Avira Virus Lab

DDoS/Nitol.A.336

  • Name
    DDoS/Nitol.A.336
  • Date discovered
    Oct 6, 2015
  • Type
    Malware
  • Impact
    Medium
  • Reported Infections
    Low
  • Operating System
    Windows
  • VDF version
    7.11.63.68 (2013-03-01 15:46)


The term 'DDOS' denotes a program that is able to perform distributed denial-of-service attacks, for example against specific Internet sites.

  • Aliases
    Avast: Win32:Agent-ATKL
    AVG: Generic18.MDX
    ClamAV: Trojan.MicroFake-1
    Dr. Web: Trojan.DownLoader13.1900
    F-PROT: W32/MalwareF.YMPW (exact)
    McAfee: Generic.oa
    Trend Micro: WORM_MICROFAKE.B
    Microsoft: DDoS:Win32/Nitol
    G Data: Trojan.Microfake.D
    Kaspersky Lab: Trojan.Win32.MicroFake.ba
    Bitdefender: Trojan.Microfake.D
    ESET: Win32/Agent.RNS trojan
  • Files
    The following files are created:
    • %SYSDIR%\aaaaaa.exe
    • %SYSDIR%\hra33.dll
    The following files are renamed:
    • %TEMPDIR%\hrl2.tmp
    • %DISKDRIVE%\RCX3.tmp
    The following files are deleted:
    • %SYSDIR%\hra33.dll
    The following copies of itself are created:
    • %DISKDRIVE%\RCX3.tmp
    • %DISKDRIVE%\Documents and Settings\All Users\Application Data\Adobe\Reader\9.2\ARM\lpk.dll
    • %TEMPDIR%\Microsoft .NET Framework 4 Setup_4.0.30319\lpk.dll
    • %TEMPDIR%\lpk.dll
    • %TEMPDIR%\{62198C42-974B-4F90-9AD2-12763AB58C97}~setup\lpk.dll
    • %temporary internet files%\Content.IE5\5KMEPSXE\lpk.dll
    • %temporary internet files%\Content.IE5\LV2JIAKP\lpk.dll
    • %temporary internet files%\Content.IE5\QH9ZEEV0\lpk.dll
    • %DISKDRIVE%\hips\lpk.dll
    • %DISKDRIVE%\incoming\lpk.dll
    • %DISKDRIVE%\lpk.dll
    • %PROGRAM FILES%\Adobe\Reader 9.0\Reader\lpk.dll
    • %PROGRAM FILES%\Adobe\Reader 9.0\Setup Files\{AC76BA86-7AD7-1033-7B44-A92000000001}\lpk.dll
    • %PROGRAM FILES%\Common Files\Adobe\ARM\1.0\lpk.dll
    • %PROGRAM FILES%\Common Files\Adobe\Updater6\lpk.dll
    • %PROGRAM FILES%\Common Files\Java\Java Update\lpk.dll
    • %PROGRAM FILES%\Common Files\Microsoft Shared\DW\lpk.dll
    • %PROGRAM FILES%\Common Files\Microsoft Shared\MSInfo\lpk.dll
    • %PROGRAM FILES%\Common Files\Microsoft Shared\Speech\lpk.dll
    • %PROGRAM FILES%\FileZilla Server\lpk.dll
    • %PROGRAM FILES%\Internet Explorer\Connection Wizard\lpk.dll
    • %PROGRAM FILES%\Internet Explorer\lpk.dll
    • %PROGRAM FILES%\Java\jre6\bin\lpk.dll
    • %PROGRAM FILES%\Messenger\lpk.dll
    • %PROGRAM FILES%\Movie Maker\lpk.dll
    • %PROGRAM FILES%\Mozilla Firefox\lpk.dll
    • %PROGRAM FILES%\Mozilla Firefox\uninstall\lpk.dll
    • %PROGRAM FILES%\MSN\MSNCoreFiles\Install\MSN9Components\lpk.dll
    • %PROGRAM FILES%\MSN\MSNCoreFiles\Install\lpk.dll
    • %PROGRAM FILES%\MSN Gaming Zone\Windows\lpk.dll
    • %PROGRAM FILES%\NetMeeting\lpk.dll
    • %PROGRAM FILES%\Outlook Express\lpk.dll
    • %PROGRAM FILES%\VMware\VMware Tools\lpk.dll
    • %PROGRAM FILES%\Windows Media Player\lpk.dll
    • %PROGRAM FILES%\Windows NT\Accessories\lpk.dll
    • %PROGRAM FILES%\Windows NT\lpk.dll
    • %PROGRAM FILES%\Windows NT\Pinball\lpk.dll
    • %PROGRAM FILES%\WinPcap\lpk.dll
    • %DISKDRIVE%\totalcmd\lpk.dll
    The following files are changed:
    • %DISKDRIVE%\Documents and Settings\LocalService\Local Settings\Temporary Internet Files\Content.IE5\index.dat
    • %DISKDRIVE%\Documents and Settings\LocalService\Cookies\index.dat
    • %DISKDRIVE%\Documents and Settings\LocalService\Local Settings\History\History.IE5\index.dat
  • Injections
    • %SYSDIR%\svchost.exe
  • Registry
    The following registry entries are added:
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pBrcKfgDa ("Type": dword:00000010; "Start": dword:00000002; "ErrorControl": dword:00000000; "ImagePath": "%SYSDIR%\aaaaaa.exe"; "DisplayName": "2W7Gcy7QuU2p3R"; "ObjectName": "LocalSystem")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pBrcKfgDa\Security ("Security": %hex values%)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PBRCKFGDA ("NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PBRCKFGDA\0000 ("Service": "pBrcKfgDa"; "Legacy": dword:00000001; "ConfigFlags": dword:00000000; "Class": "LegacyDriver"; "ClassGUID": "{8ECC055D-047F-11D1-A537-0000F8753ED1}"; "DeviceDesc": "2W7Gcy7QuU2p3R")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_PBRCKFGDA\0000\Control ("*NewlyCreated*": dword:00000000; "ActiveService": "pBrcKfgDa")
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pBrcKfgDa\Enum ("0": "Root\LEGACY_PBRCKFGDA\0000"; "Count": dword:00000001; "NextInstance": dword:00000001)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\ServiceCurrent (@: dword:0000000f)
    • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\pBrcKfgDa ("Description": "QdzAkD1pfhNNN0jRXuYDqGFcf24khh")
