Name:

TrojanDownloader.Nekotimed.a

Added:

February 16, 2012

Type:

Trojan

Risk:

Low

Payload:

N/A

At risk systems:

Windows 95/98/ME/XP/NT/2003

Malware problems?   We can help.  Free Removal Tools.

Description:

When TrojanDownloader.Nekotimed.a is executed, it performs the following activities:

After execution, it drops the following files:
%windir%\system32\-101-163876
%windir%s\ystem32\-85-163876
%windir%\system32\067o.dll
%windir%\system32\17bc
%windir%\system32\6d6d.exe
%windir%\system32\6d6e.dll
%windir%\Tasks\ms.job
%windir%\c16d.exe
%windir%\c16d.flv
%windir%\c16u.bmp

It modifies/creates the following registry entries:

ImagePath = "%windir%system32\6d6d.exe"
HKLM\SYSTEM\ControlSet001\Services\OSTD

EventMessageFile = "%windir%system32\6d6d.exe"
HKLM\SYSTEM\CurrentControlSet\Services\Eventlog\Application\OSTD

InprocServer32\ =  "%windir%system32\067o.dll"
HKLM\SOFTWARE\Classes\CLSID\{FCAA0766-15FC-4aec-A010-F4605D272581}

1.0\0\win32\ = "%windir%system32\067o.dll"
HKLM\SOFTWARE\Classes\TypeLib\{8A4F328C-C9F4-4449-A0DF-A756A6B52ABF}

plc = "%windir%system32\rundll32.exe %windir%system32/6d6e.dll,Always"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

shen Trojan.Mutant.j is executed, it performs the following activities:

After execution, it drops the following files:

%appdata%\0ufx5kllao.exe
%temp%\cdfss
%temp%\sdn4573.tmp
%temp%\sdn8365.tmp
%temp%\sdn94C.tmp
%System%\drivers\wcscd.sys
%Windir%\Temp\sdn442B.tmp
%Windir%\Temp\sdn8757.tmp


It modifies/creates the following registry entries:

0ufx5kllao = "%Appdata%\0ufx5kllao.exe"
HKU\\Software\Microsoft\Windows\CurrentVersion\Run

ImagePath = "%System%\drivers\wcscd.sys"
HKLM\System\CurrentControlSet\Services\wcscd

ImagePath = "%temp%\cdfss"
HKLM\System\CurrentControlSet\Services\cdfss