Threat description




Trojan:W32/Nitol is used to deliver an embedded component file (separately detected as Generic.Malware.Fdld.93A4F545) that checks the affected machine to see if it is running a server-related operating system; if so, the component contacts a command and control server and provides functionality to remotely download and execute other malware on the machine.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.

More scanning & removal options

More information on the scanning and removal options available in your F-Secure product can be found in the Help Center.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

This malware may be distributed either as a file attached to a phishing e-mail message or may be downloaded onto a machine by other malware.

Preliminary checks

Once launched, the malware first runs a series of checks to see if the machine is suitable for infection. It first checks see if the machine has a virtual machine installed, which might indicate the machine is used for malware research; it also checks to see if a mutex with the name 'qazwsxedc' exists on the machine, which would indicate that it has already been infected with the same malware. Only if both checks pass does the malware go ahead and infect the system.

Once the checks are cleared, the malware drops a copy of itself (with the name 'system.pif') in the user's Startup folder, then creates a mutex with the name 'UACMut'. Next, it runs a component embedded in its code, which has the main payload.

Main payload

The embedded component is a UPX-compressed Portable Executable (PE) file (separately detected as Generic.Malware.Fdld.93A4F545). When this component is run, it first creates a mutex with the name 'qazwsxedc'. It then goes back to 'sleep' for another 30 minutes, an action most likely designed to avoid detection by emulators (used by anti-malware researchers when analyzing suspicious files).

When the embedded component becomes active again, it first gathers details of the infected machine (including operating system and processor information, computer name, language used and so on) and forwards these details to its remote command and control (C&C) server. The component includes functionality to download additional EXE files from the C&C server, which are saved to a %temp% folder; at the time of analysis however, the C&C server was not serving any files.

Next, the embedded component checks to see if the infected machine is running server-related operating systems, specifically Windows Server 2000, 2003 or 2008. If so, the component contacts its C&C server for further instructions. The component includes routines to allow a attacker to remotely download and execute additional malware on the affected machine.

Submit a Sample

Suspect a file or URL was wrongly detected? Send it to our Labs for further analysis

Submit a Sample

Scan & Clean Your PC

F-Secure Online Scanner will scan and clean your PC in just a few minutes for free

More Info