TROJ_NITOL.CU
DDoS:Win32/Nitol.A (Microsoft); Trojan.Win32.ServStart (Ikarus); Trojan.Nitol.A 20150703 (CAT-QuickHeal); TrojWare.Win32.Nitol.AHQ (Comodo); Trojan.Win32.Nitol.b (v) (AVware)
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %WINDOWS%\{random filename}.exe
Autostart Technique
This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl
ImagePath = "%WINDOWS%\{random filename}.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl
DisplayName = "Stuvwx Abcdefgh Jklmnopq Stuv"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl
Start = "2"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl
Description = "Stuvwxya Cdefghijk Mnopqrs Uvwxyabc Efg"
It registers as a system service to ensure its automatic execution at every system startup by adding the following registry keys:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Stuvwx Abcdefgh Jkl
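The service entries above give a defender two concrete things to look for: an auto-start service (Start = 2) whose ImagePath points at an executable sitting directly in the Windows folder rather than in System32, and a service whose display name and description are made-up words with no vendor string. The following PowerShell script is an added triage example, not code from this Trend Micro entry or from the Nitol family; it walks HKLM\SYSTEM\CurrentControlSet\Services, applies that heuristic, and adds the Authenticode status of the binary so an analyst can separate legitimate entries from suspicious ones. The heuristic (binary placed directly under %WINDOWS%) is an assumption drawn from the ImagePath listed above; it is a triage aid, not a signature.

```powershell
# Added example (not part of the Trend Micro entry): list auto-start services whose
# service binary lives directly in the Windows folder, the placement this entry
# describes for the dropped copy. The "directly under %WINDOWS%" rule is an assumption
# based on the listed ImagePath; legitimate services almost always live in System32.

$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$WinDir      = [System.Environment]::GetFolderPath('Windows')

function Get-ServiceBinaryPath {
    # Reduce a raw ImagePath value to the executable path: expand %SystemRoot%-style
    # variables, honour surrounding quotes, then drop any arguments after the .exe.
    param([string]$ImagePath)
    $p = [System.Environment]::ExpandEnvironmentVariables($ImagePath).Trim()
    $p = $p -replace '^"([^"]+)".*$', '$1'
    $p = $p -replace '(?i)^(.+?\.exe)\b.*$', '$1'
    return $p
}

function Get-SuspiciousAutoStartServices {
    param([string]$Path = $ServicesKey)

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props -or [string]::IsNullOrEmpty($props.ImagePath)) { return }

        $image = Get-ServiceBinaryPath -ImagePath $props.ImagePath
        if ($image -notmatch '(?i)\.exe$') { return }          # skip kernel drivers etc.

        $parent    = Split-Path -Path $image -Parent
        $inWinRoot = ($parent -ieq $WinDir)                      # e.g. C:\Windows\abcd.exe
        $autoStart = ($props.Start -eq 2)
        if (-not ($inWinRoot -and $autoStart)) { return }

        # Signature status is context for the analyst; the dropped copy is unlikely
        # to carry a valid signature, while Microsoft binaries in this folder do.
        $sig = if (Test-Path -LiteralPath $image) {
            (Get-AuthenticodeSignature -FilePath $image).Status.ToString()
        } else { 'FileMissing' }

        [PSCustomObject]@{
            Service     = $_.PSChildName
            DisplayName = $props.DisplayName
            Description = $props.Description
            ImagePath   = $image
            Start       = $props.Start
            Signature   = $sig
        }
    }
}

# Usage: run from a PowerShell prompt on the host being triaged.
Get-SuspiciousAutoStartServices | Format-Table -AutoSize
```

Anything this returns with Signature other than Valid, a display name that is not a recognisable product, and a binary directly in the Windows folder matches the pattern documented in this entry and is worth pulling for analysis; a valid Microsoft signature on the binary is the usual reason a hit turns out to be benign.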
Other Details
This Trojan connects to the following possibly malicious URL:
- {BLOCKED}gk.{BLOCKED}njkc.com:8090
- {BLOCKED}kc.ddns.net
It deletes itself after execution.