TrojanDownloader:Win32/Navattle.A


First posted on 04 January 2013.
Source: Microsoft

Aliases:

TrojanDownloader:Win32/Navattle.A is also known as Trojan.Navattle!4D19 (Rising AV).

Explanation:

Installation

When run, TrojanDownloader:Win32/Navattle.A copies itself as the following file:

%Systemroot%\system32\nusb3mon.exe

It creates the following registry entry so that it automatically runs every time Windows starts:

In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Sets value: "AhnLab V3Lite Update Process"
With data: "%Systemroot%\system32\nusb3mon.exe"



Payload

Downloads other files

TrojanDownloader:Win32/Navattle.A downloads and runs a file from a remote server. It determines which server to download from by connecting to:

blogspot-china.l.google.com/<blocked>

At the time of this writing, the site is no longer available.

Deletes registry keys

TrojanDownloader:Win32/Navattle.A deletes the following registry key, related to the gaming service Battle.net, if it exists:

HKCU\Software\Blizzard Entertainment\Battle.net\Identity

If you are using this game service, you might experience problems with your account.
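The following PowerShell function is an added example for defenders and is not part of the Microsoft write-up. It performs a read-only check for the host indicators described in the Installation and Payload sections: the dropped copy in %SystemRoot%\system32, the Run value, a running instance of the dropped file, and the deleted Battle.net Identity key. The indicator values (paths, value name, key name) are taken from this page; the function name, its output format and the "parent key exists but Identity key is missing" heuristic are my own assumptions.

```powershell
# Added example, not part of the Microsoft write-up. Read-only check for the
# host indicators listed above (dropped file, Run value, Battle.net Identity key).
# Indicator values come from the page; the function and its output shape are assumed.

function Test-NavattleIndicators {
    [CmdletBinding()]
    param()

    $runKey    = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $valueName = 'AhnLab V3Lite Update Process'
    $dropPath  = Join-Path $env:SystemRoot 'system32\nusb3mon.exe'
    $bnetKey   = 'HKCU:\Software\Blizzard Entertainment\Battle.net\Identity'

    $findings = New-Object System.Collections.Generic.List[object]

    # 1. Dropped copy in %SystemRoot%\system32
    if (Test-Path -LiteralPath $dropPath) {
        $item = Get-Item -LiteralPath $dropPath
        $findings.Add([pscustomobject]@{
            Indicator = 'Dropped file'
            Detail    = "$dropPath (size $($item.Length) bytes, written $($item.LastWriteTime))"
        })
    }

    # 2. Autorun value under HKLM\...\Run. -ErrorAction SilentlyContinue makes a
    #    missing key or value return $null instead of throwing.
    $run = Get-ItemProperty -Path $runKey -Name $valueName -ErrorAction SilentlyContinue
    if ($null -ne $run) {
        $findings.Add([pscustomobject]@{
            Indicator = 'Run value'
            Detail    = "$valueName = $($run.$valueName)"
        })
    }

    # 3. Running instance of the dropped file, reported with its image path so a
    #    legitimately installed binary of the same name can be told apart.
    Get-Process -Name 'nusb3mon' -ErrorAction SilentlyContinue | ForEach-Object {
        $findings.Add([pscustomobject]@{
            Indicator = 'Process'
            Detail    = "PID $($_.Id) $($_.Path)"
        })
    }

    # 4. Side effect: the trojan deletes the Battle.net Identity key, so its absence
    #    is only meaningful on a host where the parent Battle.net key exists.
    $bnetParent = Split-Path -Path $bnetKey -Parent
    if ((Test-Path -Path $bnetParent) -and -not (Test-Path -Path $bnetKey)) {
        $findings.Add([pscustomobject]@{
            Indicator = 'Battle.net Identity key missing'
            Detail    = "$bnetKey not present although $bnetParent exists"
        })
    }

    return $findings
}

# Usage: run in an elevated PowerShell session. An empty result means none of the
# listed indicators were found on this host.
Test-NavattleIndicators | Format-Table -AutoSize
```

The file name nusb3mon.exe is borrowed from a legitimate USB 3.0 monitor utility that ships with some vendor drivers, so the discriminators here are the location (%SystemRoot%\system32) and the Run value name, not the file name alone; the process check reports the image path for that reason. The HKCU check only covers the current user's hive, so on a multi-user host run it in each affected user's context.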



Analysis by Jim Wang

Last update 04 January 2013
