Win32/Spy.Agent.NSO [Threat Name]

Win32/Spy.Agent.NSO [Threat Variant Name]

Category trojan
Size 142848 B
Detection created Jul 22, 2010
Detection database version 5302
Aliases Trojan-Downloader.Win32.Tiny.cmq (Kaspersky)
  Trojan:Win32/Chymine.A (Microsoft)
  Backdoor.Trojan (Symantec)
Short description

Win32/Spy.Agent.NSO is a trojan that steals sensitive information. The trojan can send the information to a remote machine. The trojan is probably a part of other malware.

Installation

When executed, the trojan creates the following files:

  • %temp%\..\%variable1%.dll (126464 B)
  • %temp%\%variable2%.tmp
  • %allusersprofile%\rundll32
  • %system%\%variable3%\.dll

The trojan creates copies of the following files (source, destination):

  • %system%\rundll32.exe, %temp%\..\%variable1%.exe

The trojan executes the following command:

  • %temp%\..\%variable1%.exe shell32.dll,Control_RunDLLA "%temp%\..\%variable1%.dll"

The following Registry entries are created:

  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip]
    • "Type" = 32
    • "Start" = 2
    • "ErrorControl" = 1
    • "ImagePath" = "%systemroot%\system32\svchost.exe -k netsvcs"
    • "DisplayName" = "Iprip"
    • "ObjectName" = "LocalSystem"
    • "Description" = "Iprip"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters]
    • "ServiceDll" = ".\%variable3%\"

This causes the trojan to be executed on every system start.


%variable1%, %variable2% and %variable3% each stand for a string with variable content.
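
A hunting check built from the installation indicators above, as an added example that is not part of the original description: it flags a shell32.dll,Control_RunDLL launch hosted by anything other than the system rundll32.exe, and an svchost-hosted service whose ServiceDll is a relative path. The record layout, user name, file names and sample values are constructed assumptions, and both checks are heuristics rather than signatures.

```python
import ntpath
import re

# Constructed sample records (not real telemetry); names and paths are made up.
PROCESS_EVENTS = [
    {"image": r"C:\Windows\System32\rundll32.exe",
     "cmdline": r'rundll32.exe shell32.dll,Control_RunDLL "C:\Windows\System32\timedate.cpl"'},
    {"image": r"C:\Users\alice\AppData\Local\abcd1234.exe",
     "cmdline": r'C:\Users\alice\AppData\Local\abcd1234.exe shell32.dll,Control_RunDLLA '
                r'"C:\Users\alice\AppData\Local\abcd1234.dll"'},
]
SERVICES = {
    "Iprip": {"ImagePath": r"%systemroot%\system32\svchost.exe -k netsvcs",
              "ServiceDll": ".\\abcd5678\\"},
    "Schedule": {"ImagePath": r"%systemroot%\system32\svchost.exe -k netsvcs",
                 "ServiceDll": r"%systemroot%\system32\schedsvc.dll"},
}

RUNDLL_ENTRY = re.compile(r"shell32\.dll,\s*Control_RunDLL", re.I)
SYSTEM_DIRS = ("\\windows\\system32\\", "\\windows\\syswow64\\")

def suspicious_processes(events):
    """Flag Control_RunDLL launches whose host image is not the system rundll32.exe."""
    hits = []
    for ev in events:
        if not RUNDLL_ENTRY.search(ev["cmdline"]):
            continue
        image = ev["image"].lower()
        is_system_rundll = (ntpath.basename(image) == "rundll32.exe"
                            and any(d in image for d in SYSTEM_DIRS))
        if not is_system_rundll:
            hits.append(ev["image"])
    return hits

def suspicious_services(services):
    """Flag svchost-hosted services whose ServiceDll is a relative path."""
    hits = []
    for name, vals in services.items():
        dll = vals.get("ServiceDll", "")
        hosted = "svchost.exe" in vals.get("ImagePath", "").lower()
        # Paths starting with an environment variable or a drive root count as absolute.
        absolute = dll.startswith("%") or ntpath.isabs(dll)
        if hosted and dll and not absolute:
            hits.append(name)
    return hits
```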

Information stealing

Win32/Spy.Agent.NSO is a trojan that steals sensitive information.


The trojan acquires data and commands from a remote computer or the Internet. It contains a URL and communicates over the HTTP protocol.


The following information is collected:

  • operating system version
  • CPU information
  • installed software
  • computer name
  • list of disk devices and their type

It may perform the following actions:

  • log keystrokes
  • capture webcam video/voice

The trojan can send the information to a remote machine.
