Win32/Nebuler [Threat Name]

Win32/Nebuler.B [Threat Variant Name]

Category: trojan
Size: 26112 B
Detection created: Feb 25, 2010
Detection database version: 4895
Aliases: Trojan.Win32.Nebuler.B (Microsoft), Trojan.Nebuler (Symantec)

Short description

Win32/Nebuler.B is a trojan which tries to download other malware from the Internet. It can send various information about the infected computer to an attacker. The trojan is probably a part of other malware.

Installation

When executed, the trojan copies itself into the following location:

  • %system%\win%variable%32.dll (26112 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win%variable%32]
    • "Asynchronous" = 1
    • "DllName" = "win%variable%32.dll"
    • "Impersonate" = 0
    • "Startup" = "EvtStartup"
    • "Shutdown" = "EvtShutdown"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "win%variable%32" = "rundll32.exe %system%\win%variable%32.dll, run"
    • "system" = "rundll32.exe %system%\win%variable%32.dll, run"

A string with variable content is used instead of %variable%.
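
An added triage example, not part of the original description: it scans the text of a registry export (.reg format) for the Winlogon Notify and Run entries listed above. The sample export, the placeholder `abc` for %variable%, and the function names are constructed for illustration; the pattern assumes %variable% is non-empty and contains no backslash or whitespace.

```python
import re

# Constructed sample in .reg export format (not from a real host); "abc" stands in for %variable%.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winabc32]
"Asynchronous"=dword:00000001
"DllName"="winabc32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"
"Shutdown"="EvtShutdown"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"system"="rundll32.exe C:\\WINDOWS\\system32\\winabc32.dll, run"
"Updater"="C:\\Program Files\\Vendor\\update.exe"
'''

NOTIFY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify" + "\\"
RUN = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
# Assumption: %variable% is non-empty and contains no backslash or whitespace.
DLL = re.compile(r"win[^\\\s]+32\.dll", re.I)
RUN_CMD = re.compile(r"rundll32\.exe\s+.*\\win[^\\\s]+32\.dll\s*,\s*run\s*$", re.I)

def parse_reg(text):
    """Parse .reg export text into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and (m := re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)):
            data = m.group(2)
            if len(data) >= 2 and data[0] == data[-1] == '"':  # REG_SZ: undo \\ and \" escaping
                data = re.sub(r"\\(.)", r"\1", data[1:-1])
            current[m.group(1)] = data
    return keys

def find_nebuler_persistence(text):
    """Return (key, value_name, data) for entries matching the persistence described above."""
    hits = []
    for key, values in parse_reg(text).items():
        if key.lower().startswith(NOTIFY):
            dll = values.get("DllName", "")
            handlers = (values.get("Startup"), values.get("Shutdown"))
            if DLL.fullmatch(dll) and handlers == ("EvtStartup", "EvtShutdown"):
                hits.append((key, "DllName", dll))
        elif key.lower() == RUN:
            hits += [(key, n, d) for n, d in values.items() if RUN_CMD.search(d)]
    return hits

if __name__ == "__main__":
    print(*find_nebuler_persistence(SAMPLE_REG), sep="\n")
```

Files written by `reg export` are UTF-16 encoded, so read them with `encoding="utf-16"` before passing the text to `find_nebuler_persistence`.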


Other information

The trojan keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]

The trojan contains a URL. It tries to download a file from that address. The HTTP protocol is used.


The file is stored in the following location:

  • %temp%\win1.tmp

The file is then executed.


The trojan collects the following information:

  • Internet Explorer version
  • operating system version

The trojan can send the information to a remote machine.


The trojan connects to the following addresses:

  • http://searchmeup.biz/img/cmd.php
  • http://smart-security.biz/img/cmd.php
  • http://here4search.biz/img/cmd.php
