Win32/PSW.Agent.NDP [Threat Name]

Win32/PSW.Agent.NDP [Threat Variant Name]

Category trojan
Size 77255 B
Detection created Mar 30, 2007
Detection database version 2155
Aliases PWS-LegMir (McAfee)
  Infostealer.Gampass (Symantec)
  W32/OnlineGames.gen31 (F-Secure)
Short description

Win32/PSW.Agent.NDP is a trojan that steals sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan copies itself into the folder:

  • %system%

with the following file names:

  • ntdelect.com
  • kavo.exe

The following files are dropped in the same folder:

  • kavo0.dll (37376 B)
  • autorun.inf (260 B)

The following file is dropped into the %temp% folder:

  • t2e.dll (31827 B)

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "kava" = "%system%\kavo.exe"

The following Registry entries are set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "Hidden" = 2
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
    • "ShowSuperHidden" = 0
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    • "NoDriveTypeAutoRun" = 145
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL]
    • "CheckedValue" = 0

Spreading

The trojan copies itself into the root folders of fixed and/or removable drives using the following name:

  • ntdelect.com

The following file is dropped in the same folder:

  • autorun.inf

Thus, the trojan ensures it is started each time infected media is inserted into the computer.
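The Installation and Spreading sections above amount to a small set of host indicators: a Run-key value pointing at kavo.exe, Explorer settings that keep hidden and protected files out of view, an autorun policy value of 145, and the ntdelect.com plus autorun.inf pair in drive roots. The Python below, an added triage example that is not ESET's code and not part of the entry, encodes those indicators and matches them against registry values and directory listings supplied as plain Python data (the sample data is constructed for the demonstration; the Run-key comparison assumes the %system% placeholder has already been expanded to a real path, such as C:\WINDOWS\system32, by whatever exported the data).

```python
"""Match exported registry values and drive-root listings against the
Win32/PSW.Agent.NDP indicators documented in the entry.

Added example, not ESET's code. Input is plain Python data so it runs
offline; on a real host the tuples would come from a registry export
and the listings from os.listdir() on each drive root.
"""
import ntpath

# (key path, value name, expected data) for each documented registry entry.
REGISTRY_INDICATORS = {
    "run-key persistence": (
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
        "kava", r"%system%\kavo.exe"),
    "hidden files suppressed": (
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
        "Hidden", 2),
    "protected OS files suppressed": (
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
        "ShowSuperHidden", 0),
    # 145 == 0x91 disables autorun only for unknown (0x01), network (0x10) and
    # unspecified (0x80) drive types, so removable (0x04) and fixed (0x08)
    # drives still honour autorun.inf, which is what the spreader relies on.
    "autorun left enabled for removable/fixed drives": (
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
        "NoDriveTypeAutoRun", 145),
    "folder-options toggle defeated": (
        r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\explorer\Advanced\Folder\Hidden\SHOWALL",
        "CheckedValue", 0),
}

# File names the entry documents in %system% and the pair used for spreading.
DROPPED_FILES = {"ntdelect.com", "kavo.exe", "kavo0.dll"}
SPREADER_PAIR = {"ntdelect.com", "autorun.inf"}


def _matches(observed, expected):
    """Compare a registry data item with the documented one.

    String data is treated as a path and compared on its file name only,
    because %system% is a placeholder that a real export shows expanded.
    Numeric (DWORD) data is compared exactly."""
    if isinstance(expected, str):
        return (isinstance(observed, str)
                and ntpath.basename(observed).lower() == ntpath.basename(expected).lower())
    return observed == expected


def check_registry(values):
    """values: iterable of (key_path, value_name, data) tuples.

    Returns the labels of documented indicators present. Key paths and
    value names are compared case-insensitively, as the registry does."""
    observed = {(k.lower(), n.lower()): d for k, n, d in values}
    return [label for label, (key, name, expected) in REGISTRY_INDICATORS.items()
            if (key.lower(), name.lower()) in observed
            and _matches(observed[(key.lower(), name.lower())], expected)]


def check_drive_roots(roots):
    """roots: mapping of drive root (e.g. 'E:\\') -> names found in that root.

    Flags each root that carries both ntdelect.com and autorun.inf."""
    return sorted(root for root, names in roots.items()
                  if SPREADER_PAIR <= {ntpath.basename(n).lower() for n in names})


def check_system_folder(names):
    """names: file names present in %system%; returns documented drop names seen."""
    return sorted(DROPPED_FILES & {n.lower() for n in names})


# Constructed sample data: not taken from any real host.
SAMPLE_REGISTRY = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "kava",
     r"C:\WINDOWS\system32\kavo.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "Hidden", 2),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced",
     "ShowSuperHidden", 1),  # still at a benign value in this sample
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoDriveTypeAutoRun", 145),
]
SAMPLE_ROOTS = {
    "C:\\": ["Windows", "Program Files", "ntdelect.com", "autorun.inf"],
    "E:\\": ["photos", "AUTORUN.INF", "NTDELECT.COM"],
    "F:\\": ["autorun.inf", "setup.exe"],  # autorun.inf alone is not the pair
}
SAMPLE_SYSTEM = ["kernel32.dll", "kavo.exe", "KAVO0.DLL"]

if __name__ == "__main__":
    print("registry:", check_registry(SAMPLE_REGISTRY))
    print("drive roots:", check_drive_roots(SAMPLE_ROOTS))
    print("%system%:", check_system_folder(SAMPLE_SYSTEM))
```

The three checks are kept separate on purpose: the registry values alone are weak evidence (an administrator can legitimately set Hidden, ShowSuperHidden or NoDriveTypeAutoRun), whereas the Run-key value naming kavo.exe or the ntdelect.com plus autorun.inf pair in a drive root is specific to this family, so a report should weight them differently.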

Information stealing

The trojan collects various information related to online computer games.

The trojan loads and injects the "kavo0.dll" library into the following processes:

  • explorer.exe
  • iexplore.exe
  • dekaron.exe
  • maplestory.exe
  • hyo.exe
  • fairyclient.exe
  • ybclient.exe
  • wsm.exe
  • so3d.exe

The trojan is able to log keystrokes.

The trojan can send the collected information to a remote machine over HTTP.

Other information

The following programs are terminated:

  • filmsg.exe
  • twister.exe
  • ravmon.exe
  • ravmond.exe
  • iparmor.exe
  • adam.exe
  • eghost.exe
  • mailmon.exe
  • kavpfw.exe
