Win32/PSW.Agent.NSN [Threat Name] go to Threat

Win32/PSW.Agent.NSN [Threat Variant Name]

Category trojan,worm
Size 323048 B
Aliases Trojan.Win32.Mepaow.lgg (Kaspersky)
  HackTool:Win32/MessenPass (Microsoft)
  Trojan.Gen (Symantec)
Short description

Win32/PSW.Agent.NSN is a worm that spreads via removable media. The file is run-time compressed using PEtite .


When executed the worm copies itself in the following locations:

  • %windir%\­drivers\­ATI.exe
  • %temp%\­internet explorer\­iexplorer.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "ATI" = "%windir%\­drivers\­ATI.exe"

The worm creates the following files:

  • %temp%\­internet explorer\­photoe007.jpg (16707 B)
  • %temp%\­internet explorer\­video.avi (66377 B, Win32/MPass.A)

The files are then executed.

Spreading on removable media

Win32/PSW.Agent.NSN is a worm that spreads via removable media.

The worm copies itself into the root folders of removable drives using the following name:

  • photoe007.scr
Information stealing

Win32/PSW.Agent.NSN is a worm that steals passwords and other sensitive information.

The worm collects the following information:

  • login user names for certain applications/services
  • login passwords for certain applications/services

The following programs are affected:

  • AIM
  • AIM Pro.
  • AOL Instant Messenger
  • Digsby
  • GAIM/Pidgin
  • Google Talk
  • ICQ Lite
  • Miranda
  • MSN Messenger
  • MySpace IM
  • PaltalkScene
  • Trillian
  • Trillian Astra
  • Windows Live Messenger (In Windows XP/Vista/7)
  • Windows Messenger
  • Yahoo Messenger

The worm can send the information to a remote machine.

The worm contains a list of (1) addresses. The TCP protocol is used.

Other information

It can execute the following operations:

  • capture screenshots
  • send gathered information

The worm displays the following picture:

Please enable Javascript to ensure correct displaying of this content and refresh this page.