
TrojanSpy:Win32/Nivdort.R


TrojanSpy:Win32/Nivdort.R is a trojan that collects sensitive information for an attacker.


What to do now

To detect and remove this threat and other malicious software that may have been installed in your computer, run a full-system scan with an up-to-date antivirus product such as the following:

Additional recovery instructions

This threat might make lasting changes that won't be restored by detecting and removing it. There is more information below about returning your PC to its pre-infected state.
To recreate a clean Hosts file:
See How do I reset the Hosts file back to the default?

Threat behavior

TrojanSpy:Win32/Nivdort.R is a trojan that collects sensitive information for an attacker.
Installation
TrojanSpy:Win32/Nivdort.R creates the following files on your computer:

  • %windir%\temp\z8amauol5y31ldxy.exe
  • <system folder>\fmwhyzhd.exe
  • <system folder>\zmvtedwm.exe
  • <system folder>\brcegmzuea\cfg
  • <system folder>\brcegmzuea\etc
  • <system folder>\brcegmzuea\rng
  • <system folder>\brcegmzuea\run
  • <system folder>\brcegmzuea\tst
  • c:\documents and settings\administrator\local settings\temp\z8amauol5hs8ldxhwz4hp.exe
  • c:\documents and settings\administrator\start menu\programs\startup\zmvtedwm.exe

Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
Payload
Modifies Hosts file
TrojanSpy:Win32/Nivdort.R modifies the Windows Hosts file. The local Hosts file overrides DNS resolution, mapping a hostname to a particular IP address before any DNS query is made. Malicious software may modify the Hosts file to redirect specified hostnames to different IP addresses. Malware often modifies an affected computer's Hosts file to stop users from reaching websites associated with security-related applications, such as antivirus update and download sites.
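The check a responder would run after such an infection is to list every Hosts entry that is not one of the stock loopback mappings, since anything else is either a block (a name pinned to 127.0.0.1) or a redirect (a name pinned to some other address). The following is an added example, not code from the write-up or from Microsoft; the Hosts content it parses is a constructed sample, and the domain names in it are placeholders, not indicators from this threat.

```python
import ipaddress

# Constructed sample Hosts file content (assumption for this example):
# the stock Windows loopback entries plus two entries of the kind a
# Hosts-modifying trojan adds. The hostnames are placeholders.
SAMPLE_HOSTS = """# Copyright (c) 1993-2009 Microsoft Corp.
#
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.example-antivirus.test   # constructed: blocks AV updates
10.0.0.5        www.example-security.test       # constructed: redirects to another host
"""

# Names that a clean Hosts file legitimately maps to a loopback address.
LOOPBACK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}


def parse_hosts(text):
    """Yield (address, [hostnames]) for each effective line, ignoring comments."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing and full-line comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:                    # an address with no names is inert
            continue
        yield parts[0], [name.lower() for name in parts[1:]]


def classify(address):
    """'block' for a loopback target, 'redirect' otherwise, 'malformed' if not an IP."""
    try:
        return "block" if ipaddress.ip_address(address).is_loopback else "redirect"
    except ValueError:
        return "malformed"


def suspicious_hosts_entries(text):
    """Return (address, hostname) pairs that do not belong in a stock Hosts file.

    Only loopback names mapped to a loopback address are accepted; every other
    mapping, including a malformed address column, is reported for review.
    """
    findings = []
    for address, names in parse_hosts(text):
        kind = classify(address)
        for name in names:
            if kind == "block" and name in LOOPBACK_NAMES:
                continue
            findings.append((address, name))
    return findings


if __name__ == "__main__":
    for address, name in suspicious_hosts_entries(SAMPLE_HOSTS):
        print(f"{classify(address):9} {name} -> {address}")
```

Run it against the real file (%windir%\System32\drivers\etc\hosts) by reading that path instead of SAMPLE_HOSTS; a clean machine produces no findings, so any output is worth a look before the file is reset as described under "Additional recovery instructions".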

Modifies system security settings
The malware may attempt to disable Firewall notifications from the Windows Security Center by making the following registry modification:

Adds value: "FirewallDisableNotify"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center

Contacts remote hosts
The malware may contact the following remote hosts using port 80:

  • ableeach.net
  • elementarimagine.com
  • jumpgray.net
  • liarshot.net
  • likrlift.net
  • lookloss.net
  • mojoguia.com
  • movegray.net
  • pengthecon.com
  • salthave.net
  • southabout.net
  • tablewash.net
  • theirgreen.net
  • theirlift.net
  • themorrefk.com
  • yourenjoy.net

Commonly, malware may contact a remote host for the following purposes:
  • To confirm Internet connectivity
  • To report a new infection to its author
  • To receive configuration or other data
  • To download and execute arbitrary files (including updates or additional malware)
  • To receive instruction from a remote attacker
  • To upload data taken from the affected computer
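The domains listed above are the detection handle for this section: a query for any of them, or for a subdomain of one, from a host on the network is a strong signal that a Nivdort.R sample is running there. The block below is an added example, not code from the write-up; it carries the write-up's domain list and matches it against constructed DNS query log lines in an assumed "timestamp client query name" format (the format and the client addresses are assumptions for the example).

```python
from collections import Counter

# Remote hosts the write-up lists for TrojanSpy:Win32/Nivdort.R (port 80).
NIVDORT_R_DOMAINS = {
    "ableeach.net", "elementarimagine.com", "jumpgray.net", "liarshot.net",
    "likrlift.net", "lookloss.net", "mojoguia.com", "movegray.net",
    "pengthecon.com", "salthave.net", "southabout.net", "tablewash.net",
    "theirgreen.net", "theirlift.net", "themorrefk.com", "yourenjoy.net",
}

# Constructed sample log lines (assumption: "timestamp client query name").
# Client addresses are documentation-range placeholders.
SAMPLE_LOG = """\
2013-10-24T10:01:02Z 192.0.2.10 query www.example.test
2013-10-24T10:01:05Z 192.0.2.10 query salthave.net
2013-10-24T10:01:07Z 192.0.2.11 query cdn.jumpgray.net.
2013-10-24T10:01:09Z 192.0.2.12 query notmojoguia.com
2013-10-24T10:02:00Z 192.0.2.10 query THEIRLIFT.NET
"""


def normalize(qname):
    """Lower-case the name and drop a trailing dot so comparisons are exact."""
    return qname.lower().rstrip(".")


def domain_matches(qname, watchlist):
    """True if qname is a watch-listed domain or a subdomain of one.

    Matching on the label boundary ("." + domain) avoids false positives such
    as 'notmojoguia.com' matching 'mojoguia.com' by plain suffix comparison.
    """
    q = normalize(qname)
    return any(q == d or q.endswith("." + d) for d in watchlist)


def find_hits(log_text, watchlist=NIVDORT_R_DOMAINS):
    """Return (client, queried name) for every log line that hits the watchlist."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "query":   # skip lines not in the assumed format
            continue
        _timestamp, client, _, qname = parts
        if domain_matches(qname, watchlist):
            hits.append((client, normalize(qname)))
    return hits


def clients_by_hit_count(hits):
    """Count hits per client so the most active candidate host is triaged first."""
    return Counter(client for client, _ in hits)


if __name__ == "__main__":
    hits = find_hits(SAMPLE_LOG)
    for client, qname in hits:
        print(f"{client} queried {qname}")
    for client, count in clients_by_hit_count(hits).most_common():
        print(f"{client}: {count} hit(s)")
```

Feeding it real resolver logs means only swapping the line parser for one that understands the resolver's format; the boundary-aware match and the per-client tally stay the same. A client that hits several of these domains in a short window is the one to pull the files and registry value listed in this write-up from first.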

This malware description was produced and published using our automated analysis system's examination of file SHA1 097c5f4fae2e77be998b1ebab93ebdc630d1aabe.

Symptoms

System changes
The following could indicate that you have this threat on your PC:

  • The presence of the following files:
      • %windir%\temp\z8amauol5y31ldxy.exe
      • <system folder>\fmwhyzhd.exe
      • <system folder>\zmvtedwm.exe
      • <system folder>\brcegmzuea\cfg
      • <system folder>\brcegmzuea\etc
      • <system folder>\brcegmzuea\rng
      • <system folder>\brcegmzuea\run
      • <system folder>\brcegmzuea\tst
      • c:\documents and settings\administrator\local settings\temp\z8amauol5hs8ldxhwz4hp.exe
      • c:\documents and settings\administrator\start menu\programs\startup\zmvtedwm.exe

  • You see these entries or keys in your registry:
      Adds value: "FirewallDisableNotify"
      With data: "1"
      To subkey: HKLM\SOFTWARE\Microsoft\Security Center


Prevention


Alert level: Severe
First detected by definition: 1.161.126.0
Latest detected by definition: 1.183.1637.0 and higher
First detected on: Oct 18, 2013
This entry was first published on: Oct 24, 2013
This entry was updated on: Oct 29, 2013

This threat is also detected as:
No known aliases