
Trojan:Win32/Nedsym.G


Trojan:Win32/Nedsym.G is a trojan that distributes spam email messages. It also collects information about the affected computer, and sends it back to its command and control (C&C) server.


What to do now

To detect and remove this threat and other malicious software that may be installed on your computer, run a full system scan with an appropriate, up-to-date security solution. The following Microsoft products detect and remove this threat:

For more information on antivirus software, see http://www.microsoft.com/windows/antivirus-partners/.

Threat behavior

Trojan:Win32/Nedsym.G is a trojan that distributes spam email messages. It also collects information about the affected computer, and sends it back to its command and control (C&C) server.

Installation

When executed, the trojan drops a copy of itself as the following file:

  • %USERPROFILE%\Application Data\FW-<random nine digit number>.exe

Trojan:Win32/Nedsym.G creates the following registry entry so that its copy runs at each Windows start:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Microsoft Firewall 2.9"
With data: "%USERPROFILE%\Application Data\FW-<random nine digit number>.exe /s"

Note: %USERPROFILE% refers to a variable location that the malware determines by querying the operating system. The default location of the user profile folder on Windows 2000 and XP is C:\Documents and Settings\<user name>; on Vista and 7 it is C:\Users\<user name>, where "Application Data" is a junction that resolves to AppData\Roaming, so the dropped file appears under %APPDATA% on those versions.

Trojan:Win32/Nedsym.G creates the mutex "MSCTF.Shared.MUTEX.LDR" to check whether another copy of itself is already running on the affected computer.

The trojan drops two DLL components into the following folder, one overwriting the existing file DESKTOP.INI and the other created as NTUSER.DAT, and then loads them:

  • %USERPROFILE%\Application Data\

The DESKTOP.INI component encrypts the communication with the C&C server, while the NTUSER.DAT component compresses the information sent to the C&C server. Both names mimic files that legitimately live in a Windows profile (DESKTOP.INI holds folder view settings and NTUSER.DAT is the user's registry hive), which helps the DLLs go unnoticed.

The trojan also creates the following registry entry to hold a generated identifier for the affected computer:

In subkey: HKLM\SOFTWARE\Microsoft\Internet Explorer\LowRegistry
Sets value: "SavedLegacySettingsML"
With data: <generated user ID>
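The following script is an added example and is not part of the original write-up or of any Microsoft tool. It checks a host for the persistence artifacts described in this section: the "Microsoft Firewall 2.9" Run value pointing at an FW-<nine digit number>.exe under Application Data, the SavedLegacySettingsML identifier value and, on a live Windows system, the MSCTF.Shared.MUTEX.LDR mutex. It parses a .reg export offline, so it can be run against an export collected from a suspect machine, and queries the live registry and mutex only when run on Windows. The sample export, the user name alice, the nine-digit number and the identifier value in it are constructed for this example.

```python
"""Host-side check for the Trojan:Win32/Nedsym.G persistence artifacts
listed above (added example, not from the write-up). Works offline on
a .reg export; on Windows it can also query the live registry and mutex."""
import re
import sys

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "Microsoft Firewall 2.9"
# "<profile>\Application Data\FW-<nine digits>.exe /s", as documented above.
RUN_DATA_RE = re.compile(r"\\Application Data\\FW-\d{9}\.exe /s$", re.IGNORECASE)
ID_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\LowRegistry"
ID_VALUE = "SavedLegacySettingsML"
MUTEX_NAME = "MSCTF.Shared.MUTEX.LDR"

# Constructed sample of a 'reg export' file: user name, nine-digit number
# and identifier value are made up for this example.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Firewall 2.9"="C:\\Documents and Settings\\alice\\Application Data\\FW-483920175.exe /s"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\LowRegistry]
"SavedLegacySettingsML"="0f3a9c21"
'''

_VALUE_LINE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"=(?P<data>.*)$')


def is_nedsym_run_value(name, data):
    """True if a Run value name/data pair matches the documented autostart entry."""
    return name == RUN_VALUE and RUN_DATA_RE.search(data) is not None


def _unescape(s):
    # .reg files write backslashes as \\ and embedded quotes as \".
    return re.sub(r"\\(.)", r"\1", s)


def scan_reg_export(text):
    """Scan the decoded text of a .reg export for Nedsym.G indicators.
    Returns a list of (key, value_name, data) findings."""
    findings = []
    current_key = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]          # start of a new key section
            continue
        m = _VALUE_LINE.match(line)
        if not m or current_key is None:
            continue
        name = _unescape(m.group("name"))
        data = m.group("data")
        if data.startswith('"') and data.endswith('"'):  # REG_SZ; other types left raw
            data = _unescape(data[1:-1])
        key = current_key.lower()
        if key == RUN_KEY.lower() and is_nedsym_run_value(name, data):
            findings.append((current_key, name, data))
        elif key == ID_KEY.lower() and name == ID_VALUE:
            findings.append((current_key, name, data))
    return findings


def live_check():
    """Query the live Run key and the mutex. Returns None when not on Windows."""
    if sys.platform != "win32":
        return None
    import ctypes
    import winreg
    hits = []
    try:
        sub = r"Software\Microsoft\Windows\CurrentVersion\Run"
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub) as k:
            i = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(k, i)
                except OSError:      # no more values under the key
                    break
                i += 1
                if is_nedsym_run_value(name, str(data)):
                    hits.append((RUN_KEY, name, data))
    except OSError:
        pass
    # The name has no Global\ prefix, so the mutex lives in the session
    # namespace; a successful OpenMutexW means a copy is running in this session.
    SYNCHRONIZE = 0x00100000
    kernel32 = ctypes.windll.kernel32
    kernel32.OpenMutexW.restype = ctypes.c_void_p
    h = kernel32.OpenMutexW(SYNCHRONIZE, False, MUTEX_NAME)
    if h:
        kernel32.CloseHandle(ctypes.c_void_p(h))
        hits.append(("mutex", MUTEX_NAME, "present in this session"))
    return hits


if __name__ == "__main__":
    for hit in scan_reg_export(SAMPLE_REG_EXPORT) + (live_check() or []):
        print("INDICATOR:", *hit)
```

A file written by "reg export" is UTF-16LE with a byte order mark, so decode it (for example with encoding="utf-16") before passing its text to scan_reg_export. The live mutex check only sees the current session; run it as the logged-on user whose profile is suspect.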

Payload

Steals sensitive information

Trojan:Win32/Nedsym.G also collects user names and passwords for visited websites that the browser has saved. Internet Explorer 7 and later keep AutoComplete form credentials, encrypted with the Windows Data Protection API (DPAPI), under the following registry key, from which the trojan retrieves them:

  • HKCU\Software\Microsoft\Internet Explorer\IntelliForms\Storage2   

The trojan has been observed stealing user names and passwords from specific applications, including:

  • Internet Explorer
  • Mozilla Firefox
  • The Bat! email application

Contacts remote hosts & distributes spam

Trojan:Win32/Nedsym.G retrieves its spam configuration (message details, templates and the SMTP servers to use) from its C&C server.

It generates the C&C domain name from the current date and time (a domain generation algorithm, so the name looks random but changes predictably over time rather than being fixed in the binary). It appends the following paths to that domain name to send information to, and retrieve information from, its C&C server:

  • /stat1.php
  • /stat2.php
  • /logacc.php
  • /error.php?
  • /u.php?
  • /smtps.php
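Because the C&C domain changes with the date and time, a fixed domain indicator is of little use; hunting on the set of paths above across proxy logs is more durable. The following is an added example, not part of the write-up: it reads log lines in a simplified, constructed "timestamp client method url" format and flags client/host pairs that requested at least two of the six paths. The log lines, client addresses, timestamps and the domain k3j9dq2x7v.com are constructed for this example.

```python
"""Hunt for Trojan:Win32/Nedsym.G C&C traffic in proxy logs by the set of
request paths the write-up lists, since the domain itself changes with the
date and time (added example, not from the write-up)."""
from collections import defaultdict
from urllib.parse import urlsplit

# Paths appended to the generated domain, as listed above; "/error.php?" and
# "/u.php?" carry a query string, which urlsplit separates from the path.
NEDSYM_PATHS = {"/stat1.php", "/stat2.php", "/logacc.php",
                "/error.php", "/u.php", "/smtps.php"}

# Constructed log in a simplified "timestamp client method url" format; the
# clients, timestamps and the domain k3j9dq2x7v.com are made up.
SAMPLE_PROXY_LOG = """\
2011-02-09T10:15:02 10.0.0.5 GET http://k3j9dq2x7v.com/stat1.php
2011-02-09T10:15:03 10.0.0.5 POST http://k3j9dq2x7v.com/u.php?id=0f3a9c21
2011-02-09T10:15:09 10.0.0.5 GET http://k3j9dq2x7v.com/smtps.php
2011-02-09T10:16:40 10.0.0.7 GET http://www.example.net/stat1.php
2011-02-09T10:17:12 10.0.0.7 GET http://www.example.net/index.html
"""


def parse_proxy_line(line):
    """Return (timestamp, client, host, path) or None for a malformed line."""
    parts = line.split()
    if len(parts) < 4:
        return None
    ts, client, _method, url = parts[:4]
    u = urlsplit(url)
    if not u.hostname:
        return None
    return ts, client, u.hostname.lower(), u.path or "/"


def hunt_nedsym_cnc(lines, min_distinct=2):
    """Group requests by (client, host) and flag pairs that hit at least
    min_distinct of the Nedsym paths. A lone /stat1.php is common on
    benign sites, which is why the default requires two distinct paths.
    Returns {(client, host): sorted list of matched paths}."""
    seen = defaultdict(set)
    for line in lines:
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        _, client, host, path = rec
        if path in NEDSYM_PATHS:
            seen[(client, host)].add(path)
    return {pair: sorted(paths) for pair, paths in seen.items()
            if len(paths) >= min_distinct}


if __name__ == "__main__":
    for (client, host), paths in hunt_nedsym_cnc(SAMPLE_PROXY_LOG.splitlines()).items():
        print(f"{client} -> {host}: {', '.join(paths)}")
```

Adapt parse_proxy_line to the real log format in use; the grouping logic is independent of it. Lowering min_distinct to 1 turns the hunt into a broad sweep that will also catch benign sites serving a file with one of these names.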

Analysis by Zarestel Ferrer


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Microsoft Firewall 2.9"
    With data: "%USERPROFILE%\Application Data\FW-<random nine digit number>.exe /s"


Prevention


Alert level: Severe
First detected by definition: 1.97.1334.0
Latest detected by definition: 1.175.2096.0 and higher
First detected on: Feb 09, 2011
This entry was first published on: Feb 09, 2011
This entry was updated on: May 09, 2011

This threat is also detected as:
  • Dropper/Malware.104448.BI (AhnLab)
  • W32/MalwareF.XUGG (Command)
  • W32/Crypt.AUQM (Norman)
  • Trojan.Kryptik!qe91GsXtiqs (VirusBuster)
  • Trojan horse Dropper.Generic3.QPG (other)
  • TR/Extats.A.8 (Avira)
  • Trojan.Generic.KDV.127916 (BitDefender)
  • Win32/Tnega.WCI (CA)
  • Trojan.DownLoader2.2932 (Dr.Web)
  • Backdoor.Win32.CVVStealer (Ikarus)
  • Trojan-Dropper.Win32.Pakes.dh (Kaspersky)
  • PWS-Zbot.gen.cy (McAfee)
  • TSPY_ZBOT.SMHA (Trend Micro)