iojaoicavjt\wffwvmduztd.exe"



Payload


Collects your sensitive information

This threat can collect your sensitive information without your consent. This can include:

  • The keys you press
  • The applications you open
  • Your web browsing history
  • Your credit card information
  • Your user names and passwords


It could also imitate a legitimate website to lure you into revealing your sensitive information.



Connects to a remote host

We have seen this threat connect to a remote host, including:
  • mountainsurprise.net using port 80
  • possiblesurprise.net using port 80
  • motherdifferent.net using port 80
  • simpledifferent.net using port 80
  • severadifferent.net using port 80
  • mothersurprise.net using port 80
  • simplesurprise.net using port 80
  • laughdifferent.net using port 80
  • simpleletter.net using port 80
  • severabeside.net using port 80
Malware can connect to a remote host to do any of the following:
  • Check for an Internet connection
  • Download and run files (including updates or other malware)
  • Report a new infection to its author
  • Receive configuration or other data
  • Receive instructions from a malicious hacker
  • Search for your PC location
  • Upload information taken from your PC
  • Validate a digital certificate
This malware description was published using automated analysis of file SHA1 9b5b24fb1cd71417aa30ebeb3b3ba3cb436b014f.Symptoms

The following can indicate that you have this threat on your PC:

  • You see these files:
    • %APPDATA%\iojaoicavjt\ihsxlal.exe
    • %APPDATA%\iojaoicavjt\wffwvmduztd.exe
  • You see registry modifications such as:
    • In subkey: HKCU\software\microsoft\windows\currentversion\run
      Sets value: "Software Multimedia Grouping"
      With data: "%APPDATA%\iojaoicavjt\wffwvmduztd.exe"

Last update 12 February 2015

 

TOP