Full description

Virus:	TR/PSW.Nilage.abh.1
Date discovered:	01/12/2006
Type:	Trojan
In the wild:	No
Reported Infections:	Low
Distribution Potential:	Low
Damage Potential:	Medium
Static file:	Yes
File size:	44.217 Bytes
MD5 checksum:	9934b38446510bf7518207a0da22631c
VDF version:	6.36.01.114
IVDF version:	6.36.01.119 - Friday, December 1, 2006

General Method of propagation:
   • No own spreading routine

Aliases:
   • Kaspersky: Trojan-PSW.Win32.Nilage.abh
   • F-Secure: Trojan-PSW.Win32.Nilage.abh
   • Eset: Win32/PSW.Legendmir

Platforms / OS:
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Drops a file
   • Lowers security settings
   • Registry modification
   • Steals information

Files It copies itself to the following locations:
   • %WINDIR%\SERVICES.EXE
   • %SYSDIR%\rundll32.com
   • %SYSDIR%\finder.com
   • %WINDIR%\finder.com
   • %SYSDIR%\command.pif
   • %PROGRAM FILES%\Internet Explorer\iexplore.com
   • %PROGRAM FILES%\Common Files\iexplore.pif
   • %WINDIR%\explorer.com
   • %WINDIR%\1.com
   • %WINDIR%\ExERoute.exe
   • %SYSDIR%\MSCONFIG.COM
   • %SYSDIR%\dxdiag.com
   • %SYSDIR%\regedit.com
   • %WINDIR%\Debug\DebugProgram.exe
   • D:\pagefile.pif

The following file is created:

– D:\autorun.inf This is a non malicious text file with the following content:
   • [autorun]
     OPEN=D:\pagefile.pif

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • "Torjan Program"="%WINDIR%\SERVICES.EXE"

The following registry keys are added:

– [HKCR\winfiles]
– [HKCR\winfiles\DefaultIcon]
   • @="%1"

– [HKCR\winfiles\Shell\Open\Command]
   • @="%WINDIR%\ExERoute.exe "%1" %*"

The following registry keys are changed:

– [HKCU\Software\Microsoft\Internet Explorer\Main]
   Old value:
   • "Check_Associations"=%user defined settings%
   New value:
   • "Check_Associations"="No"

– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe 1"

– [HKCR\.exe]
   Old value:
   • @="exefiles"
   New value:
   • @="winfiles"

– [HKLM\SOFTWARE\Classes\htmlfile\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" -nohome"
   New value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.com" -nohome"

– [HKCR\Applications\iexplore.exe\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" %1"
   New value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"

– [HKCR\CLSID\{871C5380-42A0-1069-A2EA-08002B30309D}\shell\
   OpenHomePage\Command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe""
   New value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.com""

– [HKCR\ftp\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" %1"
   New value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"

– @=""%PROGRAM FILES%\Internet Explorer\iexplore.com" %1"
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" -nohome"
   New value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.com" -nohome"

– [HKCR\htmlfile\shell\opennew\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" %1"
   New value:
   • @=""%PROGRAM FILES%\common~1\iexplore.pif" %1"

– [HKCR\http\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" -nohome"
   New value:
   • @=""%PROGRAM FILES%\common~1\iexplore.pif" -nohome"

– [HKLM\SOFTWARE\Classes\http\shell\open\command]
   Old value:
   • @=""%PROGRAM FILES%\Internet Explorer\iexplore.exe" -nohome"
   New value:
   • @=""%PROGRAM FILES%\common~1\iexplore.pif" -nohome"

Process termination Processes with one of the following strings are terminated:
   • RAVMON; TROJDIE; KPOP; CCENTER; ASSISTSE; KPFW; AGENTSVR; KV; KREG;
      IEFIND; IPARMOR; SVI.EXE; UPHC; RULEWIZE; FYGT; RFWSRV; RFWMA; TROJAN;
      MMSK

Stealing It tries to steal the following information:

– Passwords from the following programs:
   • World of Old Oriental Legends
   • World of Warcraft
   • Zhengtu

– A logging routine is started after one of the following websites are visited:
   • us.logon.worldofwarcraft.com
   • eu.logon.worldofwarcraft.com
   • tw.logon.worldofwarcraft.com

– It captures:
    • Login information

File details Programming language:
The malware program was written in Visual Basic.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with the following runtime packer:
• NSPack

Description inserted by Adriana Popa on Thursday, January 4, 2007
Description updated by Adriana Popa on Friday, January 5, 2007

Back . . . .

Featured PC protection

Free products

Most popular

All products

Bundled Solutions

Workstation

Server

Bundled Solutions

Mail Gateways

Web Gateways

Collaboration Platforms

Home Products

Business Products

Virus Lab

More Support

Become an Avira Partner

Home Products

Business Products

Just want to evaluate a product?

Manuals and Tools