Threat Encyclopedia

Win32/Spy.Agent.NSO

Aliases: Trojan-Downloader.Win32.Tiny.cmq (Kaspersky), Trojan:Win32/Chymine.A (Microsoft), Backdoor.Trojan (Symantec)
Type of infiltration: Trojan
Size: 142848 B
Affected platforms: Microsoft Windows
Signature database version: 5302 (20100722)

Short description

Win32/Spy.Agent.NSO is a trojan that steals sensitive information. The trojan can send the information to a remote machine. The trojan is probably a part of other malware.

Installation

When executed, the trojan creates the following files:
  • %temp%\..\%variable1%.dll (126464 B)
  • %temp%\%variable2%.tmp
  • %allusersprofile%\rundll32
  • %system%\%variable3%.dll
The trojan creates copies of the following files (source, destination):
  • %system%\rundll32.exe, %temp%\..\%variable1%.exe
The trojan executes the following command:
  • %temp%\..\%variable1%.exe shell32.dll,Control_RunDLLA "%temp%\..\%variable1%.dll"
The following Registry entries are created:
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip]
    "Type" = 32
    "Start" = 2
    "ErrorControl" = 1
    "ImagePath" = "%systemroot%\system32\svchost.exe -k netsvcs"
    "DisplayName" = "Iprip"
    "ObjectName" = "LocalSystem"
    "Description" = "Iprip"
  • [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters]
    "ServiceDll" = ".%variable3%"
This causes the trojan to be executed on every system start.

A string with variable content is used instead of %variable1-3%.
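
The service-based persistence described above can be checked for on a host. The following is an added example, not part of the original entry or any vendor tool: it parses text saved from `reg query HKLM\SYSTEM\CurrentControlSet\Services /s` and reports the `ServiceDll` of an `Iprip` service whose values all match the ones listed. The function names are hypothetical and the sample input is constructed.

```python
import re

# Values listed in the write-up above (decimal: Type=32, Start=2, ErrorControl=1).
PROFILE = {"type": 32, "start": 2, "errorcontrol": 1, "objectname": "localsystem"}
SERVICES = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
SVCHOST = re.compile(r"\\svchost\.exe\s+-k\s+netsvcs$", re.I)
VALUE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*)$")

def parse_reg_query(text):
    """Parse `reg query <key> /s` text into {key_path: {value_name: data}}, names lowercased."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None and (m := VALUE.match(line)):
            name, kind, data = m.group(1).lower(), m.group(2), m.group(3).strip()
            current[name] = int(data, 16) if kind == "REG_DWORD" else data
    return keys

def check_service(keys, name="Iprip"):
    """Return the service name and ServiceDll to review if every listed value matches, else None."""
    svc = keys.get(SERVICES + name.lower())
    if svc is None or any(str(svc.get(k, "")).lower() != str(v) for k, v in PROFILE.items()):
        return None
    if not SVCHOST.search(svc.get("imagepath", "").strip()):
        return None
    # The write-up shows DisplayName and Description both set to the key name.
    if {svc.get("displayname"), svc.get("description")} != {name}:
        return None
    params = keys.get(SERVICES + name.lower() + "\\parameters", {})
    return {"service": name, "servicedll": params.get("servicedll")}

# Constructed sample of `reg query` output; the DLL path is a placeholder.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip
    Type    REG_DWORD    0x20
    Start    REG_DWORD    0x2
    ErrorControl    REG_DWORD    0x1
    ImagePath    REG_EXPAND_SZ    %systemroot%\system32\svchost.exe -k netsvcs
    DisplayName    REG_SZ    Iprip
    ObjectName    REG_SZ    LocalSystem
    Description    REG_SZ    Iprip

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Iprip\Parameters
    ServiceDll    REG_EXPAND_SZ    C:\constructed\placeholder.dll
"""

if __name__ == "__main__":
    print(check_service(parse_reg_query(SAMPLE)))
```

A match is a lead for review, not a verdict: the reported `ServiceDll` file still has to be examined, since its name varies per infection.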

Information stealing

Win32/Spy.Agent.NSO is a trojan that steals sensitive information.

The trojan acquires data and commands from a remote computer or the Internet. The trojan contains a URL. The HTTP protocol is used.

The following information is collected:
  • operating system version
  • CPU information
  • installed software
  • computer name
  • list of disk devices and their type
It may perform the following actions:
  • log keystrokes
  • capture webcam video/voice
The trojan can send the information to a remote machine.