When run, TrojanDownloader:Win32/Navattle.A copies itself as the following file:
It creates the following registry entry so that it automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "AhnLab V3Lite Update Process"
With data: "%Systemroot%\system32\nusb3mon.exe"
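The following PowerShell is an added example, not part of the original analysis. It looks for the Run value and file named above, and also checks the WOW6432Node and SysWOW64 locations, where a 32-bit process on 64-bit Windows is redirected. The function name Find-NavattleArtifact is hypothetical, and PowerShell 4.0 or later is assumed.

```powershell
# Added example (not from the original analysis). Function name is hypothetical.
# Assumes PowerShell 4.0 or later (Get-FileHash) on the host being checked.
function Find-NavattleArtifact {
    $valueName = 'AhnLab V3Lite Update Process'   # Run value name from this description
    $fileName  = 'nusb3mon.exe'                   # file name from this description

    # A 32-bit process on 64-bit Windows is redirected to WOW6432Node / SysWOW64,
    # so check both views of the Run key and both system directories.
    $runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    $sysDirs = 'System32', 'SysWOW64' | ForEach-Object { Join-Path $env:SystemRoot $_ }
    $noExpand = [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames

    foreach ($keyPath in $runKeys) {
        if (-not (Test-Path -LiteralPath $keyPath)) { continue }
        $key = Get-Item -LiteralPath $keyPath
        foreach ($name in $key.GetValueNames()) {
            # Read the raw data so %Systemroot% is compared as stored, not expanded.
            $data = [string]$key.GetValue($name, '', $noExpand)
            # Flag the exact value name, or any autorun entry pointing at the file.
            if ($name -eq $valueName -or $data -like ('*\' + $fileName + '*')) {
                [pscustomobject]@{ Type = 'RunValue'; Location = $keyPath
                                   Name = $name; Detail = $data }
            }
        }
    }

    foreach ($dir in $sysDirs) {
        $path = Join-Path $dir $fileName
        if (Test-Path -LiteralPath $path -PathType Leaf) {
            # -Force so a hidden or system attribute does not hide the file.
            $item = Get-Item -LiteralPath $path -Force
            $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
            [pscustomobject]@{ Type = 'File'; Location = $path; Name = $fileName
                               Detail = "SHA256=$hash LastWriteUtc=$($item.LastWriteTimeUtc.ToString('u'))" }
        }
    }
}

$hits = @(Find-NavattleArtifact)
if ($hits.Count) { $hits | Format-List } else { 'No Navattle.A Run value or file found.' }
```

A hit on the file name alone is a lead for further triage rather than confirmation; compare the reported hash against your antimalware vendor's detection.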
Downloads other files
TrojanDownloader:Win32/Navattle.A downloads and runs a file from a certain server. It checks which server to download files from by connecting to:
At the time of this writing, the site is no longer available.
Deletes registry keys
TrojanDownloader:Win32/Navattle.A deletes the following registry key, related to the gaming service Battle.net, if it exists:
If you are using this game service, you might experience problems with your account.
Analysis by Jim Wang
The following system changes may indicate the presence of this malware: