Win32/PSW.Agent.NVG [Threat Name] go to Threat

Win32/PSW.Agent.NVG [Threat Variant Name]

Category trojan
Size 1549776 B
Aliases Dropper.Agent.AYMH.trojan (AVG)
  TR/Spy.1549776 (Avira)
  Trojan.ADH.2 (Symantec)
Short description

Win32/PSW.Agent.NVG is a trojan that steals sensitive information. The trojan attempts to send gathered information to a remote machine. The trojan is usually bundled within installation packages of various legitimate software. The file is run-time compressed using UPX .

Installation

When executed, the trojan copies itself in some of the the following locations:

  • %temp%\­..\­flash.exe
  • %temp%\­..\­..\­Roaming\­Microsoft\­Windows\­Start Menu\­Programs\­Startup\­flash.exe

In order to be executed on every system start, the trojan sets the following Registry entry:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "flash.exe" = "%temp%\­..\­flash.exe"

The trojan creates the following file:

  • %temp%\­..\­%originalmalwarefilename% (999840 B)

The file is then executed.


The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Policies\­System]
    • "EnableLUA" = 0
    • "PromptOnSecureDesktop" = 0
  • [HKEY_LOCAL_MACHINE\­SOFTWARE\­Microsoft\­Security Center]
    • "AntiVirusDisableNotify" = 1
    • "FirewallDisableNotify" = 1
    • "UpdatesDisableNotify" = 1
Information stealing

The trojan searches local drives for files with the following file extensions:

  • .3gp
  • .avi
  • .doc
  • .jpg
  • .mov
  • .mp4
  • .wmv

The trojan attempts to send the found files to a remote machine. The FTP protocol is used.

Other information

The trojan contains a list of (1) addresses.


It tries to download a file from the address. The FTP protocol is used.


The trojan creates the following files:

  • %temp%\­ftp.txt
  • %temp%\­..\­flash.log
  • %temp%\­..\­flash.dl

The trojan executes the following commands:

  • ftp -s:"%temp%\­ftp.txt"
  • cmd.exe /c netsh advfirewall firewall delete rule name=all dir=in program="%systemroot%\­system32\­ftp.exe" protocol=TCP
  • cmd.exe /c netsh advfirewall firewall delete rule name=all dir=in program="%systemroot%\­system32\­ftp.exe" protocol=UDP
  • cmd.exe /c netsh advfirewall firewall delete rule name=all dir=in program="%systemroot%\­syswow64\­ftp.exe" protocol=TCP
  • cmd.exe /c netsh advfirewall firewall delete rule name=all dir=in program="%systemroot%\­syswow64\­ftp.exe" protocol=UDP
  • cmd.exe /c netsh advfirewall firewall add rule name="Logiciel de transfert de fichiers" dir=in action=allow program="%systemroot%\­system32\­ftp.exe" protocol=TCP
  • cmd.exe /c netsh advfirewall firewall add rule name="Logiciel de transfert de fichiers" dir=in action=allow program="%systemroot%\­system32\­ftp.exe" protocol=UDP
  • cmd.exe /c netsh advfirewall firewall add rule name="Logiciel de transfert de fichiers" dir=in action=allow program="%systemroot%\­syswow64\­ftp.exe" protocol=TCP
  • cmd.exe /c netsh advfirewall firewall add rule name="Logiciel de transfert de fichiers" dir=in action=allow program="%systemroot%\­syswow64\­ftp.exe" protocol=UDP
  • cmd.exe net stop wscsvc
  • cmd.exe netsh firewall set opmode disable

Please enable Javascript to ensure correct displaying of this content and refresh this page.