Win32/Nidis [Threat Name]

Win32/Nidis.U [Threat Variant Name]

Category trojan,virus
Size 91648 B
Detection created Jun 09, 2008
Detection database version 3169
Aliases Trojan-Proxy.Win32.Pixoliz.nk (Kaspersky)
  Downloader-BNN.trojan (McAfee)
  Spammer:Win32/Rlsloup.A (Microsoft)
  SpamBot.R.trojan (AVG)
Short description

Win32/Nidis.U is a trojan that is used for spam distribution. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:

  • c:\ntldr.sys (7168 B, Win32/Nidis.P)
  • c:\cp%variable%.nls (91648 B, Win32/Nidis.U)

A string with variable content is used instead of %variable%.


Installs the following system drivers (path, name):

  • c:\ntldr.sys, ntldr.sys

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ntldr.sys]
    • "Type" = 1
    • "ErrorControl" = 1
    • "Start" = 3
    • "DisplayName" = "ntldr.sys"
    • "ImagePath" = "\??\C:\ntldr.sys"

The trojan modifies the following file:

  • %systemroot%\system32\drivers\ndis.sys

The host file is modified in a way that causes the trojan to be executed prior to running the original code.


This causes the trojan to be executed on every system start.


The trojan loads and injects the "cp%variable%.nls" library into the following processes:

  • explorer.exe

Spam distribution

Win32/Nidis.U is a trojan that is used for spam distribution.


The message depends entirely on data the trojan downloads from the Internet. The SMTP protocol is used.
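Because the spam library runs inside explorer.exe, the observable on an endpoint is a shell process opening SMTP connections to many distinct mail servers. The following detection is an added example written for this page, not ESET's code; the CSV event format, the IP addresses, the mail-client allowlist and the threshold of three distinct servers are all constructed assumptions that would be tuned to a real sensor's output.

```python
import csv
from collections import defaultdict
from io import StringIO

# Constructed outbound-connection events (not real telemetry): one row per
# TCP connection, in the shape an endpoint sensor might log it.
SAMPLE_EVENTS = """\
time,image,dst_ip,dst_port
2008-06-09T10:00:01,C:\\WINDOWS\\explorer.exe,203.0.113.10,80
2008-06-09T10:00:05,C:\\WINDOWS\\explorer.exe,198.51.100.7,25
2008-06-09T10:00:06,C:\\WINDOWS\\explorer.exe,198.51.100.8,25
2008-06-09T10:00:06,C:\\WINDOWS\\explorer.exe,198.51.100.9,25
2008-06-09T10:00:07,C:\\WINDOWS\\explorer.exe,198.51.100.10,25
2008-06-09T10:01:00,C:\\Program Files\\Outlook Express\\msimn.exe,192.0.2.25,25
2008-06-09T10:01:30,C:\\WINDOWS\\system32\\svchost.exe,203.0.113.11,443
"""

SMTP_PORTS = {25, 587}
# Assumed allowlist of processes that legitimately speak SMTP; adjust per estate.
MAIL_CLIENTS = {"msimn.exe", "outlook.exe", "thunderbird.exe"}
# Assumed threshold: a mail client talks to its own relay, a spam bot fans out.
MIN_DISTINCT_SERVERS = 3


def find_smtp_senders(csv_text, min_servers=MIN_DISTINCT_SERVERS):
    """Return (image, distinct_server_count) for non-mail processes that
    connected to at least `min_servers` distinct SMTP destinations."""
    servers = defaultdict(set)
    for row in csv.DictReader(StringIO(csv_text)):
        if int(row["dst_port"]) in SMTP_PORTS:
            servers[row["image"]].add(row["dst_ip"])
    findings = []
    for image, ips in servers.items():
        exe = image.rsplit("\\", 1)[-1].lower()
        if exe in MAIL_CLIENTS:
            continue  # allowlisted mail client, expected to use SMTP
        if len(ips) >= min_servers:
            findings.append((image, len(ips)))
    return sorted(findings)


if __name__ == "__main__":
    for image, count in find_smtp_senders(SAMPLE_EVENTS):
        print(f"{image}: SMTP connections to {count} distinct servers")
```

On the constructed sample, explorer.exe is reported with four distinct SMTP destinations while the mail client and svchost.exe are not; the same grouping works over any connection log that can be reduced to an image path, a destination address and a port.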

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of 8 URLs. The HTTP protocol is used in the communication.


It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • send spam

The trojan may delete the following files:

  • c:\ntldr.sys
  • c:\cp%variable%.nls

By adding an exception in Windows Firewall settings, the trojan ensures that it is not blocked.


The trojan executes the following command:

  • netsh firewall add allowedprogram "%systemroot%\explorer.exe" "Explorer" enable

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\CNo]
  • [HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\installation_id]
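The driver service from the Installation section, the firewall exception added by the netsh command and the two Internet Explorer\Security marker keys above can all be checked from an offline registry export. The following checker is an added example written for this page, not ESET's code. It assumes a `reg export`-style text dump as input (the sample below is constructed, not captured from an infected host), and assumes the legacy Windows Firewall stores allowed programs under `SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List` with `path:scope:state:name` value data; the "driver image in a drive root" heuristic is the author's own generalisation of the `\??\C:\ntldr.sys` ImagePath and would also catch other drivers registered outside `system32\drivers`.

```python
import re

# Constructed reg-export fragment: the entries the description lists, plus one
# legitimate driver (Beep) that the checker must not flag.
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\ntldr.sys]
"Type"=dword:00000001
"ErrorControl"=dword:00000001
"Start"=dword:00000003
"DisplayName"="ntldr.sys"
"ImagePath"="\\??\\C:\\ntldr.sys"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Beep]
"Type"=dword:00000001
"Start"=dword:00000001
"ImagePath"="\\SystemRoot\\System32\\Drivers\\Beep.sys"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\explorer.exe"="C:\\WINDOWS\\explorer.exe:*:Enabled:Explorer"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\CNo]
[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Security\installation_id]
"""

KEY_RE = re.compile(r'^\[(.+)\]$')
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')
SERVICES_PREFIX = ["hkey_local_machine", "system", "currentcontrolset", "services"]
FW_LIST_SUFFIX = "\\authorizedapplications\\list"   # assumed legacy firewall key
IE_SECURITY_PREFIX = "hkey_current_user\\software\\microsoft\\internet explorer\\security\\"
DRIVE_ROOT_RE = re.compile(r'^[a-z]:\\[^\\]+$')


def unescape(s):
    """Undo reg-file escaping: \\\\ -> \\ and \\" -> \"."""
    return re.sub(r'\\(.)', r'\1', s)


def decode_data(data):
    """Decode a reg-file value: quoted strings and dword:; other types left raw."""
    if data.startswith('"') and data.endswith('"'):
        return unescape(data[1:-1])
    if data.startswith("dword:"):
        return int(data[6:], 16)
    return data


def parse_reg_export(text):
    """Parse a reg-export dump into {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][unescape(m.group(1))] = decode_data(m.group(2))
    return keys


def normalize_path(p):
    """Lower-case and strip the NT "\\??\\" prefix seen in the trojan's ImagePath."""
    p = p.lower()
    return p[4:] if p.startswith("\\??\\") else p


def find_suspicious_drivers(reg):
    """Return (service, image, reasons) for kernel drivers (Type=1) that match
    the described service name or load their image from a drive root."""
    hits = []
    for key, values in reg.items():
        parts = key.lower().split("\\")
        if len(parts) != 5 or parts[:4] != SERVICES_PREFIX:
            continue
        if values.get("Type") != 1:           # 1 = SERVICE_KERNEL_DRIVER
            continue
        name = parts[4]
        image = normalize_path(str(values.get("ImagePath", "")))
        reasons = []
        if name == "ntldr.sys":
            reasons.append("service name matches the Win32/Nidis.U driver")
        if DRIVE_ROOT_RE.match(image):
            reasons.append("driver image sits in a drive root, not system32\\drivers")
        if reasons:
            hits.append((name, image, reasons))
    return hits


def find_firewall_exceptions(reg):
    """Return (program, display_name) for allowed-program entries naming explorer.exe,
    which the description says the trojan adds and which a shell should not need."""
    hits = []
    for key, values in reg.items():
        if not key.lower().endswith(FW_LIST_SUFFIX):
            continue
        for program, data in values.items():
            fields = str(data).rsplit(":", 3)  # assumed "path:scope:state:name"
            display = fields[3] if len(fields) == 4 else ""
            if program.lower().endswith("\\explorer.exe"):
                hits.append((program, display))
    return hits


def find_marker_keys(reg):
    """Return the Internet Explorer\\Security subkeys the trojan uses for storage."""
    wanted = {"cno", "installation_id"}
    return sorted(k for k in reg
                  if k.lower().startswith(IE_SECURITY_PREFIX)
                  and k.lower()[len(IE_SECURITY_PREFIX):] in wanted)


def scan(reg_export_text):
    """Run all three checks over one export and return the findings."""
    reg = parse_reg_export(reg_export_text)
    return {"drivers": find_suspicious_drivers(reg),
            "firewall": find_firewall_exceptions(reg),
            "markers": find_marker_keys(reg)}


if __name__ == "__main__":
    for section, findings in scan(SAMPLE_REG_EXPORT).items():
        print(section, findings)
```

Run against the constructed export, the checker reports the ntldr.sys service (both for its name and for its drive-root image), the explorer.exe firewall entry and the two marker keys, while the Beep driver passes; on a real host the same functions can be fed the output of `reg export` for the HKLM\System and HKCU hives.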
