VBS/Agent.NUG [Threat Name]
VBS/Agent.NUG [Threat Variant Name]
Category | trojan
Aliases | Trojan.Agent.DXSY (BitDefender), Trojan.Script.Miner.c (Kaspersky)
Short description
VBS/Agent.NUG serves as a backdoor. It can be controlled remotely.
The trojan can use the hardware resources of the infected computer for mining the Bitcoin digital currency.
Installation
The trojan may create the following files:
- C:\%random%___\%random%.exe
- C:\%random%___\test.au3
- C:\%random%___\shell.txt
- C:\%random%___\pe.bin
- %appdata%\%random%\lf.txt
- %appdata%\%random%\xmr10.bin
- %appdata%\%random%\%random%.log
- C:\ProgramData\%random%\PE.bin
- C:\ProgramData\%random%\shell.txt
- C:\ProgramData\%random%\%random%.exe
- C:\ProgramData\%random%\%random%.au3p
%random% represents random text.
In order to be executed on every system start, the trojan modifies the following Registry keys:
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
The value written under these keys is:
- "%random%" = "C:\ProgramData\%random%\%random%.exe C:\ProgramData\%random%\%random%.au3"
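The file names and the Run/RunOnce command shape listed above are stable even though the directory names are random, so a defender can audit a host for them. The following PowerShell script is an added example, not part of the original threat description or any vendor tool; it assumes it is run as the user whose HKEY_CURRENT_USER hive should be inspected, matches Run/RunOnce values on the "<exe> <script>.au3" command shape under C:\ProgramData, and looks one directory level below the listed roots for the fixed file names. The regular expression and the directory filter "*___" (from the C:\%random%___\ paths) are assumptions derived from the paths as listed, not identifiers from the page.

```powershell
# Added example: audit a Windows host for the persistence entries and
# dropped-file markers described for VBS/Agent.NUG. Read-only; it reports
# findings and changes nothing.

$runKeys = @(
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Command shape from the description:
#   C:\ProgramData\<random>\<random>.exe C:\ProgramData\<random>\<random>.au3
# (assumed regex; the dropped script file is listed as .au3p, so both are accepted)
$suspiciousCommand = '^\s*"?C:\\ProgramData\\[^\\]+\\[^\\]+\.exe"?\s+.*\.au3p?\b'

$findings = @()

foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own metadata properties
        if ($p.Value -is [string] -and $p.Value -match $suspiciousCommand) {
            $findings += [pscustomobject]@{
                Type  = 'RunKey'
                Where = "$key\$($p.Name)"
                Value = $p.Value
            }
        }
    }
}

# Fixed file names from the Installation section; the directory part is random,
# so each root is searched one level deep with a wildcard directory filter.
$markers = @(
    @{ Root = 'C:\';            DirFilter = '*___'; Files = @('test.au3', 'shell.txt', 'pe.bin') },
    @{ Root = 'C:\ProgramData'; DirFilter = '*';    Files = @('PE.bin', 'shell.txt', '*.au3p') },
    @{ Root = $env:APPDATA;     DirFilter = '*';    Files = @('lf.txt', 'xmr10.bin') }
)

foreach ($m in $markers) {
    Get-ChildItem -Path $m.Root -Directory -Filter $m.DirFilter -ErrorAction SilentlyContinue |
        ForEach-Object {
            $dir = $_.FullName
            foreach ($name in $m.Files) {
                Get-ChildItem -Path $dir -Filter $name -File -ErrorAction SilentlyContinue |
                    ForEach-Object {
                        $findings += [pscustomobject]@{
                            Type  = 'DroppedFile'
                            Where = $_.FullName
                            Value = "$($_.Length) bytes"
                        }
                    }
            }
        }
}

if ($findings.Count -eq 0) {
    Write-Output 'No Run/RunOnce entries or dropped-file markers matching VBS/Agent.NUG were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

A hit on the Run-key pattern alone (any executable launched with an AutoIt .au3 script from a random directory under C:\ProgramData) is the stronger signal; the file markers are common names and should be read together with the Run-key result rather than on their own.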
Information stealing
VBS/Agent.NUG is a trojan that steals passwords and other sensitive information.
The following information is collected:
- ProductID
- CPU information
- computer name
- user name
- volume serial number
- locale
- amount of operating memory
- installed antivirus software
- list of running processes
- logged keystrokes
- web browser history
- login passwords for certain applications/services
The trojan attempts to send the collected information, as an archive, to a remote machine.
Payload information
It may perform the following actions:
- download files from a remote computer and/or the Internet
- terminate processes
- execute shell commands
- run executable files
- turn the display off
- shut down/restart the computer
- delete cookies
- disable System Restore
- perform Bitcoin mining
The trojan can terminate the following processes:
- vbc.exe
- notepad.exe
- werfault.exe
- systeminfo.exe
Other information
The trojan acquires data and commands from a remote computer or the Internet.
The trojan contains a list of 11 URLs. The HTTP protocol is used in the communication.