Win32/Agent.NPD [Threat Name]

Win32/Agent.NPD [Threat Variant Name]

Category trojan,worm
Size 26027 B
Detection created Jan 25, 2008
Detection database version 2823
Aliases Trojan.Win32.Inject.jrs (Kaspersky)
  Trojan.Horse (Symantec)
  Generic.Dropper.bm.trojan (McAfee)
Short description

Win32/Agent.NPD installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan drops the following files in the %system% folder (both are used in the steps below; their sizes are given for identification):

  • lamhost.dll (14336 B)
  • nvpc32.exe (6656 B)

The trojan registers the dropped nvpc32.exe as a system service (service key name NVPC) using the following display name, chosen to resemble a legitimate graphics-driver component:

  • nVidia Program Config

The trojan loads and injects the %system%\lamhost.dll library into the following processes:

  • iexplore.exe
  • explorer.exe
  • services.exe

The following Registry entries are created. In the service key, "Type" = 16 is SERVICE_WIN32_OWN_PROCESS, "Start" = 2 is SERVICE_AUTO_START (the service is launched at every boot), "ErrorControl" = 0 is SERVICE_ERROR_IGNORE and "ObjectName" = "LocalSystem" means the service, and therefore the backdoor, runs with SYSTEM privileges. The keys under Enum\Root\LEGACY_NVPC and Services\NVPC\Enum are of the kind the Service Control Manager writes the first time a legacy (non-PnP) service starts, so their presence on a host indicates the service has actually been started at least once and not merely registered:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NVPC]
    • "Type" = 16
    • "Start" = 2
    • "ErrorControl" = 0
    • "ImagePath" = "%system%\nvpc32.exe"
    • "DisplayName" = "nVidia Program Config"
    • "ObjectName" = "LocalSystem"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NVPC\Enum]
    • "0" = "Root\LEGACY_NVPC\0000"
    • "Count" = 1
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVPC]
    • "NextInstance" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVPC\0000\Control]
    • "*NewlyCreated*" = 0
    • "ActiveService" = "NVPC"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVPC\0000]
    • "Service" = "NVPC"
    • "Legacy" = 1
    • "ConfigFlags" = 0
    • "Class" = "LegacyDriver"
    • "ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
    • "DeviceDesc" = "nVidia Program Config"

Other information

The trojan serves as a backdoor. It can be controlled remotely.

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs.


It can execute the following operations:

  • terminate running processes
  • run executable files
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • send the list of disk devices and their type to a remote computer
  • send the list of running processes to a remote computer

The trojan creates the following files:

  • file.tmp

The trojan may create copies of itself using the following filenames:

  • %temp%\Del%variable%.tmp (26027 B, the same size as the original sample)

A string with variable content is used instead of %variable%.
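The file, service, registry and injection indicators listed in this description can be checked on a live host with the following PowerShell triage script. It is an added example written for this page, not code from ESET or from the malware author; it assumes an elevated PowerShell 5.1 or later session, that %system% resolves to $env:SystemRoot\System32 and %temp% to $env:TEMP, and it only reports matches without removing anything.

```powershell
# Added triage script for the Win32/Agent.NPD indicators above (not part of the
# original ESET description). Assumptions: elevated PowerShell 5.1+, %system% is
# $env:SystemRoot\System32, %temp% is $env:TEMP. Read-only: nothing is deleted.

$ErrorActionPreference = 'SilentlyContinue'
$sys32    = Join-Path $env:SystemRoot 'System32'
$findings = @()

# 1. Dropped files in %system% (sizes from the description: 14336 B and 6656 B)
foreach ($name in 'lamhost.dll', 'nvpc32.exe') {
    $p = Join-Path $sys32 $name
    if (Test-Path -LiteralPath $p) {
        $f = Get-Item -LiteralPath $p
        $findings += "file present: $p ($($f.Length) B, created $($f.CreationTimeUtc) UTC)"
    }
}

# 2. Service registration. Type 16 = own-process Win32 service, Start 2 = auto-start,
#    ObjectName LocalSystem = runs as SYSTEM.
$svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\NVPC'
if (Test-Path -LiteralPath $svcKey) {
    $svc = Get-ItemProperty -LiteralPath $svcKey
    $findings += "service key NVPC: DisplayName='$($svc.DisplayName)' ImagePath='$($svc.ImagePath)' " +
                 "Type=$($svc.Type) Start=$($svc.Start) ObjectName=$($svc.ObjectName)"
}
# Also match on display name / image path via the SCM, in case the key name differs.
Get-CimInstance Win32_Service |
    Where-Object { $_.DisplayName -eq 'nVidia Program Config' -or $_.PathName -match 'nvpc32\.exe' } |
    ForEach-Object { $findings += "SCM service: $($_.Name) state=$($_.State) path=$($_.PathName)" }

# 3. Legacy device-node keys the SCM writes once the service has actually started.
foreach ($k in 'HKLM:\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NVPC',
               'HKLM:\SYSTEM\CurrentControlSet\Services\NVPC\Enum') {
    if (Test-Path -LiteralPath $k) { $findings += "registry key present: $k (service has been started)" }
}

# 4. lamhost.dll mapped into the injection targets named in the description.
#    Module enumeration needs admin rights and the same bitness as the target process.
foreach ($proc in Get-Process -Name iexplore, explorer, services) {
    $hit = $proc.Modules | Where-Object { $_.ModuleName -ieq 'lamhost.dll' }
    if ($hit) {
        $findings += "lamhost.dll mapped in $($proc.ProcessName) (PID $($proc.Id)) from $($hit.FileName)"
    }
}

# 5. Self-copies in %temp%: Del<variable>.tmp, same size as the sample (26027 B).
Get-ChildItem -Path $env:TEMP -Filter 'Del*.tmp' -File |
    Where-Object { $_.Length -eq 26027 } |
    ForEach-Object { $findings += "temp copy: $($_.FullName) ($($_.Length) B)" }

if ($findings.Count -eq 0) { 'No Win32/Agent.NPD indicators found.' } else { $findings }
```

Run it as Administrator; without elevation the module list of services.exe cannot be read and step 4 will silently report nothing for that process. Treat the legacy Enum keys as the strongest evidence of execution, the service key alone as evidence of registration, and collect the dropped files (and any Del*.tmp copies) before remediation so the sample can be hashed and compared against the sizes given above.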
