Win32/Agent.NAH [Threat Name]
Win32/Agent.NAH [Threat Variant Name]
Category | virus
Size | 240 KB
Aliases | W32/W.B (F-Secure), Generic.dx (McAfee)
Short description
Win32/Agent.NAH is a file infector.
Installation
When executed, the virus creates the following folder:
- %system_drive%\Documents and Settings\All Users\Application Data\Microsoft\MsDirect\
The following files are dropped in the same folder:
- msdirect.dll (77 824 B)
- msdirect.exe (172 544 B)
- mskernel.sys (6272 B)
The following file is dropped into the %windir% folder:
- _setup.exe
The following file is dropped into the current folder:
- flower.jpg (112624 B)
The virus opens the file using the default image viewer.
The virus registers itself as a system service using the following name:
- COM+
The virus loads and injects the msdirect.dll library into the following processes:
- %windir%\explorer.exe
- firefox.exe
- iexplore.exe
- myie.exe
- netscape.exe
- opera.exe
Executable file infection
The virus searches for executables with one of the following extensions:
- .exe
Files are infected by adding a new section that contains the virus.
The host file is modified so that the virus code executes before the original code.
The size of the inserted code is 240 KB.
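A triage check for the infection layout described above, written for this page as an added example (it is not ESET's detection logic): it parses the PE headers and flags files whose entry point lies in the final section when that section is at least 240 KB. The function names, the `.added` section name and the two header-only sample images are constructed for illustration.

```python
import struct

INSERTED_SIZE = 240 * 1024  # size of the inserted code, as stated on this page

def pe_sections(data):
    """Return (entry_rva, [(name, vaddr, vsize, raw_size), ...]), or None if not a PE."""
    try:
        if data[:2] != b"MZ":
            return None
        pe = struct.unpack_from("<I", data, 0x3C)[0]             # e_lfanew
        if data[pe:pe + 4] != b"PE\0\0":
            return None
        nsec = struct.unpack_from("<H", data, pe + 6)[0]         # NumberOfSections
        opt_size = struct.unpack_from("<H", data, pe + 20)[0]    # SizeOfOptionalHeader
        entry = struct.unpack_from("<I", data, pe + 24 + 16)[0]  # AddressOfEntryPoint
        table, secs = pe + 24 + opt_size, []
        for i in range(nsec):                                    # 40-byte section headers
            name, vsize, vaddr, rsize = struct.unpack_from("<8sIII", data, table + 40 * i)
            secs.append((name.rstrip(b"\0").decode("latin-1"), vaddr, vsize, rsize))
        return entry, secs
    except struct.error:                                         # truncated headers
        return None

def entry_in_large_last_section(data, min_size=INSERTED_SIZE):
    """Heuristic: entry point is inside the last section and that section is >= min_size."""
    parsed = pe_sections(data)
    if not parsed or len(parsed[1]) < 2:
        return False
    entry, secs = parsed
    _, vaddr, vsize, rsize = secs[-1]
    span = max(vsize, rsize)
    return vaddr <= entry < vaddr + span and span >= min_size

def build_headers(entry, sections):
    """Constructed, header-only PE32 image for the demo; it contains no code."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0xE0, 0x102)
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                        # PE32 magic
    struct.pack_into("<I", opt, 16, entry)
    table = b"".join(struct.pack("<8sIIII", n, vs, va, rs, 0) + bytes(16)
                     for n, va, vs, rs in sections)
    return bytes(dos) + coff + bytes(opt) + table

BASE = [(b".text", 0x1000, 0x5000, 0x5000), (b".data", 0x6000, 0x1000, 0x1000)]
CLEAN = build_headers(0x1000, BASE)                              # entry in .text
SUSPECT = build_headers(0x8000, BASE + [(b".added", 0x8000, 0x3C000, 0x3C000)])
```

Packers and protectors also place the entry point in the last section, so a hit is a reason to scan the file, not a verdict.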
Information stealing
The virus is able to log keystrokes.
The data is saved in the following file:
- msoffice.log
The virus can send the information to a remote machine. The SMTP protocol is used.
Other information
The virus creates the following file:
- app log.log