Win32/TrojanDownloader.Autoit.NUV [Threat Name]

Win32/TrojanDownloader.Autoit.NUV [Threat Variant Name]

Category trojan
Size 940032 B
Detection created Oct 07, 2014
Detection database version 10524
Aliases TrojanDownloader:AutoIt/Browzip.A (Microsoft)
Short description

Win32/TrojanDownloader.Autoit.NUV is a trojan which tries to download other malware from the Internet.

Installation

The trojan does not create any copies of itself.


The trojan creates the following folders:

  • %appdata%\Mozila\

The following file is dropped into the %appdata%\Mozila\ folder:

  • ver.dat

Other information

The following programs are terminated:

  • chrome.exe
  • firefox.exe
  • browser.exe
  • opera.exe
  • scvhost.exe

The trojan contains a URL address.


It tries to download several files from the address. The HTTP protocol is used.


The files are stored in the following locations:

  • %appdata%\Mozila\update.zip (Win32/TrojanDownloader.Autoit.NVB)
  • %appdata%\Mozila\background.js (JS/ExtenBro.FBook.DD)
  • %appdata%\Mozila\SyncData.sqlite3
  • %appdata%\Mozila\SyncData.sqlite3-journal
  • %appdata%\Mozila\ff.zip (JS/ExtenBro.FBook.CU)
  • %appdata%\Mozila\btc.exe (Win32/CoinMiner.VI)

The trojan extracts update.zip archive content into the following folder:

  • %appdata%\Mozila\

The archive contains the following files:

  • scvhost.exe (Win32/TrojanDownloader.Autoit.NVB)

The following Registry entry is set:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "Samsung Appstore" = ""%appdata%\Mozila\scvhost.exe" "%textstring%""

The trojan executes the following files:

  • %appdata%\Mozila\scvhost.exe
  • %appdata%\Mozila\btc.exe

The trojan installs browser extensions for the following browsers:

  • Mozilla Firefox
  • Google Chrome
  • Yandex browser
  • Opera
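
A triage check built from the indicators listed above, added here as an example and not ESET's code: it flags Run values that start a program from %appdata%\Mozila\ and files in that folder matching the listed names. The function names, the sample profile path and the sample Run and file entries are constructed; the inputs are assumed to be exported Run values and a file listing for one user.

```python
import ntpath
import re

# Indicators from the description above (DROPPED lower-cased for comparison).
DROP_DIR = r"%appdata%\Mozila"
DROPPED = {"ver.dat", "update.zip", "background.js", "syncdata.sqlite3",
           "syncdata.sqlite3-journal", "ff.zip", "btc.exe", "scvhost.exe"}
RUN_VALUE = "samsung appstore"

def normalize(path, appdata):
    """Expand %appdata% and canonicalise a Windows path for comparison."""
    path = re.sub("%appdata%", lambda m: appdata, path.strip('" '), flags=re.I)
    return ntpath.normcase(ntpath.normpath(path))

def run_target(data):
    """Executable part of Run-value data, which may be quoted and carry arguments."""
    m = re.match(r'\s*"+([^"]+)"', data)
    return m.group(1) if m else data.strip().split(" ")[0]

def triage(run_values, file_paths, appdata):
    """Return sorted (kind, item) findings for one user profile."""
    drop_dir = normalize(DROP_DIR, appdata)
    findings = set()
    for name, data in run_values.items():
        if ntpath.dirname(normalize(run_target(data), appdata)) == drop_dir:
            findings.add(("run-key-target", name))   # autostart from drop folder
        elif name.lower() == RUN_VALUE:
            findings.add(("run-key-name", name))     # same value name, other path
    for p in file_paths:
        n = normalize(p, appdata)
        if ntpath.dirname(n) == drop_dir and ntpath.basename(n) in DROPPED:
            findings.add(("dropped-file", p))
    return sorted(findings)

# Constructed sample data for one profile (not from a real host).
APPDATA = r"C:\Users\alice\AppData\Roaming"
SAMPLE_RUN = {
    "Samsung Appstore": r'"C:\Users\alice\AppData\Roaming\Mozila\scvhost.exe" "x"',
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
}
SAMPLE_FILES = [
    r"C:\Users\alice\AppData\Roaming\Mozila\btc.exe",
    r"C:\Users\alice\AppData\Roaming\Mozilla\Firefox\profiles.ini",
    r"C:\Windows\System32\svchost.exe",
]

if __name__ == "__main__":
    for finding in triage(SAMPLE_RUN, SAMPLE_FILES, APPDATA):
        print(finding)
```

The legitimate Mozilla profile path and System32\svchost.exe in the sample are not flagged, because matching is on the exact folder name Mozila and the listed file names.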
