Win32/Autoit.NHR [Threat Name]

Win32/Autoit.NHR [Threat Variant Name]

Category: trojan
Size: 1047140 B
Detection created: Dec 13, 2010
Detection database version: 5699
Aliases: Trojan.Win32.Autoit.ajy (Kaspersky), Generic.BackDoor.s (McAfee), WS.Reputation.1 (Symantec)

Short description

Win32/Autoit.NHR is a trojan that encrypts files on local drives.

Installation

When executed, the trojan creates the following files:

  • C:\Control.ini
  • C:\P.exe
  • C:\Crypt.exe
  • C:\F.exe

Spreading

The trojan tries to copy itself into shared folders of machines on a local network.


The trojan copies itself to the following location:

  • \\%remotecomputer%\C$\Program Files\Manufacturer\Endpoint Agent\HWP.exe

In order to be executed on every system start, the trojan sets the following Registry entries on the remote computer:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "HWP" = "C:\Program Files\Manufacturer\Endpoint Agent\HWP.exe"

Payload information

Win32/Autoit.NHR is a trojan that encrypts files on local drives.


If the current system date and time matches certain conditions, the trojan encrypts the contents of certain files.


The trojan searches for files with the following file extensions:

  • *.dll

Only the following folders are searched:

  • %system%

The trojan may cause the operating system to crash.

Other information

The trojan may create the following files:

  • %temp%\~ip.tmp
  • %appdata%\FixMe.log
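
A sweep for the file and Run-key indicators listed above, as an added example that is not part of the original description. The inventory format (a list of file paths, a dict of Run values, a per-user environment mapping) and the sample data are assumptions constructed for illustration.

```python
import ntpath

# Indicators copied from the description above.
INSTALL_FILES = [r"C:\Control.ini", r"C:\P.exe", r"C:\Crypt.exe", r"C:\F.exe"]
OTHER_FILES = [r"%temp%\~ip.tmp", r"%appdata%\FixMe.log"]
SPREAD_COPY = r"C:\Program Files\Manufacturer\Endpoint Agent\HWP.exe"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "HWP"

# Constructed sample inventory for one host (hypothetical user "alice").
SAMPLE_ENV = {"temp": r"C:\Users\alice\AppData\Local\Temp",
              "appdata": r"C:\Users\alice\AppData\Roaming"}
SAMPLE_FILES = [r"c:\crypt.exe",
                r"C:\Windows\System32\kernel32.dll",
                r"C:\Users\alice\AppData\Roaming\FixMe.log",
                "C:/Program Files/Manufacturer/Endpoint Agent/hwp.exe"]
SAMPLE_RUN = {"hwp": r'"C:\Program Files\Manufacturer\Endpoint Agent\HWP.exe"',
              "ExampleApp": r"C:\Program Files\Example\app.exe"}


def norm(path, env=None):
    """Expand %var% placeholders, drop quotes, normalise case and separators."""
    path = path.strip().strip('"').lower()
    for name, value in (env or {}).items():
        path = path.replace("%" + name.lower() + "%", value.lower())
    return ntpath.normcase(ntpath.normpath(path))


def sweep(files, run_values, env):
    """Return (indicator, page section) pairs found in one host's inventory."""
    present = {norm(f) for f in files}
    findings = []
    for section, paths in (("Installation", INSTALL_FILES),
                           ("Spreading", [SPREAD_COPY]),
                           ("Other information", OTHER_FILES)):
        findings += [(p, section) for p in paths if norm(p, env) in present]
    # Registry value names are case-insensitive; compare the data as a path.
    run = {k.lower(): v for k, v in run_values.items()}
    data = run.get(RUN_VALUE_NAME.lower())
    if data is not None and norm(data) == norm(SPREAD_COPY):
        findings.append((RUN_KEY + "\\" + RUN_VALUE_NAME, "Spreading"))
    return findings


if __name__ == "__main__":
    for indicator, section in sweep(SAMPLE_FILES, SAMPLE_RUN, SAMPLE_ENV):
        print(f"[{section}] {indicator}")
```

File names such as P.exe or F.exe are generic, so a single hit is a lead to investigate; several hits from different sections on one host are a much stronger signal.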
