Threat Encyclopedia


Short description
Win32/Agent.NPD installs a backdoor that can be controlled remotely.

Installation
When executed, the trojan drops the following files in the %system% folder:
  • lamhost.dll (14336 B)
  • nvpc32.exe (6656 B)
The trojan registers itself as a system service using the following name:
  • nVidia Program Config


The trojan loads and injects the %system%\lamhost.dll library into the following processes:
  • iexplore.exe
  • explorer.exe
  • services.exe
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NVPC]
    "Type" = 16
    "Start" = 2
    "ErrorControl" = 0
    "ImagePath" = "%system%\nvpc32.exe"
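
One way to check a collected service listing for the registry entries above, as an added example that is not part of the original description. It assumes the text was produced by `reg query HKLM\SYSTEM\CurrentControlSet\Services /s`; the function names and the sample output are constructed for illustration.

```python
import re
# Indicators copied from the description above (Type 16 = own-process service, Start 2 = automatic).
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NVPC"
IMAGE_NAME = "nvpc32.exe"
EXPECTED = {"type": 16, "start": 2, "errorcontrol": 0}
# Assumed `reg query` layout: indented "name    REG_TYPE    data" rows under each key line.
VALUE_RE = re.compile(r"^\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$")

def parse_reg_query(text):
    """Return {key_path: {lowercased_value_name: data}} from `reg query ... /s` text."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            current = keys.setdefault(line.strip(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, kind, data = m.groups()
            if kind == "REG_DWORD":
                data = int(data, 16)  # reg.exe prints DWORD data as 0x-prefixed hex
            current[name.lower()] = data
    return keys

def image_basename(image_path):
    """Lowercased .exe file name of an ImagePath, ignoring quotes, folders and arguments."""
    m = re.search(r'([^\\/"]+\.exe)', str(image_path), re.IGNORECASE)
    return m.group(1).lower() if m else ""

def find_indicators(text):
    """Flag service keys that match the documented key name or the documented binary name."""
    findings = []
    for key, values in parse_reg_query(text).items():
        key_hit = key.upper() == SERVICE_KEY.upper()
        image_hit = image_basename(values.get("imagepath", "")) == IMAGE_NAME
        if key_hit or image_hit:
            matched = sorted(n for n, v in EXPECTED.items() if values.get(n) == v)
            findings.append({"key": key, "key_match": key_hit,
                             "image_match": image_hit, "values_matched": matched})
    return findings

# Constructed sample output (not captured from a real host).
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NVPC
    Type    REG_DWORD    0x10
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x0
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\nvpc32.exe
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler
    ImagePath    REG_EXPAND_SZ    %SystemRoot%\System32\spoolsv.exe
"""
print(find_indicators(SAMPLE))
```

Matching on the binary name as well as the key name also surfaces a service key that points at the same file under a different key name.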

Other information
The trojan serves as a backdoor. It can be controlled remotely.

The trojan receives data and commands from a remote computer or the Internet.

The trojan contains a list of 2 URLs.

It can execute the following operations:
  • terminate running processes
  • run executable files
  • download files from a remote computer and/or Internet
  • send files to a remote computer
  • send the list of disk devices and their type to a remote computer
  • send the list of running processes to a remote computer
The trojan creates the following files:
  • file.tmp
The trojan may create copies of itself using the following filenames:
  • %temp%\Del%variable%.tmp (26027 B)
A string with variable content is used instead of %variable%.