Win32/Rootkit.Agent.NUK [Threat Name] go to Threat

Win32/Rootkit.Agent.NUK [Threat Variant Name]

Category trojan
Size 192700 B
Detection created Mar 14, 2011
Detection database version 5951
Aliases Trojan-Downloader.Win32.Genome.cfne (Kaspersky)
  Trojan:Win32/Comisproc (Microsoft)
  Infostealer.Gampass (Symantec)
Short description

Win32/Rootkit.Agent.NUK is a trojan which tries to download other malware from the Internet. It uses techniques common for rootkits.


When executed, the trojan creates the following files:

  • %temp%\­Ks%variable%.tmp (178176 B)

A string with variable content is used instead of %variable% .

The file is then executed.

Win32/Rootkit.Agent.NUK replaces the original MBR (Master Boot Record) of the hard disk drive with its own program code.

The trojan modifies the following file:

  • %system%\­drivers\­fips.sys
Other information

The trojan contains a list of (24) URLs.

It tries to download several files from the addresses.

These are stored in the following locations:

  • %temp%\­%variable%.tmp

A string with variable content is used instead of %variable% .

The files are then executed.

The trojan can create and run a new thread with its own program code within the following processes:

  • explorer.exe

The trojan collects the following information:

  • network adapter information
  • computer IP address
  • operating system version

The trojan attempts to send gathered information to a remote machine.

The trojan disables various security related applications.

The trojan creates the following files:

  • %system%\­del.bat
  • %temp%\­%variable%.bat

Please enable Javascript to ensure correct displaying of this content and refresh this page.