TrojanDownloader:Win32/Navattle.A
First posted on 04 January 2013.
Source: Microsoft
Aliases:
TrojanDownloader:Win32/Navattle.A is also known as Trojan.Navattle!4D19 (Rising AV).
Explanation:
Installation
When run, TrojanDownloader:Win32/Navattle.A copies itself as the following file:
%Systemroot%\system32\nusb3mon.exe
It creates the following registry entry so that it automatically runs every time Windows starts:
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "AhnLab V3Lite Update Process"
With data: "%Systemroot%\system32\nusb3mon.exe"
Payload
Downloads other files
TrojanDownloader:Win32/Navattle.A downloads and runs a file from a certain server. It checks which server to download files from by connecting to:
blogspot-china.l.google.com/<blocked>
At the time of this writing, the site is no longer available.
Deletes registry keys
TrojanDownloader:Win32/Navattle.A deletes the following registry key, related to the gaming service Battle.net, if it exists:
HKCU\Software\Blizzard Entertainment\Battle.net\Identity
If you are using this game service, you might experience problems with your account.
Analysis by Jim Wang
Last update 04 January 2013
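
A local check for the file and autorun indicators listed above, added here as an example and not part of the original Microsoft write-up. The function name Test-NavattleIndicators is hypothetical, and the SysWOW64 and WOW6432Node locations are an added assumption, included because a Win32 process on 64-bit Windows is redirected to those 32-bit views.

```powershell
# Added example: look for the Navattle.A artifacts described on this page.
# Run from a 64-bit PowerShell session so both file system views are visible.
function Test-NavattleIndicators {
    $valueName = 'AhnLab V3Lite Update Process'   # Run value name from the page
    $fileName  = 'nusb3mon.exe'                   # dropped copy from the page

    # Locations from the page, plus their 32-bit (WOW64) views (assumption).
    $files = @(
        (Join-Path $env:SystemRoot "system32\$fileName"),
        (Join-Path $env:SystemRoot "SysWOW64\$fileName")
    )
    $runKeys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run'
    )

    $hits = @()

    # Dropped file: record a hash so the sample can be compared or submitted.
    foreach ($f in $files) {
        if (Test-Path -LiteralPath $f -PathType Leaf) {
            $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
            $hits += [pscustomobject]@{ Type = 'File'; Location = $f; Detail = "SHA256 $hash" }
        }
    }

    # Autorun value: report its data so it can be compared with the path above.
    foreach ($k in $runKeys) {
        $p = Get-ItemProperty -LiteralPath $k -Name $valueName -ErrorAction SilentlyContinue
        if ($p) {
            $hits += [pscustomobject]@{ Type = 'RunValue'; Location = $k; Detail = $p.$valueName }
        }
    }

    $hits
}

Test-NavattleIndicators | Format-Table -AutoSize -Wrap
```

An empty result means none of the listed artifacts were found in these locations. The deleted Battle.net key is not checked, because its absence alone does not indicate infection.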