Threat Encyclopedia

Win32/PSW.Agent.NPI

Aliases: Trojan-Spy.Win32.Agent.bcqg (Kaspersky), Trojan:Win32/Trafog!rts (Microsoft), Generic PWS.y!bts (McAfee)
Type of infiltration: Trojan
Size: 275968 B
Affected platforms: Microsoft Windows
Signature database version: 4811 (20100127)

Short description

The trojan is designed to artificially generate traffic to certain Internet sites. The file is run-time compressed using UPX.

Installation

When executed, the trojan creates the following files:
  • %system%\scvhost.exe (275968 B)
  • %windir%\shot.pre
  • %windir%\sunx.reg
In order to be executed on every system start, the trojan sets the following Registry entries:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    "DirectX For Microsoft® Windows" = "%system%\scvhost.exe -ax"
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    "DirectX For Microsoft® Windows" = "%system%\scvhost.exe -ax"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%system%\scvhost.exe" = "%system%\scvhost.exe:*:Enabled:sounddrv.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%system%\scvhost.exe" = "%system%\scvhost.exe:*:Enabled:sounddrv.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    "%system%\scvhost.exe" = "%system%\scvhost.exe:*:Enabled:sounddrv.exe"
  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\AuthorizedApplications\List]
    "%system%\scvhost.exe" = "%system%\scvhost.exe:*:Enabled:sounddrv.exe"
These entries add an exception for the file to the Windows Firewall, in both the standard and the domain profile. Note that the display name registered for the exception (sounddrv.exe) does not match the file it authorizes (scvhost.exe).

The following Registry entries are set:
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
    "NofolderOptions" = 1
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
    "force-guest" = 0
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
    "DisableSR" = 1
    "DisableConfig" = 1
Setting DisableSR and DisableConfig turns off System Restore and its configuration page; NofolderOptions removes the Folder Options menu item, which makes it harder for the user to reveal hidden files.
The following Registry entry is deleted:
  • [HKEY_CURRENT_USER\AppEvents\Schemes\Apps\Explorer\Navigating\.Current]
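The registry changes listed under Installation are the kind of indicators a defender can check for offline. The following is an added example, not code from the encyclopedia entry or from the product it belongs to: it parses a plain-text registry export (the .reg format written by `reg export`) and flags the autorun entries, the firewall exception with a mismatched display name, the System Restore switches and the Folder Options policy described above. It assumes only string and dword values occur in the export, and the file names it looks for (scvhost.exe, sounddrv.exe) are the ones the entry lists; the sample export itself is constructed.

```python
"""Scan a .reg text export for the indicators listed for Win32/PSW.Agent.NPI.
Added example; assumes only string and dword values and a plain-text export."""
import re

# Constructed sample export: the entry's values plus one benign Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
"DirectX For Microsoft® Windows"="C:\\WINDOWS\\system32\\scvhost.exe -ax"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\system32\\scvhost.exe"="C:\\WINDOWS\\system32\\scvhost.exe:*:Enabled:sounddrv.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore]
"DisableSR"=dword:00000001
"DisableConfig"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions"=dword:00000001
'''

RUN_KEYS = {
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
}
# scvhost.exe is a look-alike of the legitimate svchost.exe, so the match is on
# the exact file name, not a substring; sounddrv.exe is the firewall display name.
SUSPECT_BINARIES = {"scvhost.exe", "sounddrv.exe"}


def unescape(s):
    """Undo .reg escaping: backslash-x becomes x (so \\\\ -> \\ and \\" -> ")."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Parse .reg text into {key: {value_name: value}}; dwords become ints."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m is None or current is None:
            continue  # header, blank line, default value or unsupported type
        name, rhs = unescape(m.group(1)), m.group(2)
        if rhs.startswith("dword:"):
            value = int(rhs[len("dword:"):], 16)
        elif len(rhs) >= 2 and rhs[0] == rhs[-1] == '"':
            value = unescape(rhs[1:-1])
        else:
            value = rhs
        keys[current][name] = value
    return keys


def exe_name(command):
    """Lower-cased file name of the program in a command line or path."""
    command = command.strip()
    if command.startswith('"'):
        path = command[1:].split('"', 1)[0]
    else:
        path = command.split(" ", 1)[0]
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def scan(keys):
    """Return a list of findings, one dict per suspicious value."""
    found = []
    for key, values in keys.items():
        k = key.lower()
        for name, value in values.items():
            if k in RUN_KEYS:
                exe = exe_name(str(value))
                if exe in SUSPECT_BINARIES:
                    found.append({"kind": "autorun", "key": key, "name": name, "detail": exe})
            elif "\\firewallpolicy\\" in k and k.endswith(r"\authorizedapplications\list"):
                # Value format is path:scope:Enabled|Disabled:display name.
                parts = str(value).rsplit(":", 3)
                if len(parts) != 4:
                    continue
                path, _scope, state, display = parts
                exe = exe_name(path)
                if exe in SUSPECT_BINARIES or display.lower() != exe:
                    found.append({"kind": "firewall-exception", "key": key, "name": name,
                                  "detail": f"{exe} shown as {display} ({state})"})
            elif k.endswith(r"\windows nt\currentversion\systemrestore"):
                if name.lower() in ("disablesr", "disableconfig") and value == 1:
                    found.append({"kind": "system-restore-disabled", "key": key, "name": name, "detail": value})
            elif k.endswith(r"\policies\explorer"):
                if name.lower() == "nofolderoptions" and value == 1:
                    found.append({"kind": "folder-options-hidden", "key": key, "name": name, "detail": value})
    return found


def scan_reg_text(text):
    return scan(parse_reg(text))


if __name__ == "__main__":
    for f in scan_reg_text(SAMPLE_REG):
        print(f["kind"], f["key"], f["name"], f["detail"])
```

Against the sample it reports one autorun, one firewall exception (whose display name does not match the authorized binary), two System Restore switches and the Folder Options policy, while the benign OneDrive value is ignored. To use it on a real host, feed the output of `reg export` on the keys above, converted to UTF-8, to `scan_reg_text`.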

Other information

The trojan sends HTTP requests to simulate clicks on banner advertisements, to inflate web counter statistics etc.

The trojan receives data and commands from a remote computer or the Internet.

The trojan contains a list of (1) URLs. The HTTP protocol is used.

It can execute the following operations:
  • update itself to a newer version
The trojan may create the following files:
  • %windir%\update.exe