Threat Encyclopedia

When executed, the trojan copies itself into the %windir% folder using the following name:


The following file is dropped in the same folder:

new_drv.sys (7680 B)

The trojan registers itself as a system service using the following name:


In order to be executed on every system start, the trojan sets the following Registry entry:

"ttool" = "%windir%\9129837.exe"


The following Registry entries are set:

"NewlyCreated" = 0
"ActiveService" = "new_drv"

"Service" = "new_drv"
"Legacy" = 1
"ConfigFlags" = 0
"Class" = "LegacyDriver"
"ClassGUID" = "{8ECC055D-047F-11D1-A537-0000F8753ED1}"
"DeviceDesc" = "!!!!"

"NextInstance" = 1

"0" = "Root\LEGACY_NEW_DRV\0000"
"Count" = 1
"NextInstance" = 1

"Type" = 1
"Start" = 3
"ErrorControl" = 0
"ImagePath" = "%windir%\new_drv.sys"
"DisplayName" = "!!!!"

"k1" = %variable1%
"k2" = %variable2%
"version" = 220

"Start" = 4

"Start" = 4


%variable1% and %variable2% stand for random text.

Information stealing

Win32/PSW.Small.NAF is a trojan that steals passwords and other sensitive information. The trojan gathers information related to the following services:





The trojan can send the information to a remote machine. It contains a URL and communicates over HTTP.

Other information

The trojan alters the behavior of the following processes:

ALG (Application Layer Gateway Service)

SharedAccess (Windows Firewall/Internet Connection Sharing (ICS))

wscsvc (Security Center)

The trojan may create the following files:


The trojan may delete files stored in the following folders:


The trojan can download and execute a file from the Internet.