Win32/Spy.VB.NPD [Threat Name]

Win32/Spy.VB.NPD [Threat Variant Name]

Category: trojan
Size: 409626 B
Detection created: Jul 03, 2012
Detection database version: 7266
Aliases:
  • Trojan-Spy.Win32.VB.fjj (Kaspersky)
  • TrojanSpy:Win32/Pexnod.A (Microsoft)
  • Trojan.Horse (Symantec)

Short description

Win32/Spy.VB.NPD is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine.

Installation

The trojan creates the following files:

  • %systemdrive%\Documents and Settings\All Users\Common Files\dmx.exe (188418 B, Win32/Spy.VB.NPD)
  • %startup%\dmx.exe (188418 B, Win32/Spy.VB.NPD)
  • %temp%\Sample Image.jpg (84199 B)
  • %profile%\AppData\Sample Image.jpg (84199 B)

The files are then executed.


In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "dmx" = "%systemdrive%\Documents and Settings\All Users\Common Files\dmx.exe"

Information stealing

Win32/Spy.VB.NPD is a trojan that steals sensitive information.


The trojan is able to log keystrokes.


The following information is collected:

  • data from the clipboard

The collected information is stored in the following file:

  • %temp%\Mail1.htm

The trojan attempts to send gathered information to a remote machine.


The trojan contains a list of (2) URLs. The HTTP protocol is used.

Other information

The trojan keeps various information in the following Registry keys:

  • [HKEY_CURRENT_USER\Software\VB and VBA Program Setings\%malwarefolder%\country\country]
  • [HKEY_CURRENT_USER\Software\VB and VBA Program Setings\%malwarefolder%\logs\logs]
  • [HKEY_CURRENT_USER\Software\VB and VBA Program Setings\%malwarefolder%\Settime\Settime]
  • [HKEY_CURRENT_USER\Software\VB and VBA Program Setings\%malwarefolder%\Timer\Timer]
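
A read-only host check for the file and Run-key artifacts listed above. This is an added example, not part of the original description or the vendor's tooling. It assumes %startup% is the current user's Startup folder and %profile% is that user's profile directory, and it also looks at the WOW6432Node view of the Run key because 32-bit processes are redirected there on 64-bit Windows.

```powershell
# Added example: triage for the Win32/Spy.VB.NPD artifacts listed on this page.
# Assumptions: %startup% = current user's Startup folder, %profile% = $env:USERPROFILE.
$files = @(
    @{ Path = "${env:SystemDrive}\Documents and Settings\All Users\Common Files\dmx.exe"; Size = 188418 }
    @{ Path = Join-Path ([Environment]::GetFolderPath('Startup')) 'dmx.exe'; Size = 188418 }
    @{ Path = Join-Path $env:TEMP 'Sample Image.jpg'; Size = 84199 }
    @{ Path = Join-Path $env:USERPROFILE 'AppData\Sample Image.jpg'; Size = 84199 }
    @{ Path = Join-Path $env:TEMP 'Mail1.htm'; Size = $null }   # log file, no size given
)

$findings = @()
foreach ($f in $files) {
    # -Force so hidden/system attributes do not hide the file from the check
    $item = Get-Item -LiteralPath $f.Path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += [pscustomobject]@{
            Type      = 'File'
            Indicator = $item.FullName
            Detail    = "$($item.Length) B"
            SizeMatch = if ($null -eq $f.Size) { 'n/a' } else { $item.Length -eq $f.Size }
        }
    }
}

# Autostart value "dmx" in the native and the 32-bit (redirected) view of the Run key
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
)
foreach ($key in $runKeys) {
    $value = (Get-ItemProperty -LiteralPath $key -Name 'dmx' -ErrorAction SilentlyContinue).dmx
    if ($value) {
        $findings += [pscustomobject]@{
            Type      = 'RunValue'
            Indicator = "$key\dmx"
            Detail    = $value
            SizeMatch = 'n/a'
        }
    }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No listed Win32/Spy.VB.NPD artifacts found in this user context.' }
```

The Startup, %temp% and profile locations are per-user, so run the check in each user's context. A name-only hit is a lead to investigate; a matching size or a "dmx" Run value pointing at the listed path is stronger evidence.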
