
System Infected: Trojan.Naid Activity 2

Severity: High

This attack could pose a serious security threat. You should take immediate action to stop any damage or prevent further damage from happening.

Description

Trojan.Naid is a Trojan horse that opens a back door on the compromised computer.

Additional Information

When the Trojan is executed, it creates the following files:

%UserProfile%\AppMgmt.dll
%Windir%\Temp\uid.ax


The Trojan creates the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\Parameters\"ServiceDll" = "%UserProfile%\AppMgmt.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\"Type" = "272"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\"FailureActions" = "[BINARY DATA]"


The Trojan may create one of the following services so that it runs every time Windows starts:

AppMgmt
BITS
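
An added example, not part of the original write-up: a Python triage check over a `reg export` of the Services key that flags AppMgmt or BITS when ServiceDll points outside System32, as in the registry entry listed above. The sample export, the user name in it and the System32 trust rule are assumptions constructed for illustration.

```python
import re

# Services the page names as persistence points.
WATCHED = {"appmgmt", "bits"}
# Assumption: a legitimate ServiceDll for these services lives under System32 on C:.
TRUSTED_PREFIXES = ("%systemroot%\\system32\\", "c:\\windows\\system32\\")
KEY_RE = re.compile(r"^\[(.+\\Services\\([^\\\]]+)\\Parameters)\]$", re.I)
VAL_RE = re.compile(r'^"ServiceDll"=(hex\(2\):|")(.*)$', re.I)

def decode_value(kind, body):
    """Decode a .reg value: quoted REG_SZ, or hex(2) REG_EXPAND_SZ (UTF-16LE bytes)."""
    if kind == '"':
        return body.rstrip('"').replace("\\\\", "\\")
    raw = bytes(int(b, 16) for b in body.split(",") if b.strip())
    return raw.decode("utf-16-le").rstrip("\x00")

def suspicious_service_dlls(reg_text):
    """Return [(service, dll_path)] for watched services loading a DLL outside System32."""
    # .reg exports wrap long hex values with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", reg_text)
    findings, service = [], None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            service = m.group(2).lower() if m else None
            continue
        v = VAL_RE.match(line)
        if v and service in WATCHED:
            path = decode_value(v.group(1), v.group(2))
            if not path.lower().startswith(TRUSTED_PREFIXES):
                findings.append((service, path))
    return findings

def hex2(s):
    """Encode a string the way regedit exports REG_EXPAND_SZ (used to build the sample)."""
    return ",".join(f"{b:02x}" for b in (s + "\x00").encode("utf-16-le"))

# Constructed sample export: one hijacked service, one pointing at System32.
SAMPLE = "\n".join([
    "Windows Registry Editor Version 5.00",
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\AppMgmt\Parameters]",
    '"ServiceDll"=hex(2):' + hex2(r"C:\Users\alice\AppMgmt.dll"),
    r"[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\BITS\Parameters]",
    '"ServiceDll"=hex(2):' + hex2(r"%SystemRoot%\System32\qmgr.dll"),
])

if __name__ == "__main__":
    for svc, dll in suspicious_service_dlls(SAMPLE):
        print(f"{svc}: ServiceDll outside System32 -> {dll}")
```

A hit is a lead for review rather than a verdict: confirm the DLL's location, signature and creation time before acting on it.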


The Trojan collects the following system information from the compromised computer:

domain name
unique identifier (UID)


The Trojan utilises its own custom communications protocol to connect to the following IP address over port 443:
219.90.117.132

The Trojan then opens a back door on the compromised computer.

Affected

  • Windows 2000, Windows 7, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows Server 2008, Windows Vista, Windows XP