TrojanDownloader:Win32/Navattle.A
TrojanDownloader:Win32/Navattle.A downloads and runs other files. It deletes a registry entry related to the gaming service Battle.net.
What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full-system scan with an appropriate, up-to-date, security solution. The following Microsoft products detect and remove this threat:

Threat behavior

Installation

When run, TrojanDownloader:Win32/Navattle.A copies itself as the following file:

%Systemroot%\system32\nusb3mon.exe

It creates the following registry entry so that it automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "AhnLab V3Lite Update Process"
With data: "%Systemroot%\system32\nusb3mon.exe"

Payload

Downloads other files

TrojanDownloader:Win32/Navattle.A downloads and runs a file from a certain server. It checks which server to download files from by connecting to:

blogspot-china.l.google.com/<blocked>

At the time of this writing, the site is no longer available.

Deletes registry keys

TrojanDownloader:Win32/Navattle.A deletes the following registry key, related to the gaming service Battle.net, if it exists:

HKCU\Software\Blizzard Entertainment\Battle.net\Identity

If you are using this game service, you might experience problems with your account.

Analysis by Jim Wang
Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following file:
    %Systemroot%\system32\nusb3mon.exe
  • The presence of the following registry modification:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    Sets value: "AhnLab V3Lite Update Process"
    With data: "%Systemroot%\system32\nusb3mon.exe"

  • If you have a Battle.net account, it might not be working properly.
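The following PowerShell script is an added example, not part of the Microsoft encyclopedia entry: it checks a host for the three symptoms listed above (the dropped nusb3mon.exe, the fake "AhnLab V3Lite Update Process" Run value, and the missing Battle.net Identity key). It assumes an elevated session on the host being examined; the Battle.net check only covers the current user's HKCU hive and treats a missing Identity key as evidence only when the parent Battle.net key exists, which is a heuristic of this example rather than something the entry states.

```powershell
# Added example: host check for TrojanDownloader:Win32/Navattle.A indicators.
# Run as Administrator in the profile of the user whose Battle.net key should be inspected.

$indicators = @()

# 1. Dropped copy of the downloader under %SystemRoot%\system32
$dropPath = Join-Path $env:SystemRoot 'system32\nusb3mon.exe'
if (Test-Path -LiteralPath $dropPath) {
    $file = Get-Item -LiteralPath $dropPath
    $hash = (Get-FileHash -LiteralPath $dropPath -Algorithm SHA256).Hash
    $indicators += [pscustomobject]@{
        Indicator = 'File present'
        Detail    = "$dropPath (size $($file.Length) bytes, SHA256 $hash)"
    }
}

# 2. Autostart value that masquerades as an AhnLab updater
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName = 'AhnLab V3Lite Update Process'
$runValue = Get-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
if ($null -ne $runValue) {
    $indicators += [pscustomobject]@{
        Indicator = 'Run value present'
        Detail    = "$runKey\$runName = $($runValue.$runName)"
    }
}

# 3. Battle.net Identity key deleted. Absence alone is weak evidence (hosts that never ran
#    the client have no such key), so only flag it when the parent Battle.net key exists.
$bnetParent = 'HKCU:\Software\Blizzard Entertainment\Battle.net'
$bnetKey    = Join-Path $bnetParent 'Identity'
if ((Test-Path -LiteralPath $bnetParent) -and -not (Test-Path -LiteralPath $bnetKey)) {
    $indicators += [pscustomobject]@{
        Indicator = 'Battle.net Identity key missing'
        Detail    = "$bnetParent exists but its Identity subkey does not"
    }
}

if ($indicators.Count -eq 0) {
    Write-Output 'No Navattle.A indicators found on this host.'
} else {
    $indicators | Format-Table -AutoSize
}
```

A hit on the Run value or the file warrants a full scan with an up-to-date security product, as the entry advises; the hash is recorded so the sample can be compared against vendor detections.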

Prevention
Alert level: Severe
First detected by definition: 1.141.135.0
Latest detected by definition: 1.173.2181.0 and higher
First detected on: Nov 21, 2012
This entry was first published on: Nov 21, 2012
This entry was updated on: Jan 03, 2013

This threat is also detected as:
  • Trojan.Navattle!4D19 (Rising AV)