Trojan:Win32/Nedsym.B is a trojan that distributes spam email messages. It also collects information about the affected computer, and sends it back to its command and control (C&C) server. The trojan also uses stealth techniques in order to hide its presence on an affected computer.
Installation
Trojan:Win32/Nedsym.B drops a copy of itself in the <system folder> as "QTPLUGIN.EXE".
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on Windows XP, Vista, and 7.
Trojan:Win32/Nedsym.B modifies the following registry entries to ensure that its copy executes at each Windows start:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Run
Sets value "RegistryMonitor1"
With data: "<system folder>\qtplugin.exe"
The trojan also creates the following registry entries in order to determine the identity of the affected computer:
In subkey: HKLM\Software\Microsoft\Windows\CurrentVersion\Setup
Sets value "RegistryMonitor2"
With data: "<random eight digit number>"
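The two registry values described above are the persistence and host-identification indicators a responder would look for. The following is an added example (not from the original entry) that parses text in the layout of `reg query` output and flags a Run value named RegistryMonitor1 pointing at qtplugin.exe and a Setup value named RegistryMonitor2 holding an eight-digit number; the sample output is constructed, not captured from a real host.

```python
import re

# Constructed sample in the layout of `reg query <key>` output (not real host data).
SAMPLE_REG_OUTPUT = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    RegistryMonitor1    REG_SZ    C:\Windows\System32\qtplugin.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Setup
    LogLevel    REG_DWORD    0x0
    RegistryMonitor2    REG_SZ    48213907
"""

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
SETUP_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\setup"


def parse_reg_query(text):
    """Return {key (lowercased): {value name (lowercased): (type, data)}}."""
    keys = {}
    current = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # key header line
            current = raw.strip().lower()
            keys[current] = {}
            continue
        parts = re.split(r"\s{2,}", raw.strip(), maxsplit=2)
        if current is None or len(parts) < 2:
            continue
        data = parts[2] if len(parts) == 3 else ""
        keys[current][parts[0].lower()] = (parts[1], data)
    return keys


def find_nedsym_indicators(text):
    """List (location, data) pairs matching the registry changes described above."""
    keys = parse_reg_query(text)
    findings = []
    run_value = keys.get(RUN_KEY, {}).get("registrymonitor1")
    if run_value and run_value[1].lower().strip('"').endswith("qtplugin.exe"):
        findings.append(("Run\\RegistryMonitor1", run_value[1]))
    setup_value = keys.get(SETUP_KEY, {}).get("registrymonitor2")
    if setup_value and re.fullmatch(r"\d{8}", setup_value[1]):
        findings.append(("Setup\\RegistryMonitor2", setup_value[1]))
    return findings
```

On a live host the same function can be fed the combined output of `reg query` against the two keys.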
Payload
Contacts remote hosts & distributes spam
Trojan:Win32/Nedsym.B retrieves configuration data from its C&C servers.
This data contains spam templates and specifies which Simple Mail Transfer Protocol (SMTP) server the trojan can use.
Trojan:Win32/Nedsym.B also reports the following information back to its C&C server:
- Bot ID
- Computer name
- Computer speed
- System uptime
- Number of successfully sent emails
- Number of emails that failed to send
- Number of sent emails with neither a receipt nor a rejection confirmation
- Delivery report
- Time of last email sent
- Last SMTP server used
This trojan has a built-in SMTP engine and can be used to send bulk unwanted email (spam).
Uses stealth
The trojan drops the following rootkit components in an effort to remain hidden on the affected computer:
Additional information
The trojan requests the following paths on the C&C server to communicate with it:
- /stat2.php
- /error.php?
- /report5.php
- /send5.php
Analysis by Zarestel Ferrer