Win32/Autoit.NHY [Threat Name]

Win32/Autoit.NHY [Threat Variant Name]

Category: trojan
Size: 323057 B
Detection created: Feb 11, 2011
Detection database version: 5865
Aliases: Trojan.Win32.Autoit.aki (Kaspersky), Trojan.Encoder.99 (Dr.Web)

Short description

Win32/Autoit.NHY is a trojan that encrypts files on local drives. To decrypt files the user is requested to comply with given conditions in exchange for a password/instructions.

Installation

The trojan does not create any copies of itself.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Session" = "%malwarepath%"

The trojan creates the following files:

  • %appdata%\11
  • %appdata%\crypted
  • %appdata%\lstt
  • %appdata%\online
  • %appdata%\pass
  • %appdata%\code
  • %appdata%\UAC

Payload information

Win32/Autoit.NHY is a trojan that encrypts files on local drives.


The trojan searches local drives for files with the following file extensions:

  • *.3DS
  • *.3GP
  • *.7z
  • *.abr
  • *.ACCDB
  • *.ACCDA
  • *.ace
  • *.acf
  • *.act
  • *.ahk
  • *.ai
  • *.aif
  • *.aiff
  • *.ams
  • *.app
  • *.ase
  • *.asf
  • *.atn
  • *.aux
  • *.b
  • *.bak
  • *.bas
  • *.bcp
  • *.bdf
  • *.blend
  • *.c
  • *.c++
  • *.cad
  • *.cas
  • *.cc
  • *.cda
  • *.cbl
  • *.cef
  • *.cfa
  • *.cfc
  • *.cfm
  • *.chr
  • *.cmv
  • *.cob
  • *.cpp
  • *.cs
  • *.csm
  • *.csv
  • *.cvs
  • *.db
  • *.dbf
  • *.dbx
  • *.dcc
  • *.dcl
  • *.dbx
  • *.dcu
  • *.dev
  • *.dfm
  • *.dof
  • *.dsc
  • *.djvu
  • *.exp
  • *.f4a
  • *.f4v
  • *.flv
  • *.bmp
  • *.frx
  • *.gml
  • *.h
  • *.h++
  • *.hbk
  • *.hdr
  • *.hex
  • *.hlp
  • *.hpp
  • *.idw
  • *.iwd
  • *.java
  • *.jpg
  • *.jpeg
  • *.k3d
  • *.lin
  • *.lib
  • *.lng
  • *.lsp
  • *.lua
  • *.lwo
  • *.lxo
  • *.lzw
  • *.m
  • *.m3u
  • *.mak
  • *.map
  • *.mat
  • *.mcd
  • *.mdl
  • *.md2
  • *.md3
  • *.mda
  • *.mdb
  • *.mk
  • *.mli
  • *.mmf
  • *.mny
  • *.mov
  • *.mp2
  • *.mp3
  • *.mp4
  • *.mpa
  • *.mpeg
  • *.mpg
  • *.mpp
  • *.mpx
  • *.msc
  • *.mrc
  • *.mtl
  • *.mxp
  • *.nfo
  • *.obj
  • *.odb
  • *.odg
  • *.odf
  • *.odm
  • *.ods
  • *.odt
  • *.odp
  • *.ofn
  • *.opt
  • *.otg
  • *.oxt
  • *.package
  • *.pak
  • *.pat
  • *.pcb
  • *.pcm
  • *.pcx
  • *.pdd
  • *.pdf
  • *.pdw
  • *.php
  • *.pic
  • *.pk2
  • *.pk3
  • *.pk4
  • *.pkg
  • *.plb
  • *.png
  • *.pov
  • *.pot
  • *.ppj
  • *.prj
  • *.prx
  • *.psd
  • *.psq
  • *.pst
  • *.pxp
  • *.rar
  • *.raw
  • *.rb
  • *.rc
  • *.reg
  • *.res
  • *.rl4
  • *.rl8
  • *.rm
  • *.rmvb
  • *.sdr
  • *.shp
  • *.SLDASM
  • *.SLDDRW
  • *.slk
  • *.stf
  • *.svg
  • *.swf
  • *.sym
  • *.tar
  • *.taz
  • *.tif
  • *.tiff
  • *.tlb
  • *.tpl
  • *.txt
  • *.au3
  • *.VBPROJ
  • *.vb
  • *.vcd
  • *.eg
  • *.vob
  • *.w3p
  • *.w3a
  • *.w3m
  • *.w3p
  • *.w3v
  • *.wav
  • *.wdb
  • *.wmp
  • *.wpj
  • *.x
  • *.xcf
  • *.xlc
  • *.xls
  • *.xlw
  • *.3g2
  • *.264
  • *.3gp2
  • *.aaf
  • *.asf
  • *.aepx
  • *.asx
  • *.avi
  • *.bdm
  • *.bik
  • *.camrec
  • *.divx
  • *.dvx
  • *.mkv
  • *.f4v
  • *.m4v
  • *.m4u
  • *.ogm
  • *.wmv
  • *.xvid
  • *.div
  • *.doc
  • *.docx
  • *.ogv
  • *.zip
  • *.gzip
  • *.cdr
  • *.dwg
  • *.max
  • *.gif
  • *.xlsx
  • *.ppt
  • *.pptx
  • *.htm
  • *.html
  • *.1cd
  • *.md
  • *.mdf
  • *.ifo
  • *.torrent
  • *.flac
  • *.ape
  • *.wma
  • *.ac3
  • *.rtf
  • *.wps
  • *.wpd
  • *.key
  • *.pps
  • *.aac
  • *.drw
  • *.eps
  • *.indd
  • *.wks
  • *.sql
  • *.pln
  • *.iso
  • *.class
  • *.msi
  • *.asp
  • *.docm
  • *.fla
  • *.pas
  • *.tga
  • *.xlsm
  • *.cert
  • *.p12
  • *.db8
  • *.m4a
  • *.ai
  • *.pub
  • *.cdl
  • *.pem
  • *.cer
  • *.crt
  • *.der
  • *.p12
  • *.pfx

When the trojan finds a file matching the search criteria, it creates a duplicate of it.

The file name and extension of the newly created file are derived from the original one, and an additional ".EnCrYpTeD" extension is appended.

The trojan encrypts the content of the file and then deletes the files it found.

Other information

The trojan displays the following dialog box:

The following programs are terminated:

  • taskmgr.exe
  • procexp.exe
  • mmc.exe
  • regedit.exe
  • msconfig.exe
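
The indicators listed under Installation and Payload information can be checked together during triage of a suspect host or a mounted disk image. The following Python sketch is an added example, not part of the original description or any vendor tool. It assumes that the encrypted copy is named as the original file name plus ".EnCrYpTeD", and that the caller supplies the values of the Run key as a dictionary; the function names and the sample directory layout are constructed for illustration.

```python
import os
import tempfile

# Indicators taken from the description above.
MARKER_FILES = ["11", "crypted", "lstt", "online", "pass", "code", "UAC"]
ENCRYPTED_SUFFIX = ".EnCrYpTeD"
RUN_VALUE_NAME = "Session"

def find_marker_files(appdata_dir):
    """Return the listed marker file names that exist directly in appdata_dir."""
    return [n for n in MARKER_FILES
            if os.path.isfile(os.path.join(appdata_dir, n))]

def find_encrypted_copies(scan_root):
    """Map each encrypted copy to (presumed original path, original still exists)."""
    hits = {}
    for dirpath, _dirs, files in os.walk(scan_root):
        for name in files:
            # Assumption: copy name = original name + suffix (case-insensitive match).
            if (name.lower().endswith(ENCRYPTED_SUFFIX.lower())
                    and len(name) > len(ENCRYPTED_SUFFIX)):
                original = os.path.join(dirpath, name[:-len(ENCRYPTED_SUFFIX)])
                hits[os.path.join(dirpath, name)] = (original, os.path.exists(original))
    return hits

def triage(appdata_dir, scan_root, run_values):
    """run_values: name -> data of the HKLM Run key, collected by the caller
    (assumption: e.g. read from a registry export of the examined system)."""
    return {
        "run_session_value": run_values.get(RUN_VALUE_NAME),
        "marker_files": find_marker_files(appdata_dir),
        "encrypted_copies": find_encrypted_copies(scan_root),
    }

def demo():
    """Run the triage over a constructed directory layout (sample data only)."""
    with tempfile.TemporaryDirectory() as tmp:
        appdata, docs = os.path.join(tmp, "appdata"), os.path.join(tmp, "docs")
        os.makedirs(appdata)
        os.makedirs(docs)
        for folder, names in ((appdata, ("pass", "crypted", "unrelated.txt")),
                              (docs, ("report.doc.EnCrYpTeD", "notes.txt",
                                      "notes.txt.EnCrYpTeD"))):
            for name in names:
                open(os.path.join(folder, name), "w").close()
        result = triage(appdata, docs, {"Session": r"C:\constructed\sample.exe"})
        # Reduce to base names so the result does not depend on the temp path.
        copies = {os.path.basename(k): (os.path.basename(o), e)
                  for k, (o, e) in result["encrypted_copies"].items()}
        return result["run_session_value"], result["marker_files"], copies
```

An encrypted copy whose presumed original is missing matches the delete step described above, while one whose original still exists may indicate that the run was interrupted.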
