Win32/Agent.NAN [Threat Name] go to Threat

Win32/Agent.NAN [Threat Variant Name]

Category trojan,virus
Size 15551 B
Detection created Mar 05, 2006
Detection database version 1937
Aliases Trojan.Win32.Agent.oh (Kaspersky)
  VirTool:Win32/Obfuscator.C (Microsoft)
  TR/Dropper.Gen (Avira)
Short description

The trojan serves as a proxy server.

Installation

When executed, the trojan creates the following files:

  • %commondocuments%\­Settings\­ur32krutik6666.dll
  • %commondocuments%\­Settings\­desktop.ini

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon\­Notify\­ur32krutik6666reg]
    • "DllName" = "%commondocuments%\­Settings\­ur32krutik6666.dll"
    • "Startup" = "ur32krutik6666reg"
    • "Impersonate" = 1
    • "Asynchronous" = 1

The trojan executes the following files:

  • iexplore.exe

The trojan tries to load and inject the "ur32krutik6666.dll" library into the following processes:

  • winlogon.exe
  • iexplore.exe
Information stealing

The trojan collects the following information:

  • operating system version
  • malware version
  • opened TCP port number

The trojan attempts to send gathered information to a remote machine.


The trojan contains an URL address. The HTTP protocol is used.

Other information

It can execute the following operations:

  • open ports
  • set up a proxy server
  • update itself to a newer version

The following services are disabled:

  • SharedAccess
  • wscsvc (Windows Security Center)

The trojan may create the following files:

  • %commondocuments%\­Settings\­desktop.ini

Please enable Javascript to ensure correct displaying of this content and refresh this page.