Backdoor.Nithsys


Discovered: April 18, 2006
Updated: April 27, 2006 12:39:59 PM
Also Known As: PWSteal.Trojan [Symantec]
Systems Affected: Windows

Backdoor.Nithsys is a Trojan horse that opens a back door on the compromised computer. It is dropped by Trojan.PPDropper. (MCID 7528)

Antivirus Protection Dates

  • Initial Rapid Release version April 27, 2006
  • Latest Rapid Release version June 06, 2017 revision 022
  • Initial Daily Certified version April 27, 2006
  • Latest Daily Certified version June 07, 2017 revision 002
  • Initial Weekly Certified release date April 19, 2006


When the Trojan is first installed, it creates the following files:
%System%\wbem\wmiadapt.exe
%System%\systhin.dll

The Trojan may then create the following registry entries so that it is executed every time Windows starts:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\"shell" = "Explorer.exe %System%\wbem\wmiadapt.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"[RANDOM NAME]" = "[PATH TO FILE]"

The Trojan injects %System%\systhin.dll into the svchost.exe system process.

The Trojan then attempts to contact the following remote host using TCP port 6004:
6004.ugly.as

The threat may download and execute a remote file which is saved on the compromised computer as:
%System%\systanten.exe
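As an added example (not part of the Symantec writeup), the following Python triage helper checks the artifacts listed above: extra entries in the Winlogon "Shell" value, the dropped and downloaded files under the system directory, and connections to the listed host and port. The system directory path and all sample data are constructed assumptions.

```python
import ntpath
import re

# File and network artifacts named in the writeup (paths relative to %System%).
NITHSYS_FILES = {r"wbem\wmiadapt.exe", "systhin.dll", "systanten.exe"}
NITHSYS_C2 = ("6004.ugly.as", 6004)


def shell_value_extras(shell_value):
    """Entries in a Winlogon 'Shell' value other than explorer.exe.

    A stock Windows install has exactly 'explorer.exe'; Winlogon launches every
    listed entry, so anything extra (here %System%\\wbem\\wmiadapt.exe) is a
    persistence mechanism. Entries may be comma- or space-separated; quoted
    paths containing spaces are kept whole.
    """
    entries = [e.strip('"') for e in re.findall(r'"[^"]+"|[^,\s]+', shell_value)]
    return [e for e in entries if ntpath.basename(e).lower() != "explorer.exe"]


def nithsys_file_hits(paths, system_dir=r"C:\Windows\System32"):
    """Paths from a file listing that match the dropped or downloaded files."""
    prefix = system_dir.rstrip("\\").lower() + "\\"
    wanted = {f.lower() for f in NITHSYS_FILES}
    return [p for p in paths
            if p.lower().startswith(prefix) and p.lower()[len(prefix):] in wanted]


def nithsys_c2_hits(connections):
    """(host, port) pairs that match the command-and-control endpoint."""
    return [c for c in connections if (c[0].lower(), c[1]) == NITHSYS_C2]


def assess(shell_value, paths, connections):
    """Combine the three checks into one verdict dictionary."""
    findings = {
        "winlogon_shell_extras": shell_value_extras(shell_value),
        "files": nithsys_file_hits(paths),
        "c2": nithsys_c2_hits(connections),
    }
    findings["suspect"] = any(findings.values())
    return findings


if __name__ == "__main__":
    # Constructed sample data resembling a host infected as described above.
    sample_shell = r"Explorer.exe C:\Windows\System32\wbem\wmiadapt.exe"
    sample_files = [r"C:\Windows\System32\wbem\wmiadapt.exe",
                    r"C:\Windows\System32\systhin.dll",
                    r"C:\Windows\System32\kernel32.dll"]
    sample_conns = [("6004.ugly.as", 6004), ("update.example.com", 443)]
    print(assess(sample_shell, sample_files, sample_conns))
```

On a live host the same functions can be fed the value read from the Winlogon key, a directory listing of %System%, and the output of a connection table.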