Threat Encyclopedia


Win32/Spy.Agent.NRS

Aliases: TrojanDropper:Win32/Malf.gen (Microsoft), Generic Dropper!dag trojan (McAfee), W32/Dropper.gen8!Maximus (F-Prot)
Type of infiltration: Trojan
Size: 27648 B
Affected platforms: Microsoft Windows
Signature database version: 5051 (20100422)

Short description

Win32/Spy.Agent.NRS is a trojan which tries to promote certain web sites. The trojan is designed to deliver various advertisements to the user's system.

Installation

The trojan creates copies of the following files (source, destination):
  • %system%\ws2_32.dll, %system%\winsocket.dll
The trojan replaces the following files with a copy of itself or with another malware file:
  • %system%\ws2_32.dll (21504 B)
The trojan may create the following files:
  • %programfiles%\Internet Explorer\ws2_32.dll (21504 B)
  • %programfiles%\Mozilla Firefox\ws2_32.dll (21504 B)
The trojan may set the following Registry entries:
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Traditional]
    "stufftime" = %variable1%
    "hostkey" = %variable2%
    "referer" = %variable3%
    "excludekey" = %variable4%
    "stuffurl" = %variable5%
    "stuffhostkey" = %variable6%
A string with variable content is used instead of %variable1-6%.
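
A triage check for the file and Registry artifacts listed above, as an added PowerShell example that is not part of the original description or vendor tooling. It assumes %system% is the Windows system directory and, as a further assumption, also looks in SysWOW64 and WOW6432Node, where 64-bit Windows redirects 32-bit programs; a matching file size is only a weak indicator and needs confirmation by a scanner.

```powershell
# Added example (not vendor code): report artifacts listed under "Installation".
$DroppedSize = 21504   # size given in the description for the replaced/created ws2_32.dll
$ValueNames  = 'stufftime','hostkey','referer','excludekey','stuffurl','stuffhostkey'

function Get-NrsArtifact {
    # Assumption: SysWOW64 is checked too, because of 32-bit redirection on 64-bit Windows.
    $sysDirs = @([Environment]::SystemDirectory, (Join-Path $env:SystemRoot 'SysWOW64')) |
        Where-Object { Test-Path -LiteralPath $_ } | Select-Object -Unique
    foreach ($dir in $sysDirs) {
        # Copy of the original library that the trojan leaves behind
        $backup = Join-Path $dir 'winsocket.dll'
        if (Test-Path -LiteralPath $backup) {
            [pscustomobject]@{ Check = 'winsocket.dll copy present'; Item = $backup }
        }
        # System library whose size equals the listed replacement size
        $ws2 = Get-Item -LiteralPath (Join-Path $dir 'ws2_32.dll') -ErrorAction SilentlyContinue
        if ($ws2 -and $ws2.Length -eq $DroppedSize) {
            [pscustomobject]@{ Check = 'System ws2_32.dll has the listed size'; Item = $ws2.FullName }
        }
    }
    # Copies the description lists beside Internet Explorer and Mozilla Firefox
    $pfDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) |
        Where-Object { $_ } | Select-Object -Unique
    foreach ($pf in $pfDirs) {
        foreach ($app in 'Internet Explorer', 'Mozilla Firefox') {
            $path = Join-Path (Join-Path $pf $app) 'ws2_32.dll'
            $dll  = Get-Item -LiteralPath $path -ErrorAction SilentlyContinue
            if ($dll) {
                [pscustomobject]@{ Check = "ws2_32.dll in application folder ($($dll.Length) B)"; Item = $dll.FullName }
            }
        }
    }
    # Registry key from the description, plus its assumed 32-bit redirected location
    foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Traditional',
                     'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Traditional') {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue
        $hits  = @($props.PSObject.Properties.Name | Where-Object { $_ -in $ValueNames })
        [pscustomobject]@{ Check = "Registry key present (listed values: $($hits -join ', '))"; Item = $key }
    }
}

$found = @(Get-NrsArtifact)
if ($found.Count) { $found | Format-Table -AutoSize -Wrap } else { 'No listed artifacts found.' }
```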

Information stealing

The following information is collected:
  • list of disk devices and their type
The trojan can send the information to a remote machine.

Other information

The trojan acquires data and commands from a remote computer or the Internet.

The trojan contains a list of (2) URLs. The HTTP protocol is used.

It can execute the following operations:
  • run executable files