Trojan.Nurevil

Risk Level 1: Very Low

Discovered: June 27, 2013
Updated: July 3, 2013 11:33:14 AM
Systems Affected: Windows

This Trojan may be downloaded by Downloader.Nurevil.

When the Trojan is executed, it creates the following file:
%System%\crypt.dll

The Trojan then creates the following registry entries:
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\Version\"(Default)" = "1.0"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\TypeLib\"(Default)" = "{C8647D94-D767-4D5E-AE99-6FC65E52FBF9}"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\InprocServer32\"(Default)" = "%System%\crypt.dll"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\InprocServer32\"ThreadingModel" = "Apartment"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\"(Default)" = "HelloWorldBHO Class"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\"(Default)" = "HelloWorldBHO"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\"NoExplorer" = "1"

Note: The above registry entries register the dropped DLL as a Browser Helper Object (BHO), so Internet Explorer loads it in-process on every launch.
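Because a BHO registration is just a CLSID under the Browser Helper Objects key whose InprocServer32 value names the DLL, the two can be cross-referenced to find what a host's browser actually loads. The following is an added example (not Symantec's code) that parses a `reg export`-style dump, enumerates every registered BHO, and flags the ones matching this writeup's CLSID or `crypt.dll` path; the registry text below is constructed, with %System% expanded to C:\Windows\System32.

```python
from collections import defaultdict

BHO_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
CLSID_ROOT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID"
NUREVIL_CLSID = "{8D26D304-3890-4ED7-9A8E-FBAC954440AE}"  # indicator from the writeup
NUREVIL_DLL = "crypt.dll"                                  # indicator from the writeup

# Constructed sample in `reg export` format (not a real capture).
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}]
@="HelloWorldBHO Class"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}\InprocServer32]
@="C:\\Windows\\System32\\crypt.dll"
"ThreadingModel"="Apartment"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{8D26D304-3890-4ED7-9A8E-FBAC954440AE}]
@="HelloWorldBHO"
"NoExplorer"=dword:00000001
"""

def parse_reg_export(text):
    """Parse a .reg export into {key_path: {value_name: value}}; decodes string and dword values only."""
    keys, current = defaultdict(dict), None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current]  # record keys that carry no values
        elif current is not None and "=" in line:
            name, _, raw = line.partition("=")
            name = "(Default)" if name == "@" else name.strip('"')
            if raw.startswith('"'):  # .reg escapes backslashes and quotes
                raw = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
            elif raw.startswith("dword:"):
                raw = int(raw[6:], 16)
            keys[current][name] = raw
    return dict(keys)

def enumerate_bhos(keys):
    """List every registered BHO and resolve its CLSID to the DLL Internet Explorer would load."""
    bhos = []
    for key, values in keys.items():
        if key.lower().startswith(BHO_ROOT.lower() + "\\"):
            clsid = key[len(BHO_ROOT) + 1:]
            server = keys.get(f"{CLSID_ROOT}\\{clsid}\\InprocServer32", {})
            bhos.append({"clsid": clsid, "dll": server.get("(Default)"),
                         "name": keys.get(f"{CLSID_ROOT}\\{clsid}", {}).get("(Default)"),
                         "no_explorer": values.get("NoExplorer")})
    return bhos

def nurevil_matches(keys):
    """Return BHOs that match the writeup's CLSID or load crypt.dll from the system directory."""
    hits = []
    for bho in enumerate_bhos(keys):
        dll = (bho["dll"] or "").lower()
        if bho["clsid"].upper() == NUREVIL_CLSID or (dll.endswith("\\" + NUREVIL_DLL) and "\\system32\\" in dll):
            hits.append(bho)
    return hits
```

On a live host the same cross-reference can be run against `reg export HKLM\SOFTWARE` output; an unfamiliar BHO whose DLL is not one you installed deserves the same scrutiny as this one.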

The Trojan monitors for access to the following websites:
  • www.itembay.com
  • www.itemmania.com
  • paypal.com

If access to any of the above sites is detected, the Trojan displays adverts retrieved from the following IP address:
204.45.158.83
Writeup By: Jeet Morparia & Takayoshi Nakayama