Win32/Inject.NAF [Threat Name]

Win32/Inject.NAF [Threat Variant Name]

Category trojan
Size 404029 B
Detection created Jun 30, 2007
Detection database version 2365
Aliases Generic5.BZX (Grisoft)
  BehavesLike:Win32.ExplorerHijack (BitDefender)
  VirTool:Win32/Obfuscator.C (Microsoft)
Short description

Win32/Inject.NAF installs a backdoor that can be controlled remotely.

Installation

When executed, the trojan drops the following file into the %temp% folder:

  • sy.exe (7940 B)

The following files are dropped into the %system% folder:

  • rpcrt2.dll (5061 B)
  • rpcInit.exe (1900 B)

The library rpcrt2.dll is loaded and injected into the following process:

  • iexplore.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run]
    • "rpcinit" = "%system%\rpcInit.exe"
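
A read-only triage check for the installation artifacts listed above, added here as an example and not part of the original description. The SysWOW64 and WOW6432Node locations are assumptions added to cover 32-bit redirection on 64-bit Windows, and %temp% is resolved for the user running the script.

```powershell
# Added example: read-only check for the artifacts named in this description.
$sysDirs = @([Environment]::SystemDirectory,
             (Join-Path $env:windir 'SysWOW64'))   # 32-bit view: assumption for 64-bit hosts
$files = @(
    @{ Dir = @([IO.Path]::GetTempPath()); Name = 'sy.exe';      Size = 7940 },
    @{ Dir = $sysDirs;                    Name = 'rpcrt2.dll';  Size = 5061 },
    @{ Dir = $sysDirs;                    Name = 'rpcInit.exe'; Size = 1900 }
)
$runKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run',
    # 32-bit registry view: assumption, not listed in the description
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\policies\Explorer\Run'
)
$findings = @()

# 1. Dropped files; a size equal to the described one strengthens the hit.
foreach ($f in $files) {
    foreach ($d in $f.Dir) {
        $item = Get-Item -LiteralPath (Join-Path $d $f.Name) -Force -ErrorAction SilentlyContinue
        if ($item) {
            $findings += [pscustomobject]@{
                Type   = 'File'; Item = $item.FullName
                Detail = "size $($item.Length) B, described $($f.Size) B, match=$($item.Length -eq $f.Size)"
            }
        }
    }
}

# 2. Persistence value "rpcinit" under policies\Explorer\Run.
foreach ($k in $runKeys) {
    $v = (Get-ItemProperty -LiteralPath $k -Name 'rpcinit' -ErrorAction SilentlyContinue).rpcinit
    if ($v) { $findings += [pscustomobject]@{ Type = 'Registry'; Item = $k; Detail = "rpcinit = $v" } }
}

# 3. rpcrt2.dll loaded inside a running iexplore.exe.
foreach ($p in Get-Process -Name iexplore -ErrorAction SilentlyContinue) {
    try {
        foreach ($m in @($p.Modules | Where-Object { $_.ModuleName -ieq 'rpcrt2.dll' })) {
            $findings += [pscustomobject]@{ Type = 'Module'; Item = "iexplore.exe PID $($p.Id)"; Detail = $m.FileName }
        }
    } catch { Write-Warning "Cannot list modules of PID $($p.Id): $($_.Exception.Message)" }
}

if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No artifacts from this description found.' }
```

A hit on file name alone is only a lead. Module listing can fail or be incomplete across privilege or bitness boundaries, so an empty result does not prove the host is clean.
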
Other information

The file %system%\rpcrt2.dll is a trojan.

It can be controlled remotely.

It may perform the following actions:

  • terminate running processes
  • run executable files
  • send the list of running processes to a remote computer
  • set file attributes
  • delete folders
  • create folders
  • move files
  • download files from a remote computer and/or the Internet
  • send files to a remote computer
  • send the list of disk devices and their type to a remote computer
