Win32/Agent.NAH [Threat Name]

Win32/Agent.NAH [Threat Variant Name]

Category: virus
Size: 240 KB
Aliases: W32/W.B (F-Secure), Generic.dx (McAfee)

Short description

Win32/Agent.NAH is a file infector.


When executed, the virus creates the following folder:

  • %system_drive%\Documents and Settings\All Users\Application Data\Microsoft\MsDirect\

The following files are dropped in the same folder:

  • msdirect.dll (77 824 B)
  • msdirect.exe (172 544 B)
  • mskernel.sys (6272 B)

The following file is dropped into the %windir% folder:

  • _setup.exe

The following file is dropped into the current folder:

  • flower.jpg (112624 B)

The virus opens the file using the default image viewer.

The virus registers itself as a system service using the following name:

  • COM+

The virus loads and injects the msdirect.dll library into the following processes:

  • %windir%\explorer.exe
  • firefox.exe
  • iexplore.exe
  • myie.exe
  • netscape.exe
  • opera.exe

Executable file infection

The virus searches for executables with one of the following extensions:

  • .exe

Files are infected by adding a new section that contains the virus.

The host file is modified in a way that causes the virus to be executed prior to running the original code.

The size of the inserted code is 240 KB.

Information stealing

The virus is able to log keystrokes.

The data is saved in the following file:

  • msoffice.log

The virus can send the information to a remote machine. The SMTP protocol is used.

Other information

The virus creates the following file:

  • app log.log
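
The dropped files listed above can be checked on a mounted volume or disk image with a short triage script. This is an added example, not part of the original description; the function name triage, the grade labels and the default Windows folder name WINDOWS are assumptions made for illustration.

```python
import os
import sys

# Indicators copied from the description above; sizes are in bytes.
MSDIRECT_DIR = "Documents and Settings/All Users/Application Data/Microsoft/MsDirect"
MSDIRECT_FILES = {"msdirect.dll": 77824, "msdirect.exe": 172544, "mskernel.sys": 6272}
# Files whose folder the description does not pin down; None = no size given.
ANYWHERE = {"flower.jpg": 112624, "msoffice.log": None, "app log.log": None}


def triage(drive_root, windir="WINDOWS"):
    """Walk a mounted volume and return sorted (relative_path, grade) pairs.

    Grades: 'folder', 'size-match', 'size-differs', 'name-only' (no size known).
    The windir folder name is an assumption; pass the real one for the image.
    """
    fixed = {f"{MSDIRECT_DIR}/{n}".lower(): s for n, s in MSDIRECT_FILES.items()}
    fixed[f"{windir}/_setup.exe".lower()] = None
    findings = []
    for dirpath, _dirs, files in os.walk(drive_root):
        rel_dir = os.path.relpath(dirpath, drive_root).replace(os.sep, "/")
        if rel_dir.lower() == MSDIRECT_DIR.lower():
            findings.append((rel_dir, "folder"))
        for name in files:
            rel = name if rel_dir == "." else f"{rel_dir}/{name}"
            # Windows names are case-insensitive, so compare lower-cased.
            if rel.lower() in fixed:
                expected = fixed[rel.lower()]
            elif name.lower() in ANYWHERE:
                expected = ANYWHERE[name.lower()]
            else:
                continue
            if expected is None:
                grade = "name-only"
            elif os.path.getsize(os.path.join(dirpath, name)) == expected:
                grade = "size-match"
            else:
                grade = "size-differs"
            findings.append((rel, grade))
    return sorted(findings)


if __name__ == "__main__":
    # Usage: python triage.py <mount point of the volume to check>
    for path, grade in triage(sys.argv[1] if len(sys.argv) > 1 else "."):
        print(f"{grade:13} {path}")
```

A name-only or size-differs hit is a lead to confirm with a scanner, since names such as flower.jpg or _setup.exe also occur on clean systems.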

