Threat Encyclopedia

Win32/PWD.Agent.NAD

Introduction:

Win32/PWD.Agent.NAD is a 30284-byte Trojan used for mass spamming. It lowers the security settings of the infected host by attempting to install proxy functionality. The executable is runtime-packed with UPack, an executable runtime packer, and has additionally been patched by manual opcode manipulation.

Installation and Autostart Techniques:

The Trojan adds the following registry value so that it is run every time Windows starts:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
"WindowsUpdate" = "{TrojanPath and Name}"
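
An added example (not part of the ESET write-up) of how an incident responder could triage this persistence mechanism offline: the script parses a `.reg` export of the `HKLM\...\Run` key, flags the value name "WindowsUpdate" given above, and additionally applies a generic heuristic (autostart executable outside the Windows or Program Files trees) that the write-up does not describe. The export text is constructed; the Trojan's real file path is not given on this page, so the sample uses a placeholder path.

```python
"""Triage of HKLM Run-key autostart entries from a reg.exe export.

Added example, not code from the ESET write-up. Assumes the key was
exported with:
  reg export "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run" run.reg
and read as text. The value name "WindowsUpdate" is the indicator from
the write-up; the path heuristic is a general check, not from the page.
"""
import re

# Constructed sample export (the real Trojan path is not given in the
# write-up, so C:\Users\Public\svchost.exe is a placeholder).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\Windows\\System32\\SecurityHealthSystray.exe"
"WindowsUpdate"="C:\\Users\\Public\\svchost.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\" -n vmusr"
'''

KNOWN_BAD_NAMES = {"windowsupdate"}   # value name used by Win32/PWD.Agent.NAD
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

# One REG_SZ value line: "name"="data", where data may contain \\ and \" escapes.
_VALUE_RE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"\s*$', re.M)


def parse_run_values(reg_text):
    """Return {value_name: unescaped data} for every string value in the export."""
    values = {}
    for m in _VALUE_RE.finditer(reg_text):
        name, data = m.group(1), m.group(2)
        # .reg files escape backslash as \\ and the double quote as \"
        values[name] = data.replace("\\\\", "\\").replace('\\"', '"')
    return values


def executable_path(data):
    """Extract the executable path from a Run value: "quoted path" args, or bare path."""
    data = data.strip()
    if data.startswith('"'):
        return data[1:data.index('"', 1)]
    return data.split(" ")[0]


def triage(reg_text):
    """Return a list of (value_name, exe_path, reason) for suspicious entries."""
    findings = []
    for name, data in parse_run_values(reg_text).items():
        path = executable_path(data)
        reasons = []
        if name.lower() in KNOWN_BAD_NAMES:
            reasons.append("value name matches Win32/PWD.Agent.NAD indicator")
        if not path.lower().startswith(TRUSTED_ROOTS):
            reasons.append("autostart executable outside Windows/Program Files")
        if reasons:
            findings.append((name, path, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for name, path, reason in triage(SAMPLE_REG):
        print(f"{name!r} -> {path}: {reason}")
```

The path heuristic is only a first filter: a dropper that writes into `C:\Windows` would pass it, so the value-name match (and, in practice, a hash or AV verdict on the file itself) is what confirms this particular family.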

Win32/PWD.Agent.NAD is controlled through a server-side PHP administration system, from which preconfigured templates (plain text files) can be sent to every address stored in its database. The Trojan is also able to determine whether AIM e-mail addresses found on the infected system can be used for spamming.

The Trojan tries to install a proxy and reports the successful infection to the online database.

Every time the Trojan is started it reports its activity to the web server. This tells the operator how many infected systems are "ready to use" for spamming. The difference between "Total registered" and "Active" is that an inactive machine may still be infected but has not been seen online within the last 24 hours.

Judging by the large infection count listed under "Created during last week", we assume that this Trojan was first launched last week.

Users of NOD32 were proactively protected from this threat: NOD32 detected this Trojan heuristically.

The Trojan tries to update itself from "best{REMOVED}on.biz" using files named update.exe and/or "linkto1.6.exe". The IP address of the infected machine is logged by the "receive.php" script it calls.

The Trojan contacts "http://{REMOVED}.clslate1703.info" for all PHP logging and updating purposes.
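
An added example (not code from the ESET write-up) showing how the network indicators above can be matched against proxy logs to find the machines that checked in as "ready to use". The domain `clslate1703.info` and the file names `receive.php`, `update.exe` and `linkto1.6.exe` come from the write-up; the host label in front of the domain is redacted on this page, so the sample log uses a placeholder label. The `.biz` update host is redacted too heavily to use as an indicator, so only the file names are matched there, at lower confidence. The log lines and their format (timestamp, client IP, method, URL, status) are constructed.

```python
"""Match Win32/PWD.Agent.NAD C2 indicators against proxy log lines.

Added example, not from the ESET write-up. Indicators from the write-up:
the C2 domain clslate1703.info (host label redacted on the page) and the
file names receive.php, update.exe and linkto1.6.exe. The log format and
every line of SAMPLE_LOG are constructed for this example.
"""
from urllib.parse import urlparse

C2_DOMAINS = ("clslate1703.info",)                              # from the write-up
C2_FILENAMES = {"receive.php", "update.exe", "linkto1.6.exe"}   # from the write-up

# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
# "redacted" stands in for the host label that the write-up removed.
SAMPLE_LOG = """\
1148377200.123 10.0.0.5 GET http://redacted.clslate1703.info/receive.php?ip=10.0.0.5 200
1148377201.456 10.0.0.5 GET http://windowsupdate.microsoft.com/v6/default.aspx 200
1148377202.789 10.0.0.7 GET http://redacted.example.biz/update.exe 200
1148377203.012 10.0.0.7 GET http://redacted.example.biz/linkto1.6.exe 200
1148377204.345 10.0.0.9 GET http://www.example.com/index.html 200
"""


def classify_url(url):
    """Return 'c2', 'suspect' or None for a single URL.

    'c2'      : host is a listed C2 domain or a subdomain of one (high confidence).
    'suspect' : only the requested file name matches; update.exe is a common
                name, so these need analyst review rather than automatic action.
    """
    parts = urlparse(url)
    host = (parts.hostname or "").lower()
    if host and any(host == d or host.endswith("." + d) for d in C2_DOMAINS):
        return "c2"
    filename = parts.path.rsplit("/", 1)[-1].lower()
    if filename in C2_FILENAMES:
        return "suspect"
    return None


def scan_log(text):
    """Return a list of (client_ip, url, verdict) for lines that hit an indicator."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue            # malformed or truncated line; skip rather than crash
        client, url = fields[1], fields[3]
        verdict = classify_url(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


def infected_clients(text):
    """Clients that contacted a confirmed C2 domain, i.e. bots that reported in."""
    return sorted({client for client, _, verdict in scan_log(text) if verdict == "c2"})


if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:8} {client:10} {url}")
    print("confirmed infected:", infected_clients(SAMPLE_LOG))
```

Suffix matching is anchored on a leading dot so that an unrelated domain merely ending in the same characters does not match; the file-name-only hits are reported separately because a name like update.exe on its own is far too common to block on.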

History: Analysis and Write-up by: Michael St. Neitzel