Win32/Nebuler [Threat Name]

Win32/Nebuler.E [Threat Variant Name]

Category trojan
Size 76586 B
Detection created Apr 12, 2010
Detection database version 5022
Aliases Downloader.Win32.ImgDrop.vy (Kaspersky)
  Trojan.Nebuler (Symantec)
  Generic.Dropper.sd.trojan (McAfee)
Short description

Win32/Nebuler.E is a trojan which tries to download other malware from the Internet. It can send various information about the infected computer to an attacker.

Installation

When executed, the trojan creates the following files:

  • %system%\win%variable1%32.dll (39424 B)

In order to be executed on every system start, the trojan sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win%variable1%32]
    • "Asynchronous" = 1
    • "DllName" = "win%variable1%32.dll"
    • "Impersonate" = 0
    • "Startup" = "jWGHtgjfKogd"
    • "Shutdown" = "scnJSbVBK"

A string with variable content is used instead of %variable1%.

Other information

The trojan keeps various information in the following Registry key:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]
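The Winlogon Notify persistence described under Installation and the MSSMGR data key can both be checked for in a registry export. The script below is an added example written for this entry, not code from ESET or from the malware itself: it parses a constructed `reg export` fragment (the package name `winabcd32` and the MSSMGR value are invented for the example), allowlists the default Windows XP / Server 2003 notification packages (an assumption; adjust the set for the system under examination) and reports every subkey that matches the indicators above.

```python
import re

# Assumption for this example: the default Winlogon notification packages on
# Windows XP / Server 2003. Anything else registered under Notify deserves a look.
KNOWN_NOTIFY_PACKAGES = {
    "crypt32chain", "cryptnet", "cscdll", "sccertprop", "schedule",
    "sclgntfy", "senslogn", "termsrv", "wlballoon",
}

NOTIFY_PREFIX = ("HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows NT"
                 "\\CurrentVersion\\Winlogon\\Notify\\")
MSSMGR_KEY = "HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\MSSMGR"

# DllName pattern from the write-up: win%variable1%32.dll, where %variable1%
# is a run of characters chosen by the trojan.
NEBULER_DLL_RE = re.compile(r"^win[0-9a-z]+32\.dll$", re.IGNORECASE)

KEY_RE = re.compile(r"^\[(.+)\]$")
STR_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')
DWORD_VALUE_RE = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

# Constructed sample fragment of `reg export HKLM` output: one default package
# (crypt32chain) next to an entry shaped like the Nebuler.E one. The package
# name winabcd32 and the MSSMGR value are invented for the example.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\crypt32chain]
"Asynchronous"=dword:00000000
"DllName"="crypt32.dll"
"Impersonate"=dword:00000000
"Logoff"="ChainWlxLogoffEvent"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\winabcd32]
"Asynchronous"=dword:00000001
"DllName"="winabcd32.dll"
"Impersonate"=dword:00000000
"Startup"="jWGHtgjfKogd"
"Shutdown"="scnJSbVBK"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]
"state"="00"
"""


def parse_reg_export(text):
    """Parse the subset of the .reg format needed here: key headers, REG_SZ and
    REG_DWORD values. Returns {key_path: {value_name: value}}, dwords as ints."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = DWORD_VALUE_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
            continue
        m = STR_VALUE_RE.match(line)
        if m:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_indicators(reg_text):
    """Return (key_path, reason) tuples for keys matching the Nebuler.E indicators."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key.lower() == MSSMGR_KEY.lower():
            findings.append((key, "MSSMGR data key present"))
            continue
        if not key.lower().startswith(NOTIFY_PREFIX.lower()):
            continue
        package = key[len(NOTIFY_PREFIX):]
        # Only direct children of Notify are notification packages; skip the
        # allowlisted defaults so that e.g. Schedule's own Startup handler is not flagged.
        if "\\" in package or package.lower() in KNOWN_NOTIFY_PACKAGES:
            continue
        reasons = ["non-default Winlogon notification package"]
        if NEBULER_DLL_RE.match(str(values.get("DllName", ""))):
            reasons.append("DllName matches win<variable>32.dll")
        if values.get("Asynchronous") == 1 and {"Startup", "Shutdown"} & set(values):
            reasons.append("asynchronous Startup/Shutdown handlers registered")
        findings.append((key, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for key, reason in find_indicators(SAMPLE_REG_EXPORT):
        print(f"{key}\n    {reason}")
```

A non-default package name alone is only a hint; the DllName shape together with asynchronous Startup/Shutdown handlers is what ties a hit to this variant. On a live system, export the Notify key with `reg export` and feed the file to `find_indicators` instead of the constructed sample.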

The trojan contains a list of two URLs and tries to download a file from them over HTTP.

The file is stored in the following location:

  • %temp%\win%variable2%.tmp

A string with variable content is used instead of %variable2%.

The file is then executed.

The following information is collected:

  • list of disk devices and their type
  • information about the operating system and system settings

The trojan can send the information to a remote machine.

The trojan connects to the following addresses:

  • http://oberaufseher.net/img/cmd.php
  • http://savesoft.net/img/cmd.php

The trojan may create the following files:

  • %temp%\ylD%variable3%.tmp
  • %temp%\ylD%variable3%.bat

A string with variable content is used instead of %variable3%.
