
Ransom:Win32/Nymaim.A


First posted on 25 March 2019.
Source: Microsoft

Aliases :

Ransom:Win32/Nymaim.A is also known as Trojan-Ransom.Win32.Blocker.tmu, Backdoor.Graybird.

Explanation :

This threat is a malicious program that is unable to spread of its own accord. It may perform a number of actions of an attacker's choice on an affected computer.

Installation

It creates the following files on an affected computer:

%windir%\zkbthh.uxo
%windir%\ofvr.pnb
c:\documents and settings\administrator\application data\data.cff

The malware utilizes code injection in order to hinder detection and removal. When the threat runs, it may inject code into running processes, including the following, for example:

alg.exe
csrss.exe
explorer.exe
reader_sl.exe
spoolsv.exe
svchost.exe
winlogon.exe
wmiprvse.exe
wscntfy.exe
wuauclt.exe

Payload

Contacts remote host

It may contact a remote host at svictrorymedia.ru using port 80. Commonly, malware may contact a remote host for the following purposes:

To report a new infection to its author
To receive configuration or other data
To download and execute arbitrary files (including updates or additional malware)
To receive instruction from a remote attacker
To upload data taken from the affected computer
This malware description was produced and published using our automated analysis system's examination of file SHA1 45e0646cd7ee88c0590d010da75a811d0b9682b5.
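The indicators in this description (the dropped file paths, the injected-process names, and the remote host and port) are the kind of thing a defender turns into a hunting check. The following script is an added example written for this page; it is not Microsoft's or malwarePDF's code. It takes the indicator values from the description verbatim, but the key=value log format, the sample log lines and all function names are constructed for the illustration and are not real telemetry.

```python
"""Hunt for the Ransom:Win32/Nymaim.A indicators listed in the description.

Added example, not code from the original page. Indicator values come from
the description; the log format, sample lines and helpers are constructed.
"""
import os
from typing import Callable, Dict, Iterable, List, Optional

# Dropped files named in the description (%windir% expanded at check time).
DROPPED_FILES = [
    r"%windir%\zkbthh.uxo",
    r"%windir%\ofvr.pnb",
    r"c:\documents and settings\administrator\application data\data.cff",
]

# Remote host and port named in the description.
C2_HOST = "svictrorymedia.ru"
C2_PORT = 80

# Processes the description lists as injection targets; a connection to the
# C2 host from one of these is consistent with the injection behaviour.
INJECTION_TARGETS = {
    "alg.exe", "csrss.exe", "explorer.exe", "reader_sl.exe", "spoolsv.exe",
    "svchost.exe", "winlogon.exe", "wmiprvse.exe", "wscntfy.exe", "wuauclt.exe",
}

# Constructed sample log lines in a simple key=value style (NOT real data).
# "host" is the reporting endpoint, "proc" the originating process,
# "dst" a proxy destination host:port, "name" a DNS query name.
SAMPLE_LOGS = [
    "2019-03-25T10:01:02Z dns query host=WS01 name=www.example.com",
    "2019-03-25T10:01:09Z proxy host=WS01 proc=svchost.exe dst=svictrorymedia.ru:80 method=GET",
    "2019-03-25T10:02:11Z proxy host=WS02 proc=chrome.exe dst=update.example.org:443 method=CONNECT",
    "2019-03-25T10:03:40Z dns query host=WS03 name=SVICTRORYMEDIA.RU",
]


def _fields(line: str) -> Dict[str, str]:
    """Split a key=value log line into a dict (constructed format)."""
    return dict(tok.split("=", 1) for tok in line.split() if "=" in tok)


def find_c2_hits(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per log line that references the C2 host.

    Matches case-insensitively on both proxy destinations (dst=host:port)
    and DNS query names (name=host). The record notes whether the port
    matches the described port 80 and whether the originating process is
    one of the listed injection targets, so an analyst can triage quickly.
    """
    hits: List[Dict[str, object]] = []
    for line in lines:
        f = _fields(line)
        dst = f.get("dst", "")
        if ":" in dst:
            dst_host, dst_port = dst.rsplit(":", 1)
        else:
            dst_host, dst_port = dst, ""
        if dst_host.lower() == C2_HOST:
            port = dst_port
        elif f.get("name", "").lower() == C2_HOST:
            port = ""  # DNS lookups carry no destination port
        else:
            continue
        proc = f.get("proc", "")
        hits.append({
            "endpoint": f.get("host", ""),
            "process": proc,
            "port": port,
            "port_matches": port == str(C2_PORT),
            "process_is_injection_target": proc.lower() in INJECTION_TARGETS,
            "line": line.strip(),
        })
    return hits


def expand_indicator_paths(env: Optional[Dict[str, str]] = None) -> List[str]:
    """Expand %windir% in the dropped-file paths.

    `env` overrides the process environment so the function can be
    exercised on a non-Windows analysis host.
    """
    source = env if env is not None else os.environ
    windir = source.get("windir", r"C:\Windows")
    return [p.replace("%windir%", windir) for p in DROPPED_FILES]


def check_dropped_files(exists: Callable[[str], bool] = os.path.exists,
                        env: Optional[Dict[str, str]] = None) -> List[str]:
    """Return the indicator paths that exist on disk.

    `exists` is injectable so the check can be tested against a fake
    filesystem instead of the real one.
    """
    return [p for p in expand_indicator_paths(env) if exists(p)]


if __name__ == "__main__":
    for hit in find_c2_hits(SAMPLE_LOGS):
        print(hit)
    print("dropped-file indicators present:", check_dropped_files())
```

Run it on a real proxy or DNS export by feeding lines into `find_c2_hits` after adapting `_fields` to that export's layout; the constructed key=value format is only there to keep the example self-contained. Note that this only finds the specific indicators the description names, so it is a confirmation check for this sample, not a generic detection for the family.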

Last update 25 March 2019
