Win32/Agent.NJI [Threat Name] go to Threat

Win32/Agent.NJI [Threat Variant Name]

Category worm
Size 64000 B
Detection created Jun 13, 2007
Detection database version 2328
Aliases W32.Spybot.Worm (Symantec)
  HEUR:Trojan.Win32.Invader (Kaspersky)
Short description

Win32/Agent.NJI is a worm that spreads via removable media. The worm serves as a backdoor. It can be controlled remotely.

Installation

When executed, the worm copies itself into the following location:

  • %appdata%\­%random1%.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%random1%.exe" = "%appdata%\­%random1%.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%random1%.exe" = "%appdata%\­%random1%.exe"

The worm creates and runs a new thread with its own program code in all running processes except the following:

  • dwm.exe
  • csrss.exe
Spreading on removable media

The worm moves the content of the following folders (source, destination):

  • %removabledrive%\­*, %removabledrive%\­{sfka9sifwqefklf}

The worm copies itself to the following location:

  • %removabledrive%\­sfka9sifwqefklf.exe

The worm creates the following files:

  • %removabledrive%\­%existingfolderorfile%.lnk

The file is a shortcut to a malicious file.


It contains the following text:

  • %system%\­cmd.exe /k sfka9sifwqefklf.exe %systemdrive%\­{sfka9sifwqefklf}\­%originalfileorfolder%
Information stealing

The worm collects information related to the following applications:

  • wlcomm.exe
  • pidgin.exe
  • msmgs.exe
  • msnmsgr.exe

The worm collects various information related to the operating system.


The worm attempts to send gathered information to a remote machine.

Other information

The worm serves as a backdoor. It can be controlled remotely.


The worm acquires data and commands from a remote computer or the Internet.


The worm contains a list of addresses. The HTTP, IRC protocol is used.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • remove itself from the infected computer
  • update itself to a newer version
  • perform DoS/DDoS attacks
  • open a specific URL address

The worm keeps various information in the following Registry key:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "sfka9sifwqefklf"

The worm hooks the following Windows APIs:

  • DeleteFileA (kernel32.dll)
  • DeleteFileW (kernel32.dll)
  • CreateRemoteThread (kernel32.dll)
  • NtOpenProcess (ntdll.dll)
  • NtResumeThread (ntdll.dll)
  • NtEnumerateValueKey (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • NtCreateFile (ntdll.dll)
  • NtWriteVirtualMemory (ntdll.dll)
  • send (ws2_32.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.