TROJ_NITOL.LS
Windows
Threat Type: Trojan
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
It deletes itself after execution.
TECHNICAL DETAILS
Arrival Details
This Trojan arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.
Installation
This Trojan drops the following copies of itself into the affected system and executes them:
- %System%\{random filename}.exe
(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)
Autostart Technique
This Trojan registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\aspnet_statesbot
ImagePath = "%System%\{random filename}.exe"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\
Services\aspnet_statesbot
DisplayName = "ASP.NET State Servicesnmx Transaction Coordinator Service"
Other Details
This Trojan connects to the following possibly malicious URL:
- rat2.{BLOCKED}li.com
- rat3.{BLOCKED}li.com
- rat4.{BLOCKED}li.com
- whq2222.{BLOCKED}2.org
It deletes itself after execution.