Win32/Inject.NDR [Threat Name] go to Threat

Win32/Inject.NDR [Threat Variant Name]

Category trojan,worm
Size 319488 B
Aliases Worm.Win32.AutoRun.bliz (Kaspersky)
  Trojan:Win32/Rimecud (Microsoft)
  W32.Pilleuz (Symantec)
Short description

Win32/Inject.NDR is a worm that spreads via removable media. The worm contains a backdoor. It can be controlled remotely.


When executed, the worm copies itself into the following location:

  • %appdata%\­djjqs.exe

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows NT\­CurrentVersion\­Winlogon]
    • "Taskman" = "%appdata%\­djjqs.exe"
    • "Shell" = "explorer.exe,%appdata%\­djjqs.exe"
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • little.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

Other information

The worm creates and runs a new thread with its own program code within the following processes:

  • explorer.exe

The worm receives data and instructions for further action from the Internet or another remote computer within its own network (botnet).

It can execute the following operations:

  • perform DoS/DDoS attacks
  • download files from a remote computer and/or the Internet
  • run executable files
  • set up a proxy server
  • spread via MSN network

Please enable Javascript to ensure correct displaying of this content and refresh this page.