TROJ_NITOL.BE

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes then deletes itself afterward.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats.

Arrival Details

This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This Trojan drops the following files:

• %System%\{random file name}.dll

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It executes then deletes itself afterward.

Autostart Technique

This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\{random}\Parameters
ServiceDll = "%System%\{random filename}.dll"

Other System Modifications

This Trojan adds the following registry entries as part of its installation routine:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\{random}
Description = "netsvcs_0x0aaaaaaaaaaaaaaaaaaa"

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\{random}\Parameters
ServiceMain = "StartRouter"

Download Routine

This Trojan connects to the following malicious URLs:

• {BLOCKED}.{BLOCKED}.175.208