Virus: TR/NSAnti.B.9
Date discovered: 01/08/2006
Type: Trojan
In the wild: No
Reported Infections: Low
Distribution Potential: Low
Damage Potential: Low to medium
Static file: Yes
File size: 28.816 Bytes
MD5 checksum: 051c235f29cb1d2d0Ebc499df81e83e9
VDF version: 6.35.01.29 - Tuesday, August 1, 2006
IVDF version: 6.35.01.29 - Tuesday, August 1, 2006

General
Method of propagation:
   • No own spreading routine


Aliases:
   •  Symantec: Infostealer.Lineage
   •  Kaspersky: Trojan-PSW.Win32.QQPass.hd
   •  Bitdefender: Trojan.NSAnti.B


Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003


Side effects:
   • Drops a file
   • Drops a malicious file
   • Records keystrokes
   • Registry modification
   • Steals information

Files
It copies itself to the following location:
   • %SYSDIR%\SVCH0ST.EXE



The following files are created:

%SYSDIR%\mmdat.dat This is a non-malicious text file with the following content:
   • %malware execution directory%\%executed file%

%SYSDIR%\ntdll32.dll Further investigation showed that this file is also malware. Detected as: TR/Spy.Agent.ct.4.A

Registry
The following registry key is added in order to run the process after reboot:

– HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   • "SVCHOST"="%SYSDIR%\SVCH0ST.EXE"



The following registry key is added (it replaces the default open command for .exe files, so the trojan is started whenever an executable is launched and passes the original command line on with %1 %*):

– HKCR\exefile\shell\open\command
   • "(Default)"="%SYSDIR%\SVCH0ST.EXE %1 %*"
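A defender-side check for the two registry indicators above, as an added example that is not part of the original description: it parses a constructed .reg export (sample data, not a real system) and flags a RunServices autostart pointing at the svchost look-alike SVCH0ST.EXE (spelled with a digit zero) and an exefile open command that differs from the stock Windows value `"%1" %*`. The sample paths and the stock default value are assumptions.

```python
import re

# Registry locations named in the description (compared case-insensitively).
RUNSERVICES_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices"
EXEFILE_KEY = r"HKEY_CLASSES_ROOT\exefile\shell\open\command"
EXEFILE_DEFAULT = '"%1" %*'  # assumed stock value of the exefile open command
LOOKALIKE = re.compile(r"svch0st\.exe", re.IGNORECASE)  # digit zero mimicking svchost.exe

# Constructed .reg export reproducing the two changes listed above (not a real capture).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices]
"SVCHOST"="C:\\WINDOWS\\system32\\SVCH0ST.EXE"

[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\WINDOWS\\system32\\SVCH0ST.EXE %1 %*"
'''

# Constructed clean export: the untouched exefile open command.
CLEAN_REG = r'''[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="\"%1\" %*"
'''

def parse_reg(text):
    """Return {key(lower): {value_name: data}} for the string values of a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
                # .reg escapes backslashes and quotes inside string data
                keys[current][name] = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return keys

def scan_reg_export(text):
    """Return a list of (key, value_name, reason) findings for the indicators above."""
    findings, keys = [], parse_reg(text)
    for name, data in keys.get(RUNSERVICES_KEY.lower(), {}).items():
        if LOOKALIKE.search(data):
            findings.append((RUNSERVICES_KEY, name, "RunServices autostart points at svchost look-alike: " + data))
    cmd = keys.get(EXEFILE_KEY.lower(), {}).get("(Default)")
    if cmd is not None and cmd != EXEFILE_DEFAULT:
        findings.append((EXEFILE_KEY, "(Default)", "exefile open command hijacked: " + cmd))
    return findings
```

On a live host the same checks can be run against the output of `reg export` for the two keys.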

Email
It has no spreading routine of its own, but it can send an email, most likely to the author. The characteristics are described below:


From:
The sender address is spoofed.
The sender of the email is the following:
   • 96262@96262.net <96262@96262.net>


To:
The recipient of the email is the following:
   • 665951@QQ.com <665951@QQ.com>


Subject:
The following:
   • %random character string%



Body:

   • %stolen information%



Stealing
It tries to steal the following information:
– Passwords typed into 'password input fields'

– It captures:
    • Window information

Miscellaneous
It creates the following mutexes:
   • "MimaThief"
   • "MMSHARED"

File details
Programming language:
The malware program was written in MS Visual C++.


Runtime packer:
To hinder detection and reduce the file size, it is packed with a runtime packer.

Description inserted by Marius T. Nicolae on Wednesday, August 9, 2006
Description updated by Marius T. Nicolae on Wednesday, August 23, 2006
