Win32/Diazom [Threat Name] go to Threat

Win32/Diazom.NAC [Threat Variant Name]

Category trojan
Size 132612 B
Detection created Jun 01, 2012
Detection database version 10465
Aliases Trojan-Ransom.Win32.Blocker.bbiv (Kaspersky)
  Trojan:Win32/Malagent (Microsoft)
  Trojan.ADH (Symantec)
  TR/Graftor.77805 (Avira)
Short description

The trojan serves as a backdoor. It can be controlled remotely.

Installation

When executed the trojan copies itself in the following locations:

  • %startup%\­%variable1%.exe
  • %localappdata%\­%variable2%.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable3%" = "%localappdata%\­%variable2%.exe"

A string with variable content is used instead of %variable1-3% .


The trojan creates and runs a new thread with its own program code within the following processes:

  • chrome.exe
  • explorer.exe
  • firefox.exe
  • iexplore.exe
  • jusched.exe
  • opera.exe
  • skype.exe

After the installation is complete, the trojan deletes the original executable file.

Information stealing

Win32/Diazom.NAC is a trojan that steals sensitive information.


The trojan collects the following information:

  • operating system version
  • computer IP address
  • login user names for certain applications/services
  • login passwords for certain applications/services
  • default Internet browser

The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (80) URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • change the home page of web browser
  • send IM messages
  • create comments on social networks
  • "like" pages on social networks
  • post messages on social networks
  • open a specific URL address

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­%hwid%\­{E525B997-4A1A-425a-84B7-5D98AF7F902A}]
  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­%hwid%\­{5BD81296-61C1-4c64-BB8A-8B815F37F5E8}]
  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­%hwid%\­{C5840F71-67D1-4b13-AF88-513BC2C43FB9}]
  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­%hwid%\­{07A2E0B2-E7FC-445c-A14F-8B6BE7654690}]
  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­%hwid%\­{74A10EDE-B7AC-4F7A-8750-EC853167F9B8}]
  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­%hwid%\­{3D2279FB-18E7-47E3-8F2C-1FD4CBD1D6BE}]
  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­%hwid%\­{F56AEE3D-1AF5-49D5-9178-AE22F411720A}]
  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­%hwid%\­{4220D7C3-AE02-448A-AF00-BD3C26152B92}]
  • [HKEY_CURRENT_USER\­Software\­AppDataLow\­%hwid%\­{DC0DE040-F93F-434a-B57F-0F3773AC28B4}]

The trojan hooks the following Windows APIs:

  • HttpSendRequestA (wininet.dll)
  • HttpSendRequestW (wininet.dll)
  • PR_Write (nspr4.dll)
  • send (ws2_32.dll)
  • WSASend (ws2_32.dll)

Please enable Javascript to ensure correct displaying of this content and refresh this page.