VBS/Agent.NUG [Threat Name] go to Threat

VBS/Agent.NUG [Threat Variant Name]

Category trojan
Aliases Trojan.Agent.DXSY (BitDefender)
  Trojan.Script.Miner.c (Kaspersky)
Short description

VBS/Agent.NUG serves as a backdoor. It can be controlled remotely.

The trojan can use the hardware resources of the infected computer for mining the Bitcoin digital currency.


The trojan may create the following files:

  • C:\­%random%___\­%random%.exe
  • C:\­%random%___\­test.au3
  • C:\­%random%___\­shell.txt
  • C:\­%random%___\­pe.bin
  • %appdata%\­%random%\­lf.txt
  • %appdata%\­%random%\­xmr10.bin
  • %appdata%\­%random%\­%random%.log
  • C:\­ProgramData\­%random%\­PE.bin
  • C:\­ProgramData\­%random%\­shell.txt
  • C:\­ProgramData\­%random%\­%random%.exe
  • C:\­ProgramData\­%random%\­%random%.au3p

%random% represents a random text.

In order to be executed on every system start, the trojan modifies the following Registry key:

  • HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run
  • HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­RunOnce
  • "%random%" = "C:\­ProgramData\­%random%\­%random%.exe C:\­ProgramData\­%random%\­%random%.au3"
Information stealing

VBS/Agent.NUG is a trojan that steals passwords and other sensitive information.

The following information is collected:

  • ProductID
  • CPU information
  • computer name
  • user name
  • volume serial number
  • locale
  • amount of operating memory
  • installed antivirus software
  • list of running processes
  • logged keystrokes
  • web browser history
  • login passwords for certain applications/services

The trojan attempts to send the archive to a remote machine.

Payload information

It may perform the following actions:

  • download files from a remote computer and/or the Internet
  • terminating processes
  • execute shell commands
  • run executable files
  • turn the display off
  • shut down/restart the computer
  • delete cookies
  • disable System Restore
  • perform Bitcoin mining

The trojan can terminate the following processes:

  • vbc.exe
  • notepad.exe
  • werfault.exe
  • systeminfo.exe
Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of 11 URLs. The HTTP protocol is used in the communication.

Please enable Javascript to ensure correct displaying of this content and refresh this page.