Win32/Rootkit.Agent.NTS [Threat Name]

Win32/Rootkit.Agent.NTS [Threat Variant Name]

Category: trojan
Size: 151552 B
Detection created: Sep 30, 2010
Detection database version: 5491
Aliases:
  • Packed.Win32.Krap.ai (Kaspersky)
  • Trojan:WinNT/Tibs.gen!A (Microsoft)
  • Generic.dx!sty (McAfee)

Short description

Win32/Rootkit.Agent.NTS is a trojan that steals passwords and other sensitive information. The trojan contains a backdoor. It can be controlled remotely. The trojan is probably a part of other malware.

Installation

The trojan does not create any copies of itself.


The trojan creates the following files:

  • %commonappdata%\common.data

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\%variable%]
    • "Start" = 2
    • "Group" = "Boot Bus Extender"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\%variable%]
    • "(Default)" = "Driver"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\%variable%]
    • "(Default)" = "Driver"

A string with variable content is used instead of %variable%.
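
Because the service name is variable, a check has to match on the combination of values rather than on a name. The following is an added example, not part of the original description: it scans the text of a registry export for services that carry all three entries listed above. The function names and the sample key names (xk3f9q, samplebus, partial) are constructed for illustration, and the input is assumed to be already decoded to text.

```python
import re
ROOT = r"hkey_local_machine\system\controlset001"  # paths compared lowercased, like the registry
SERVICES = ROOT + "\\services\\"
SAFEBOOT = [ROOT + "\\control\\safeboot\\" + m + "\\" for m in ("minimal", "network")]

def parse_reg(text):
    """Parse decoded `reg export` text into {lowercased key path: {value name: raw data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            current[name.strip('"')] = data.strip('"')  # "@" is the (Default) value
    return keys

def find_suspect_services(text):
    """Return (lowercased) service names matching all three entries from the description."""
    keys, hits = parse_reg(text), []
    for path, vals in keys.items():
        name = path[len(SERVICES):]
        if not path.startswith(SERVICES) or not name or "\\" in name:
            continue  # not a direct child of ...\Services
        autostart = re.fullmatch(r"dword:0*2", vals.get("Start", ""), re.I)
        group = vals.get("Group", "").lower() == "boot bus extender"
        safeboot = all(keys.get(p + name, {}).get("@", "").lower() == "driver" for p in SAFEBOOT)
        if autostart and group and safeboot:
            hits.append(name)
    return sorted(hits)

# Constructed sample (not from a real host); real exports are UTF-16 and must be decoded first.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\xk3f9q]
"Start"=dword:00000002
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\xk3f9q]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Network\xk3f9q]
@="Driver"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\samplebus]
"Start"=dword:00000000
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\partial]
"Start"=dword:00000002
"Group"="Boot Bus Extender"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\partial]
@="Driver"
"""
```

A hit is a lead for review, not a verdict: the export reflects what the registry API returned on the host where it was taken.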

Other information

The trojan acquires data and commands from a remote computer or the Internet.


The trojan contains a list of (2) URLs.


It may perform the following actions:

  • monitor network traffic
  • download files from a remote computer and/or the Internet
  • run executable files
  • update itself to a newer version
  • collect information about the operating system used
  • send gathered information

The trojan creates and runs a new thread with its own program code within the following processes:

  • csrss.exe
  • services.exe
  • svchost.exe
