Threat Encyclopedia


Installation
When executed, the trojan copies itself in the %windir% folder using the following name:

9129837.exe

The following file is dropped in the same folder:

new_drv.sys (7680 B)

The trojan registers itself as a system service using the following name:

!!!!

In order to be executed on every system start, the trojan sets the following Registry entry:

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ttool" = "%windir%\9129837.exe"


The following Registry entries are set:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV\0000\Control]
"NewlyCreated" = 0
"ActiveService" = "new_drv"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV\0000]
"Service" = "new_drv"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "!!!!"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_NEW_DRV]
"NextInstance" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv\Enum]
"0" = "Root\LEGACY_NEW_DRV\0000"
"Count" = 1
"NextInstance" = 1

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv]
"Type" = 1
"Start" = 3
"ErrorControl" = 0
"ImagePath" = "%windir%\new_drv.sys"
"DisplayName" = "!!!!"

[HKEY_CURRENT_USER\Software\Microsoft\InetData]
"k1" = %variable1%
"k2" = %variable2%
"version" = 220

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess]
"Start" = 4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc]
"Start" = 4


%variable1% and %variable2% stand for random text.
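The registry and file artifacts listed above can be checked mechanically. The following Python script is an added example, not part of the original description and not an ESET tool: it parses a Windows .reg export (the text format produced by reg export) together with a listing of the %windir% folder and reports which of the indicators above are present. The registry export and the file list embedded in it are constructed for the demonstration, and the InetData k1/k2 values are placeholders for the random text described above. Note that Start = 4 is SERVICE_DISABLED, which is why the SharedAccess and wscsvc entries amount to switching off Windows Firewall/ICS and Security Center.

```python
"""Offline indicator check for the Win32/PSW.Small.NAF artifacts described above.

Added example: parses a .reg export plus a %windir% file listing and reports
which indicators from the description are present. Sample data is constructed.
"""
import re

# Indicators taken from the description above.
RUN_KEY = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ttool"
DROPPED_EXE = "9129837.exe"
DRIVER_FILE = "new_drv.sys"
SERVICE_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv"
INETDATA_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\InetData"
# Services the trojan sets to Start = 4 (SERVICE_DISABLED).
DISABLED_SERVICES = (
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess",
    r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc",
)


def parse_reg_export(text):
    """Parse .reg text into {key (lowercased): {value name: data}}.

    Handles "name"="string" (with \\ unescaped to \) and "name"=dword:HEX,
    which is all the indicators above need; other data types are kept raw.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if m is None or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1].replace("\\\\", "\\")
        else:
            keys[current][name] = data
    return keys


def check_indicators(reg_text, windir_files):
    """Return a list of human-readable hits; an empty list means no indicator matched."""
    keys = parse_reg_export(reg_text)
    hits = []
    run = keys.get(RUN_KEY.lower(), {})
    if DROPPED_EXE.lower() in str(run.get(RUN_VALUE, "")).lower():
        hits.append("Run-key persistence: %s -> %s" % (RUN_VALUE, run[RUN_VALUE]))
    svc = keys.get(SERVICE_KEY.lower(), {})
    if DRIVER_FILE.lower() in str(svc.get("ImagePath", "")).lower():
        hits.append("Driver service new_drv -> %s" % svc["ImagePath"])
    if INETDATA_KEY.lower() in keys:
        hits.append("Configuration key InetData present")
    for key in DISABLED_SERVICES:
        if keys.get(key.lower(), {}).get("Start") == 4:
            hits.append("Service disabled (Start=4): %s" % key.rsplit("\\", 1)[1])
    lowered = {name.lower() for name in windir_files}
    for name in (DROPPED_EXE, DRIVER_FILE):
        if name.lower() in lowered:
            hits.append("File in %%windir%%: %s" % name)
    return hits


# Constructed sample export reproducing the entries from the description.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ttool"="%windir%\\9129837.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\new_drv]
"Type"=dword:00000001
"Start"=dword:00000003
"ErrorControl"=dword:00000000
"ImagePath"="%windir%\\new_drv.sys"
"DisplayName"="!!!!"

[HKEY_CURRENT_USER\Software\Microsoft\InetData]
"k1"="constructed-random-1"
"k2"="constructed-random-2"
"version"=dword:000000dc

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\wscsvc]
"Start"=dword:00000004
'''

# Constructed export of a clean machine: benign Run entry, firewall service automatic.
CLEAN_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="C:\\Users\\user\\OneDrive.exe /background"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000002
'''

# Constructed %windir% listing for the infected sample.
SAMPLE_FILES = ["explorer.exe", "9129837.exe", "new_drv.sys", "notepad.exe"]

if __name__ == "__main__":
    for hit in check_indicators(SAMPLE_REG, SAMPLE_FILES):
        print(hit)
```

On a live host the same check runs against the output of `reg export` for HKCU and HKLM\SYSTEM and a directory listing of %windir%; the two Start = 4 hits are worth treating as an indicator in their own right, since disabling Windows Firewall and Security Center is rarely legitimate on a workstation.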


Information stealing

Win32/PSW.Small.NAF is a trojan that steals passwords and other sensitive information. The trojan gathers information related to the following services:

FTP

POP3

IMAP

ICQ

The trojan can send the gathered information to a remote machine over HTTP, using a URL address contained in its body.


Other information

The trojan alters the behavior of the following processes:

ALG (Application Layer Gateway Service)

SharedAccess (Windows Firewall/Internet Connection Sharing (ICS))

wscsvc (Security Center)

The trojan may create the following files:

%system%\abcdefg.bat

The trojan may delete files stored in the following folders:

%userprofile%\cookies\

The trojan can download and execute a file from the Internet.