Home / malware TrojanSpy:Win32/Nivdort.W
First posted on 06 August 2014.
Source: MicrosoftAliases :
There are no other names known for TrojanSpy:Win32/Nivdort.W.
Explanation :
Threat behavior
Installation
TrojanSpy:Win32/Nivdort.W copies itself to the following locations:
The malware creates the following files on your PC:
- c:\documents and settings\administrator\application data\cheknwz\sgiymdjt.exe
- c:\documents and settings\administrator\application data\cheknwz\tfnqimo.exe
- c:\documents and settings\administrator\application data\cheknwz\sgiymdjt.bb6tn
Payload
Contacts remote hosts
TrojanSpy:Win32/Nivdort.W may contact the following remote hosts using port 80:
- answerfound.net
- answerspring.net
- degreebanker.net
- degreefound.net
- degreespring.net
- degreesuccess.net
- forwardbanker.net
- forwardfound.net
- forwardspring.net
- forwardsuccess.net
- glassfound.net
- returnbefore.net
- returndevice.net
- variousbefore.net
- variousdevice.net
Commonly, malware does this to:This malware description was produced and published using automated analysis of file SHA1 647cf9c5d01b426e82b52370d32a7b86b557463b.Symptoms
- Confirm Internet connectivity
- Report a new infection to its author
- Receive configuration or other data
- Download and run files, including updates or other malware
- Receive instructions from a remote hacker
- Upload data taken from your PC
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
c:\documents and settings\administrator\application data\cheknwz\sgiymdjt.bb6tn
c:\documents and settings\administrator\application data\cheknwz\sgiymdjt.exe
c:\documents and settings\administrator\application data\cheknwz\tfnqimo.exeLast update 06 August 2014
