Win32/Nebuler [Threat Name]

Win32/Nebuler.E [Threat Variant Name]

Category trojan
Size 76586 B
Detection created Apr 12, 2010
Detection database version 5022
Aliases Downloader.Win32.ImgDrop.vy (Kaspersky)
  Trojan.Nebuler (Symantec) (McAfee)
Short description

Win32/Nebuler.E is a trojan which tries to download other malware from the Internet. It can send various information about the infected computer to an attacker.


When executed, the trojan creates the following files:

  • %system%\win%variable1%32.dll (39424 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win%variable1%32]
    • "Asynchronous" = 1
    • "DllName" = "win%variable1%32.dll"
    • "Impersonate" = 0
    • "Startup" = "jWGHtgjfKogd"
    • "Shutdown" = "scnJSbVBK"

A string with variable content is used instead of %variable1%.
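
An added example (not ESET's code): a triage check over `reg export` text of the Winlogon Notify key. It flags subkeys that follow the win%variable1%32 naming and the "Startup"/"Shutdown" values listed above. The sample export, the subkey name winqzk32, and the function names are constructed for illustration.

```python
import re

# Constructed `reg export` excerpt: one benign-looking entry, one matching the write-up.
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"DllName"="crypt32.dll"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winqzk32]
"Asynchronous"=dword:00000001
"DllName"="winqzk32.dll"
"Impersonate"=dword:00000000
"Startup"="jWGHtgjfKogd"
"Shutdown"="scnJSbVBK"
'''

NOTIFY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify"
EXPORTS = {"Startup": "jWGHtgjfKogd", "Shutdown": "scnJSbVBK"}  # values from the write-up
NAME_RE = re.compile(r"win.+32", re.I)                          # win%variable1%32

def parse_reg(text):
    """Parse reg-export text into {key_path: {value_name: value}}."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1], {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, raw = line.partition("=")
            if raw.startswith("dword:"):
                current[name.strip('"')] = int(raw[6:], 16)
            else:
                current[name.strip('"')] = raw.strip('"').replace("\\\\", "\\")
    return keys

def find_suspect_notify(keys):
    """Return [(subkey, reasons)] for Notify packages matching the described pattern."""
    hits = []
    for path, vals in keys.items():
        parent, _, sub = path.rpartition("\\")
        if parent.lower() != NOTIFY.lower():
            continue
        reasons = []
        if NAME_RE.fullmatch(sub) and str(vals.get("DllName", "")).lower() == sub.lower() + ".dll":
            reasons.append("DllName mirrors subkey win<var>32")
        reasons += [f"{n} handler matches" for n, v in EXPORTS.items() if vals.get(n) == v]
        if reasons:
            hits.append((sub, reasons))
    return hits

if __name__ == "__main__": print(find_suspect_notify(parse_reg(SAMPLE)))
```

A subkey that matches only the name pattern is a weak signal; the "Startup" and "Shutdown" values are the stronger match.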

Other information

The trojan keeps various information in the following Registry key:


The trojan contains a list of 2 URLs and tries to download a file from these addresses over HTTP.

The file is stored in the following location:

  • %temp%\win%variable2%.tmp

A string with variable content is used instead of %variable2%.

The file is then executed.

The following information is collected:

  • list of disk devices and their type
  • information about the operating system and system settings

The trojan can send the information to a remote machine.

The trojan connects to the following addresses:


The trojan may create the following files:

  • %temp%\ylD%variable3%.tmp
  • %temp%\ylD%variable3%.bat

A string with variable content is used instead of %variable3%.
