Trojan:W32/Nitol

Classification

Malware

Trojan

W32

Trojan:W32/Nitol.A

Summary

Trojan:W32/Nitol is used to deliver an embedded component file (separately detected as Generic.Malware.Fdld.93A4F545) that checks the affected machine to see if it is running a server-related operating system; if so, the component contacts a command and control server and provides functionality to remotely download and execute other malware on the machine.

Removal

Automatic action

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

Suspect a file is incorrectly detected (a False Positive)?

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest detection database updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    NOTE If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note You need administrative rights to change the settings.

Find out more

Knowledge Base

Find the latest advice in our Community Knowledge Base.

User Guide

See the user guide for your product on the Help Center.

Contact Support

Chat with or call an expert for help.

Submit a sample

Submit a file or URL for further analysis.

Technical Details

This malware may be distributed either as a file attached to a phishing email message or may be downloaded onto a machine by other malware.

Preliminary checks

Once launched, the malware first runs a series of checks to see if the machine is suitable for infection. It first checks see if the machine has a virtual machine installed, which might indicate the machine is used for malware research; it also checks to see if a mutex with the name 'qazwsxedc' exists on the machine, which would indicate that it has already been infected with the same malware. Only if both checks pass does the malware go ahead and infect the system.

Once the checks are cleared, the malware drops a copy of itself (with the name 'system.pif') in the user's Startup folder, then creates a mutex with the name 'UACMut'. Next, it runs a component embedded in its code, which has the main payload.

Main payload

The embedded component is a UPX-compressed Portable Executable (PE) file (separately detected as Generic.Malware.Fdld.93A4F545). When this component is run, it first creates a mutex with the name 'qazwsxedc'. It then goes back to 'sleep' for another 30 minutes, an action most likely designed to avoid detection by emulators (used by anti-malware researchers when analyzing suspicious files).

When the embedded component becomes active again, it first gathers details of the infected machine (including operating system and processor information, computer name, language used and so on) and forwards these details to its remote command and control (C&C) server. The component includes functionality to download additional EXE files from the C&C server, which are saved to a %temp% folder; at the time of analysis however, the C&C server was not serving any files.

Next, the embedded component checks to see if the infected machine is running server-related operating systems, specifically Windows Server 2000, 2003 or 2008. If so, the component contacts its C&C server for further instructions. The component includes routines to allow a attacker to remotely download and execute additional malware on the affected machine.