Win32/Agent.NLQ [Threat Name] go to Threat

Win32/Agent.NLQ [Threat Variant Name]

Category trojan,worm
Size 49152 B
Detection created Aug 23, 2007
Detection database version 2480
Aliases Backdoor.Win32.Poison.cpb (Kaspersky)
  Backdoor.Trojan (Symantec)
  BackDoor-DKI.gen.d.trojan (McAfee)
Short description

Win32/Agent.NLQ is a trojan that installs Win32/Poison.NAE malware.

Installation

When executed, the trojan copies itself into the following location:

  • %windir%\­svchost.exe (49152 B)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "explorer.exe" = "%windir%\­svchost.exe"

The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Active Setup\­Installed Components\­{FFE86B96-EBBB-D51C-84DA-8E09B35682EB}]
    • "StubPath" = "%windir%\­svchost.exe"

The trojan creates and runs a new thread with its own program code within the following processes:

  • explorer.exe (Win32/Poison.NAE)
Other information

The Win32/Poison.NAE serves as a backdoor. It can be controlled remotely.


The is able to update itself or execute an arbitrary file.


The backdoor connects to the following addresses:

  • iv3fjf.ath.cx (TCP port 3600)

Please enable Javascript to ensure correct displaying of this content and refresh this page.