Win32/PSW.Agent.NTM [Threat Name]

Win32/PSW.Agent.NTM [Threat Variant Name]

Category: trojan
Size: 95744 B
Detection created: Oct 25, 2011
Detection database version: 6573
Aliases:
  Trojan.Win32.Jorik.Downloader.va (Kaspersky)
  W32/Spybot.bfr!d.virus (McAfee)
  PWS:Win32/Fareit.gen!C (Microsoft)

Short description

Win32/PSW.Agent.NTM is a trojan that steals passwords and other sensitive information. The trojan attempts to send gathered information to a remote machine. The trojan tries to download and execute several files from the Internet.

Installation

The trojan does not create any copies of itself.


The trojan creates the following file:

  • %temp%\ytk.bat

The file is then executed.


The trojan may create the following files in the %temp% folder:

  • HWID
  • Client Hash

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\WinRAR]
    • "HWID" = "%uniquebinarydata%"
    • "%variablemd5hash%" = "true"

Information stealing

Win32/PSW.Agent.NTM is a trojan that steals passwords and other sensitive information.


The trojan collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services
  • FTP account information
  • information about the infected computer

The following programs are affected:

  • 3D-FTP
  • 32bit FTP
  • ALFTP
  • BitKinex
  • BlazeFtp
  • Bromium
  • Bullet Proof FTP
  • ClassicFTP
  • CoffeeCup Software
  • Comodo
  • COREFTP
  • CuteFTP
  • Cyberduck
  • DeluxeFTP
  • Directory Opus
  • EasyFTP
  • Epic
  • ExpanDrive
  • Far
  • Far2
  • FFFTP
  • FileZilla
  • FlashFXP
  • Fling
  • Flock
  • FreshFTP
  • Frigate3
  • FTP Commander
  • FTP CONTROL
  • FTP Explorer
  • FTP Navigator
  • FTP++
  • FTPClient
  • FTPGetter
  • FTPNow
  • FTPRush
  • FTPVoyager
  • Global Downloader
  • GoFTP
  • Google Chrome
  • ChromePlus
  • Chromium
  • K-Meleon
  • LeapFTP
  • LeechFTP
  • LinasFTP
  • Microsoft Internet Explorer
  • Mozilla Firefox
  • Mozilla SeaMonkey
  • NetDrive
  • Nichrome
  • Odin
  • Opera Software
  • PuTTY
  • Robo-FTP 3.7
  • RockMelt
  • SecureFX
  • SmartFTP
  • Staff-FTP
  • Total Commander
  • TurboFTP
  • UltraFXP
  • Visicom Media ftp client
  • WebDrive
  • WebSitePublisher
  • Windows Commander
  • WinFTP
  • WinSCP
  • Wise-FTP
  • WS_FTP

The trojan attempts to send gathered information to a remote machine.

Other information

The trojan contains a list of 12 URLs.


It tries to download several files from these addresses.


These are stored in the following locations:

  • %temp%\%variable%.exe

The files are then executed. The HTTP protocol is used.


A string with variable content is used instead of %variable%.


The trojan removes itself from the computer.
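
The following read-only PowerShell triage sketch is an added example, not part of the original description and not ESET's code. It looks for the artifacts listed under Installation and Other information: the values under Software\WinRAR in every loaded user hive, and the named files in the current user's %temp% folder. The function names are hypothetical, and it assumes that "%variablemd5hash%" denotes a value name of 32 hexadecimal digits. The WinRAR key itself also exists on machines where WinRAR is installed, so only the listed values are reported, not the key.

```powershell
# Added triage example; not ESET's code. Read-only: reports, changes nothing.
function Get-NtmRegistryHit {
    param([Parameter(Mandatory)][string]$KeyPath)
    $key = Get-Item -LiteralPath $KeyPath -ErrorAction SilentlyContinue
    if (-not $key) { return }
    # Assumption: %variablemd5hash% is a value name of 32 hex digits.
    foreach ($name in $key.GetValueNames()) {
        $kind = $key.GetValueKind($name)
        if ($name -eq 'HWID') {
            [pscustomobject]@{ Source = 'Registry'; Item = "$KeyPath\$name"
                               Detail = "HWID value present, type $kind" }
        }
        elseif ($name -match '^[0-9a-f]{32}$' -and $key.GetValue($name) -eq 'true') {
            [pscustomobject]@{ Source = 'Registry'; Item = "$KeyPath\$name"
                               Detail = 'MD5-like value name set to "true"' }
        }
    }
}

function Get-NtmFileHit {
    # Covers only the given folder (default: the current user's %temp%).
    param([string]$TempDir = $env:TEMP)
    foreach ($leaf in 'ytk.bat', 'HWID', 'Client Hash') {
        $path = Join-Path -Path $TempDir -ChildPath $leaf
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            $f = Get-Item -LiteralPath $path -Force
            [pscustomobject]@{ Source = 'File'; Item = $f.FullName
                               Detail = "created $($f.CreationTimeUtc.ToString('u'))" }
        }
    }
    # %temp%\%variable%.exe has no fixed name: list candidates for manual review.
    Get-ChildItem -LiteralPath $TempDir -Filter '*.exe' -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object { [pscustomobject]@{ Source = 'Review'; Item = $_.FullName
                         Detail = "exe in temp root, created $($_.CreationTimeUtc.ToString('u'))" } }
}

# Check Software\WinRAR in each loaded user hive, then the temp folder.
$hits = @(
    Get-ChildItem -Path Registry::HKEY_USERS -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object { Get-NtmRegistryHit -KeyPath "Registry::$($_.Name)\Software\WinRAR" }
    Get-NtmFileHit
)
if ($hits.Count) { $hits | Format-Table -AutoSize -Wrap } else { 'No listed artifacts found.' }
```

Rows marked Review are ordinary executables in the temp root and are not detections on their own; weigh them against the Registry and File rows.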
