Sunday, October 15, 2006

Troj/Nebuler-K

By Sophos:

Troj/Nebuler-K is a Trojan for the Windows platform.

Troj/Nebuler-K gathers details relating to dialup services and sends collected information to a remote site via HTTP. The Trojan may inject code into other processes in an attempt to remain hidden.

When Troj/Nebuler-K is installed, the following files are created:

\win32.dll

Where are random letters.

The following registry entries are created to run code exported by win32.dll on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win32
DllName
win32.dll

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win32
Impersonate
0

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win32
Startup
EvtStartup

Registry entries are created under:

HKCR\MezziaCodec.Chl\CLSID\
HKLM\SOFTWARE\Microsoft\MSSMGR\

Sophos Anti-Virus protection has been available since: 15 October 2006 14:16:45 (GMT)
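
An added example, not part of the Sophos description or of any Sophos tool: a Python check that looks for the registry entries listed above in the text of a registry export (.reg format). The sample export, the `qjxk` file-name prefix and the `examplenotify` entry are constructed for illustration, and the function names are this example's own.

```python
import re

# Key paths from the advisory, lowercased (registry key names are case-insensitive).
NOTIFY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon\notify"
RELATED_KEYS = (r"hkey_classes_root\mezziacodec.chl\clsid",
                r"hkey_local_machine\software\microsoft\mssmgr")

def parse_reg(text):
    """Parse .reg export text into {lowercased key path: {value name: data}}.
    Real regedit 5.00 exports are UTF-16; decode the file before calling this."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("dword:"):
                current[name] = int(data[6:], 16)
            else:
                current[name] = data.strip('"').replace("\\\\", "\\")
    return keys

def nebuler_k_indicators(keys):
    """Return findings that match the registry entries named in the advisory."""
    findings = []
    for path, values in keys.items():
        if path.startswith(NOTIFY + "\\"):
            dll = str(values.get("dllname", "")).lower()
            if (dll.endswith("win32.dll") and values.get("startup") == "EvtStartup"
                    and values.get("impersonate") == 0):
                findings.append(("winlogon-notify", path.rsplit("\\", 1)[1], dll))
        if any(path == k or path.startswith(k + "\\") for k in RELATED_KEYS):
            findings.append(("related-key", path, ""))
    return findings

# Constructed sample export: one unrelated Notify entry, one matching the advisory.
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\examplenotify]
"DllName"="example.dll"
"Startup"="ExampleStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\win32]
"DllName"="qjxkwin32.dll"
"Impersonate"=dword:00000000
"Startup"="EvtStartup"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\MSSMGR]
'''
```

A match on the Notify entry alone is the stronger signal, since it combines the subkey's DllName, Impersonate and Startup values; the two related keys are reported separately so they can be reviewed on their own.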
