Win32/Spy.Small.NDA [Threat Name] go to Threat

Win32/Spy.Small.NDA [Threat Variant Name]

Category trojan
Size 94720 B
Aliases Win32.HLLM.Graz (Dr.Web)
Short description

The trojan collects various sensitive information. The trojan attempts to send gathered information to a remote machine.


The trojan does not create any copies of itself.

The trojan creates the following file:

  • %appdata%\­Microsoft\­Windows\­Start Menu\­Programs\­Startup\­service.lnk

The file is a shortcut to a malicious file.

This way the trojan ensures that the file is executed on every system start.

Information stealing

Win32/Spy.Small.NDA is a trojan that steals sensitive information.

The trojan collects the following information:

  • computer name
  • user name
  • operating system version
  • hardware information
  • information about the operating system and system settings
  • network parameters
  • list of files/folders on a specific drive

The collected information is stored in the following files:

  • %appdata%\­temp\­scoutpost.bin
  • %appdata%\­temp\­scouthead.bin
  • %appdata%\­temp\­scoutlands_base.bin
  • %appdata%\­temp\­scoutlands_%driveletter%_G.bin
  • %appdata%\­temp\­scoutlands_%driveletter%_R.bin
  • %appdata%\­temp\­scoutlands_%driveletter%_N.bin
  • %appdata%\­temp\­scoutlands_%driveletter%_U.bin
  • %temp%\­seeker.gps

The trojan searches local, removable and network drives for files that meet certain criteria.

The trojan attempts to send gathered information to a remote machine.

The trojan contains a URL address. The HTTP protocol is used in the communication.

Other information

The trojan terminates its execution if it detects that it's running in a specific virtual environment.

Trojan detects the presence of the following applications:

  • VMware
  • Oracle VirtualBox

The trojan may attempt to download files from the Internet.

The file is stored in the following location:

  • %appdata%\­fuels.exe

The trojan may execute the following files:

  • %programfiles%\­WinRAR\­Rar.exe
  • %appdata%\­fuels.exe

The trojan executes the following commands:

  • cmd.exe /c "ver > "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "chcp >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "date /t >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "time /t >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "systeminfo >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "net share >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "net use >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "net start >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "net user >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "net localgroup >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "ipconfig /all >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "tasklist >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "tasklist /svc >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "netstat -rn >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "netstat -ao >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "arp -a >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "tracert -h 5 >> "%appdata%\­temp\­scouthead.bin""
  • cmd.exe /c "dir > "%appdata%\­temp\­scoutlands_base.bin""
  • cmd.exe /c "dir "%ProgramFiles%" >> "%appdata%\­temp\­scoutlands_base.bin""
  • cmd.exe /c "dir "%ProgramData%" >> "%appdata%\­temp\­scoutlands_base.bin""
  • cmd.exe /c "dir /s "%userprofile%" >> "%appdata%\­temp\­scoutlands_base.bin""
  • cmd.exe /c "dir /s "%driveletter%:\­" > "%appdata%\­temp\­scoutlands_%driveletter%_G.bin""
  • cmd.exe /c "dir /s "%driveletter%:\­" > "%appdata%\­temp\­scoutlands_%driveletter%_R.bin""
  • cmd.exe /c "dir /s "%driveletter%:\­" > "%appdata%\­temp\­scoutlands_%driveletter%_N.bin""
  • cmd.exe /c "dir /s "%driveletter%:\­" > "%appdata%\­temp\­scoutlands_%driveletter%_U.bin""

The trojan creates the following files:

  • %temp%\­scoutfshs.tmp
  • %temp%\­scoutfshl.tmp
  • %temp%\­vests.bob
  • %temp%\­fmeteorh.log
  • %temp%\­vestiges.pat

Please enable Javascript to ensure correct displaying of this content and refresh this page.