Win32/TrojanDropper.Agent.NGH [Threat Name]

Win32/TrojanDropper.Agent.NGH [Threat Variant Name]

Category trojan
Size 43552 B
Aliases Trojan.Win32.Agent.awc (Kaspersky)
  Trojan.Horse (Symantec)
  Generic.dx.trojan (McAfee)
Short description

Win32/TrojanDropper.Agent.NGH is a trojan that steals passwords and other sensitive information. The trojan can send the information to a remote machine.

Installation

When executed, the trojan drops the following file into the %temp% folder:

  • icq_smile.exe (30182 B)

The file is then executed.


The following Registry entry is set:

  • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
    • "%temp%\icq_smile.exe" = "%temp%\icq_smile.exe:*:Enabled:Enabled"

This entry adds the dropped file to the Windows Firewall list of authorized applications (the value format is path, scope, mode and display name; "*" means all networks and "Enabled" means the exception is active), so the firewall will not block the dropped file's network traffic. Note that the entry is written under ControlSet001 rather than CurrentControlSet; it affects the running configuration only if ControlSet001 is the control set currently in use.
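The following script is an added example, not part of this encyclopedia entry and not ESET's tooling. It parses legacy Windows Firewall AuthorizedApplications\List values into their four fields and flags entries that look like the one above: an executable living in a temporary directory, or a display name that is just a copy of the mode field. The sample list is constructed for the example; the msmsgs.exe entry is an assumed benign entry included for contrast.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Regex for the legacy firewall-exception value format:
#   "<exe path>:<scope>:<Enabled|Disabled>:<display name>"
# The path is matched non-greedily and the pattern is anchored, so a
# drive-letter colon ("C:\...") is not mistaken for a field separator.
ENTRY_RE = re.compile(
    r"^(?P<path>.+?):(?P<scope>[^:]*):(?P<mode>Enabled|Disabled):(?P<name>.*)$"
)

# Path fragments that indicate a temporary or user-writable staging directory.
# Legitimate software rarely registers a persistent exception from these.
TEMP_MARKERS = (
    "%temp%", "%tmp%", "\\temp\\", "\\tmp\\",
    "\\local settings\\temp\\", "\\appdata\\local\\temp\\",
)


@dataclass
class Finding:
    value_name: str
    exe_path: str
    scope: str
    mode: str
    display_name: str
    reasons: List[str] = field(default_factory=list)


def parse_entry(value_name: str, value_data: str) -> Finding:
    """Split one AuthorizedApplications\\List value into its four fields."""
    m = ENTRY_RE.match(value_data)
    if m is None:
        raise ValueError(f"unexpected firewall entry format: {value_data!r}")
    return Finding(value_name, m["path"], m["scope"], m["mode"], m["name"])


def assess_entry(value_name: str, value_data: str) -> Finding:
    """Parse an entry and attach the reasons it looks suspicious (empty if benign)."""
    f = parse_entry(value_name, value_data)
    low = f.exe_path.lower()
    if any(marker in low for marker in TEMP_MARKERS):
        f.reasons.append("executable is in a temporary directory")
    if low != f.value_name.lower():
        f.reasons.append("value name does not match the executable path")
    if f.display_name.strip() == "" or f.display_name.lower() in ("enabled", "disabled"):
        f.reasons.append("display name is empty or a copy of the mode field")
    return f


def scan(entries: Dict[str, str]) -> List[Finding]:
    """Return only the entries that have at least one reason to be flagged."""
    return [f for f in (assess_entry(n, d) for n, d in entries.items()) if f.reasons]


# Constructed sample of the List key: the first entry is the one documented on
# this page, the second is an assumed benign entry added for contrast.
SAMPLE_LIST = {
    r"%temp%\icq_smile.exe": r"%temp%\icq_smile.exe:*:Enabled:Enabled",
    r"C:\Program Files\Messenger\msmsgs.exe":
        r"C:\Program Files\Messenger\msmsgs.exe:*:Enabled:Windows Messenger",
}

if __name__ == "__main__":
    for finding in scan(SAMPLE_LIST):
        print(finding.exe_path, "(scope:", finding.scope, "mode:", finding.mode + ")")
        for reason in finding.reasons:
            print("  -", reason)
```

On a live system the same check can be run over the values exported from the key listed above (and from CurrentControlSet and any other ControlSet00N present), since a dropper may write to a control set that is not the active one.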

Information stealing

Win32/TrojanDropper.Agent.NGH steals passwords and other sensitive information. The trojan collects passwords and other information related to the following applications:

  • The Bat!
  • ICQ
  • Miranda IM
  • &RQ
  • Trillian IM
  • RASDIAL
  • Total Commander
  • Windows Commander
  • Becky! Internet Mail
  • Microsoft Outlook
  • Outlook Express
  • CuteFTP
  • E-Dialer
  • Far
  • WS_FTP Professional
  • Opera
  • Mozilla Firefox
  • QIP
  • Mozilla Thunderbird
  • Mail.Ru
  • Eudora
  • Punto Switcher
  • Gaim
  • FileZilla
  • FlashFXP
  • Windows Live Messenger
  • VDialer
  • SmartFTP
  • Direct FTP
  • RapGet
  • Rapidshare Instant Downloader
  • Universal Share Downloader
  • Windows Remote Desktop

The trojan can send the collected information to a remote machine.

The trojan contains a list of one URL. The HTTP protocol is used.

Other information

The trojan interferes with the operation of some security applications to avoid detection.


The trojan may create the following files:

  • %temp%\ADDINGPADDINGXXPADDINGPADDINGXXPADDINGPADDINGXXPAD
  • %system%\%variable%.sys

A string with variable content is used instead of %variable%.
