Trojan:Win32/Nedsym.G is a trojan that distributes spam email messages. It also collects information about the affected computer, and sends it back to its command and control (C&C) server.
Installation
When executed, the trojan drops a copy of itself in the following folder:
- %USERPROFILE%\Application Data\FW-<random nine digit number>.exe
Trojan:Win32/Nedsym.G modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Firewall 2.9"
With data: "%USERPROFILE%\Application Data\FW-<random nine digit number>.exe /s"
Note: %USERPROFILE% refers to a variable location that the malware determines by querying the operating system. The default installation location for the System folder for Windows 2000 and NT is C:\Documents and Settings\<user> or C:\Users\<user>; and for XP, Vista, and 7 it is C:\Users\<user name>.
Trojan:Win32/Nedsym.G creates the mutex "MSCTF.Shared.MUTEX.LDR" to check whether another copy of the trojan is already running on the affected computer.
The trojan drops and loads two DLL components, which replace the file DESKTOP.INI and create NTUSER.DAT in the following folder:
- %USERPROFILE%\Application Data\
The component file, DESKTOP.INI, is used for encrypting the communication with the C&C server, while NTUSER.DAT is used for compressing the information sent to the C&C server.
The trojan also creates the following registry entry in order to identify the affected computer:
In subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Sets value: "SavedLegacySettingsML"
With data: <generated user ID>
Payload
Steals sensitive information
Trojan:Win32/Nedsym.G also collects user name and password credentials from visited websites, and those saved by the browser. It retrieves this information from the following registry key:
- HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2
The trojan has been observed stealing user names and passwords from specific applications, for example:
- Internet Explorer
- Mozilla Firefox
- The Bat! email application
Contacts remote hosts & distributes spam
Trojan:Win32/Nedsym.G retrieves configuration data about its spam details, templates and SMTP servers from its C&C server.
It generates a random domain name based on the current date and time, and appends the following paths to that domain name in order to send information to, and retrieve information from, its C&C server.
- /stat1.php
- /stat2.php
- /logacc.php
- /error.php?
- /u.php?
- /smtps.php
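As an added example (not part of the original write-up), the Python script below turns the indicators in this description into a small offline matcher that a defender could run over exported artefacts: the dropped-copy path pattern (FW-<nine digits>.exe under Application Data, with or without the "/s" switch), the Run-key value name, the LowRegistry identity value, the mutex name and the C&C URL paths. The sample records at the bottom are constructed for illustration; they are not taken from an infected system, and the domain in the URL record is a placeholder.

```python
import re

# Indicators taken from the description above.
RUN_VALUE_NAME = "Microsoft Firewall 2.9"
ID_REG_KEY = r"HKLM\SOFTWARE\Microsoft\Internet Explorer\LowRegistry"
ID_VALUE_NAME = "SavedLegacySettingsML"
MUTEX_NAME = "MSCTF.Shared.MUTEX.LDR"
CNC_PATHS = ("/stat1.php", "/stat2.php", "/logacc.php",
             "/error.php?", "/u.php?", "/smtps.php")

# Dropped copy: <profile>\Application Data\FW-<random nine digit number>.exe,
# optionally followed by the " /s" switch used in the Run-key data.
DROPPED_COPY_RE = re.compile(
    r"\\Application Data\\FW-\d{9}\.exe(?:\s+/s)?$", re.IGNORECASE)


def matches_dropped_copy(path):
    """True if a file path or Run-key data string matches the dropped copy."""
    return bool(DROPPED_COPY_RE.search(path.strip().strip('"')))


def check_run_value(value_name, data):
    """True if a Run-key entry matches the persistence entry by name or data."""
    return value_name == RUN_VALUE_NAME or matches_dropped_copy(data)


def check_id_value(key, value_name):
    """True if a registry value matches the generated-user-ID location."""
    return key.lower() == ID_REG_KEY.lower() and value_name == ID_VALUE_NAME


def check_mutex(name):
    return name == MUTEX_NAME


def cnc_path_hits(url_or_path):
    """Return the documented C&C paths that appear in a URL or proxy-log path."""
    return [p for p in CNC_PATHS if p in url_or_path]


def scan_records(records):
    """records: tuples of (kind, *fields). Returns a list of (kind, detail) hits."""
    hits = []
    for rec in records:
        kind = rec[0]
        if kind == "file" and matches_dropped_copy(rec[1]):
            hits.append(("file", rec[1]))
        elif kind == "run" and check_run_value(rec[1], rec[2]):
            hits.append(("run", rec[1]))
        elif kind == "regvalue" and check_id_value(rec[1], rec[2]):
            hits.append(("regvalue", rec[2]))
        elif kind == "mutex" and check_mutex(rec[1]):
            hits.append(("mutex", rec[1]))
        elif kind == "url" and cnc_path_hits(rec[1]):
            hits.append(("url", rec[1]))
    return hits


# Constructed sample records (hypothetical user "alice", placeholder domain).
SAMPLE_RECORDS = [
    ("file", r"C:\Documents and Settings\alice\Application Data\FW-123456789.exe"),
    ("file", r"C:\Documents and Settings\alice\Application Data\FW-1234.exe"),
    ("run", "Microsoft Firewall 2.9",
     r"%USERPROFILE%\Application Data\FW-123456789.exe /s"),
    ("run", "SomeUpdater", r"C:\Program Files\SomeUpdater\updater.exe /background"),
    ("regvalue", r"HKLM\SOFTWARE\Microsoft\Internet Explorer\LowRegistry",
     "SavedLegacySettingsML"),
    ("regvalue", r"HKLM\SOFTWARE\Microsoft\Internet Explorer\LowRegistry", "Other"),
    ("mutex", "MSCTF.Shared.MUTEX.LDR"),
    ("mutex", "Global\\UnrelatedMutex"),
    ("url", "http://placeholder-generated-domain.invalid/stat1.php"),
    ("url", "http://placeholder-generated-domain.invalid/index.html"),
]

if __name__ == "__main__":
    for kind, detail in scan_records(SAMPLE_RECORDS):
        print(f"{kind:9s} {detail}")
```

The path check deliberately keys on the nine-digit FW- name and the Application Data folder rather than on a full path, so it works whether the profile root is C:\Documents and Settings or C:\Users; the URL check is a plain substring match on the paths listed above, which is enough for triage of proxy logs but should be combined with the date-derived domain behaviour before treating a hit as confirmation.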
Analysis by Zarestel Ferrer