Trojan:W32/Nitol is used to deliver an embedded component file (separately detected as Generic.Malware.Fdld.93A4F545) that checks the affected machine to see if it is running a server-related operating system; if so, the component contacts a command and control server and provides functionality to remotely download and execute other malware on the machine.


Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

This malware may be distributed either as a file attached to a phishing email message or may be downloaded onto a machine by other malware.

Preliminary checks

Once launched, the malware first runs a series of checks to see if the machine is suitable for infection. It first checks see if the machine has a virtual machine installed, which might indicate the machine is used for malware research; it also checks to see if a mutex with the name 'qazwsxedc' exists on the machine, which would indicate that it has already been infected with the same malware. Only if both checks pass does the malware go ahead and infect the system.

Once the checks are cleared, the malware drops a copy of itself (with the name 'system.pif') in the user's Startup folder, then creates a mutex with the name 'UACMut'. Next, it runs a component embedded in its code, which has the main payload.

Main payload

The embedded component is a UPX-compressed Portable Executable (PE) file (separately detected as Generic.Malware.Fdld.93A4F545). When this component is run, it first creates a mutex with the name 'qazwsxedc'. It then goes back to 'sleep' for another 30 minutes, an action most likely designed to avoid detection by emulators (used by anti-malware researchers when analyzing suspicious files).

When the embedded component becomes active again, it first gathers details of the infected machine (including operating system and processor information, computer name, language used and so on) and forwards these details to its remote command and control (C&C) server. The component includes functionality to download additional EXE files from the C&C server, which are saved to a %temp% folder; at the time of analysis however, the C&C server was not serving any files.

Next, the embedded component checks to see if the infected machine is running server-related operating systems, specifically Windows Server 2000, 2003 or 2008. If so, the component contacts its C&C server for further instructions. The component includes routines to allow a attacker to remotely download and execute additional malware on the affected machine.

Date Created: -

Date Last Modified: -