VIRUS ALERTS

Trojan Nilage

Original issue date: October 17, 2008

It has been observed that a Trojan named Nilage is spreading in the wild. It arrives as a PE EXE file which is 52 925 bytes in size and is packed using FSG.

After successful infection, the Trojan sends the notification of infection to the attacker through email. The Trojan harvests username and password related to "Lineage Windows Client" and collects this information in a text file. The Trojan periodically updates this text file and sends the updated file to the attacker.

Aliases:

Trojan-PSW.Win32.Lineage.a (Kaspersky Lab), Trojan Horse (Symantec), Trojan.PWS.Lineage (Doctor Web), TROJ_LINEAGE.A (Trend Micro), Trojan.Lmir-48 (ClamAV), Trojan Horse (Panda)

Upon execution some of the variants:

  • Copies itself to the following location (the genuine rundll32.exe lives in the system directory, not the root of Program Files):
    %Program Files%\rundll32.exe

  • Extracts the following .dll file from its body:
    %System%\ct1dll.dll - this file is 42 496 bytes in size

  • To ensure that it is launched automatically each time the system is booted, the Trojan adds a link to its executable file in the system registry:

    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "loadMect1" = "<path to Trojan executable file> "

  • Terminates the following processes:

    • KVMONXP.KXP
    • KVXP.KXP
    • EGHOST.EXE
    • MAILMON.EXE
    • KAVPFW.EXE
    • IPARMOR.EXE
    • RavMon.exe
    • PasswordGuard.exe

In view of the rapid propagation of the Nilage Trojan, users are advised to implement the following countermeasures:

  • Search for the malicious files and processes created/initiated by the Trojan and delete the same.
  • Search for the registry entries mentioned above made by the Trojan and delete the same.
  • Keep up-to-date patches and fixes on the operating system and application software.
  • Keep up-to-date Antivirus and Antispyware signatures.
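A host check for the indicators listed in this alert, as an added example that is not part of the CERT-In advisory: it looks for the Run value, the dropped executable, the extracted DLL and a rundll32 process running from outside the system directory, and only reports what it finds. The function name and output format are assumptions; the paths, value name and file sizes are those given above.

```powershell
# Added example, not from the CERT-In advisory. Reports the Nilage indicators
# named in the alert (Run value, dropped EXE, extracted DLL, process image path).
# Function name and output format are assumptions; it only reports, never deletes.
function Get-NilageIndicators {
    $findings = @()

    # 1. Persistence: the "loadMect1" value under the HKLM Run key
    $runKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -Name 'loadMect1' -ErrorAction SilentlyContinue
    if ($run) {
        $findings += [pscustomobject]@{ Indicator = 'Run value'
                                         Detail = "$runKey\loadMect1 = $($run.loadMect1)" }
    }

    # 2. Dropped copy: rundll32.exe directly under %Program Files% (the genuine
    #    binary lives in %SystemRoot%\System32). Both Program Files roots are checked
    #    because a 32-bit dropper is redirected on 64-bit Windows.
    foreach ($root in @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }) {
        $exe = Join-Path $root 'rundll32.exe'
        if (Test-Path -LiteralPath $exe) {
            $len = (Get-Item -LiteralPath $exe).Length
            $findings += [pscustomobject]@{ Indicator = 'Dropped EXE'
                                             Detail = "$exe ($len bytes; alert says 52925)" }
        }
    }

    # 3. Extracted DLL: %System%\ct1dll.dll, 42 496 bytes according to the alert
    $dll = Join-Path $env:SystemRoot 'System32\ct1dll.dll'
    if (Test-Path -LiteralPath $dll) {
        $len = (Get-Item -LiteralPath $dll).Length
        $findings += [pscustomobject]@{ Indicator = 'Extracted DLL'
                                         Detail = "$dll ($len bytes; alert says 42496)" }
    }

    # 4. Running copy: a rundll32 process whose image is outside %SystemRoot%
    foreach ($p in (Get-Process -Name rundll32 -ErrorAction SilentlyContinue)) {
        if ($p.Path -and $p.Path -notlike "$env:SystemRoot\*") {
            $findings += [pscustomobject]@{ Indicator = 'Suspicious process'
                                             Detail = "PID $($p.Id) from $($p.Path)" }
        }
    }

    return $findings
}

$hits = Get-NilageIndicators
if ($hits) { $hits | Format-Table -AutoSize } else { 'No Nilage indicators found.' }
```

Run it from an elevated PowerShell session so that process image paths and the HKLM key are readable; a hit on any line is a reason to run a full scan with current signatures before removing anything by hand.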


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003