Win32/Autoit.NXW [Threat Name] go to Threat

Win32/Autoit.NXW [Threat Variant Name]

Category trojan
Size 256887 B
Detection created Dec 01, 2015
Detection database version 12655
Aliases Trojan.Win32.Autoit.fdj (Kaspersky)
Short description

Win32/Autoit.NXW is a trojan designed to deliver various adware/potentially unwanted applications to the user's systems. It is written in AutoIt . The trojan is usually a part of other malware.


The trojan does not create any copies of itself.

The trojan creates the following files:

  • %appdata%\­Mozila\­ver.dat (3 B)
  • %desktop%\­Google Chrome.lnk
  • %desktop%\­Internet Explorer.lnk

The following Registry entries are set:

  • [HKEY_CURRENT_USER\­Software\­Google\­Update\­ClientState\­{8A69D345-D564-463C-AFF1-A69D9E530F96}]
    • "ap" = "2.0-dev-multi-chrome"
  • [HKEY_CURRENT_USER\­Software\­Google\­Update\­ClientState\­{4DC8B4CA-1BDA-483e-B5FA-D3C12E15B62D}]
    • "ap" = "2.0-dev-multi-chrome"
  • [HKEY_CURRENT_USER\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "Samsung Appstore" = ""%appdata%\­Mozila\­autoit.exe" "%appdata%\­Mozila\­up.au3""
Payload information

The trojan installs browser extensions for the following browsers:

  • Google Chrome
  • Mozilla Firefox
Other information

The trojan may delete the following files:

  • %desktop%\­*Chrome*.lnk
  • %desktop%\­*Chrome*.lnk
  • %desktop%\­*Google*.lnk
  • %desktop%\­*Google*.lnk
  • %desktop%\­*Internet*.lnk
  • %desktop%\­*Internet*.lnk
  • %desktop%\­*Explorer*.lnk
  • %desktop%\­*Explorer*.lnk

The trojan may delete the following folders:

  • C:\­Documents and Settings\­%username%\­Application Data\­Mozilla\­Firefox\­Profiles\­%profile%\­extensions
  • C:\­Documents and Settings\­%username%\­AppData\­Roaming\­Mozilla\­Firefox\­Profiles\­%profile%\­extension

The trojan can terminate the following processes:

  • chrome.exe
  • firefox.exe
  • browser.exe
  • opera.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.