TrojanDownloader:Win32/Nemim.gen!A


TrojanDownloader:Win32/Nemim.gen!A is a trojan that downloads files, which may themselves be malicious, onto your computer.



What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

TrojanDownloader:Win32/Nemim.gen!A may arrive on your computer under the file name "igfxext.exe", a name that resembles a component of a display graphics driver, in an effort to look inconspicuous.

Payload

Downloads and runs files

The trojan attempts to connect to one of a number of remote URLs, each carrying a query parameter <data>, to download and run a file named "ctfmon.exe".


Note: <data> is the information the trojan steals from your computer, encrypted and then Base64-encoded. See the "Steals information about your computer" section below for details.

Once downloaded, "ctfmon.exe" will be detected as either of the following:

Steals information about your computer

TrojanDownloader:Win32/Nemim.gen!A has been observed stealing the following information about your computer:

  • The version of Windows installed on your computer and service pack details
  • Your computer's language settings
  • Your computer's name
  • The user name of the currently logged-in user
  • The number of USB ports on your computer

Deletes files

When executed, the trojan attempts to delete the following files from the directory in which it is located, in an effort to hide its presence; once deleted, these files are no longer recoverable:

  • automngr.exe
  • ctfmon.exe
  • dmaup1.exe
  • dmaup2.exe
  • dmaup3.exe
  • dmaup4.exe
  • rstimgr.dll
  • rstimgr.inf
  • smcnmgr.exe
  • winmsgr.exe

Analysis by Jonathan San Jose


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following files:

    igfxext.exe
    ctfmon.exe
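As an added example, not part of the Microsoft entry: a small Python check that groups a file listing by directory and flags any directory holding both symptom files outside the standard system folders (the system folder paths are assumed, and the listing is constructed). Both "ctfmon.exe" and "igfxext.exe" are also legitimate Windows and graphics-driver file names, so the co-location outside those folders is the signal, not either name alone.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# File names the entry lists as symptoms of TrojanDownloader:Win32/Nemim.gen!A.
# Both are also legitimate file names, so neither is an indicator on its own;
# the signal is the pair together outside where the genuine binaries live.
SYMPTOM_FILES = {"igfxext.exe", "ctfmon.exe"}

# Assumption: standard Windows install locations for the genuine files.
EXPECTED_DIRS = {
    PureWindowsPath(r"C:\Windows\System32"),
    PureWindowsPath(r"C:\Windows\SysWOW64"),
}


def suspicious_dirs(paths):
    """Return directories (as strings) that contain both symptom files and are
    not an expected system directory. Names are compared case-insensitively,
    matching NTFS behaviour."""
    by_dir = defaultdict(set)
    for p in paths:
        wp = PureWindowsPath(p)
        by_dir[wp.parent].add(wp.name.lower())
    expected = {str(d).lower() for d in EXPECTED_DIRS}
    hits = [
        str(d)
        for d, names in by_dir.items()
        if SYMPTOM_FILES <= names and str(d).lower() not in expected
    ]
    return sorted(hits)


# Constructed sample listing: the genuine System32 pair is benign, the
# per-user Roaming copy is the co-location the entry describes, and a lone
# ctfmon.exe in C:\Temp is not enough on its own.
SAMPLE = [
    r"C:\Windows\System32\ctfmon.exe",
    r"C:\Windows\System32\igfxext.exe",
    r"C:\Users\alice\AppData\Roaming\Intel\IGFXEXT.EXE",
    r"C:\Users\alice\AppData\Roaming\Intel\ctfmon.exe",
    r"C:\Temp\ctfmon.exe",
]

if __name__ == "__main__":
    for d in suspicious_dirs(SAMPLE):
        print("review:", d)
```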

Prevention


Alert level: Severe
First detected by definition: 1.143.2126.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Feb 12, 2013
This entry was first published on: Feb 12, 2013
This entry was updated on: Apr 15, 2013

This threat is also detected as:
No known aliases