BAT/Agent.NEM
Category | trojan, worm |
Size | 470519 B |
Detection created | Oct 16, 2009 |
Detection database version | 4515 |
Aliases | Worm.BAT.Agent.dd (Kaspersky), Ransom.TeslaCrypt (Symantec) |
Short description
BAT/Agent.NEM is a worm which tries to download other malware from the Internet. The worm may create copies of itself on removable drives.
Installation
When executed, the worm copies itself to some of the following locations:
- %installfolder%\ServiceUserUpdate.exe
- %installfolder%\UserDriveUpdate.exe
The %installfolder% is one of the following strings:
- %windir%\ServiceProfiles\User
- %appdata%\Microsoft\ServiceProfiles\User
In order to be executed on every system start, the worm sets the following Registry entry:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
- "UserDriveUpdate" = "%windir%\system32\cmd.exe /c start /b %malwarefilepath%"
The worm schedules a task that causes the following files to be executed repeatedly:
- %installfolder%\ServiceUserUpdate.exe
- %installfolder%\UserDriveUpdate.exe
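Checking a collected user profile for the Run-key persistence described above, as an added example that is not part of ESET's description: the script parses a .reg export of the HKCU Run key (the usual offline form of that key) and flags values that start a file from one of the install folders listed above through "cmd.exe /c start /b". The export is constructed for the demonstration; the expansion of %windir% to C:\Windows and of %appdata% to C:\Users\<name>\AppData\Roaming is an assumption about a default install.

```python
"""Flag HKCU Run entries matching the BAT/Agent.NEM persistence pattern (added example, not ESET's code)."""
import re

# Constructed sample of what `reg export HKCU\Software\Microsoft\Windows\CurrentVersion\Run`
# yields on an infected profile, plus one benign entry (.reg escapes \ and " with a backslash).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"UserDriveUpdate"="C:\\Windows\\system32\\cmd.exe /c start /b C:\\Windows\\ServiceProfiles\\User\\UserDriveUpdate.exe"
'''

RUN_KEY = r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# The two %installfolder% values from the description; %windir% and %appdata% are
# assumed to expand to C:\Windows and C:\Users\<name>\AppData\Roaming.
INSTALL_DIR_RE = re.compile(
    r"\\Windows\\ServiceProfiles\\User\\|\\AppData\\Roaming\\Microsoft\\ServiceProfiles\\User\\",
    re.IGNORECASE,
)
# The launch-through-cmd form quoted in the Run value above.
CMD_START_RE = re.compile(r"cmd\.exe\s+/c\s+start\s+/b\s+(.+)$", re.IGNORECASE)
KNOWN_NAMES = {"UserDriveUpdate", "ServiceUserUpdate"}


def reg_unescape(s):
    """Undo .reg string escaping (backslash-escaped backslashes and quotes)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_run_values(reg_text):
    """Return {value_name: command} for the HKCU Run key of a .reg export."""
    values, in_key = {}, False
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            in_key = line.lower() == RUN_KEY.lower()
            continue
        m = VALUE_RE.match(line) if in_key else None
        if m:
            values[reg_unescape(m.group(1))] = reg_unescape(m.group(2))
    return values


def flag_suspicious(values):
    """Return [(name, command, reasons)] for entries matching the worm's pattern."""
    hits = []
    for name, cmd in values.items():
        reasons = []
        m = CMD_START_RE.search(cmd)
        if m:
            reasons.append("launched through cmd.exe /c start /b")
        target = m.group(1) if m else cmd          # the file actually started
        if INSTALL_DIR_RE.search(target):
            reasons.append("target sits in a ServiceProfiles\\User install folder")
        if name in KNOWN_NAMES:
            reasons.append("value name used by BAT/Agent.NEM")
        if reasons:
            hits.append((name, cmd, reasons))
    return hits
```

Run flag_suspicious(parse_run_values(open("run.reg", encoding="utf-16").read())) against a real export (reg.exe writes UTF-16); the benign OneDrive entry produces no hit, while the worm's value matches on all three criteria. The scheduled task from the same section is checked the same way against the task's XML under %windir%\System32\Tasks, which this script does not cover.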
Information stealing
The worm collects the following information about the operating system and the infected computer:
- information about the operating system and system settings
- computer name
- volume serial number
- information about the infected computer
The worm attempts to send gathered information to a remote machine. The HTTP protocol is used in the communication.
Spreading on removable media
The worm searches for files and folders on removable drives.
The worm may create the following folders:
- %removabledrive%\.Trash-1000\info
- %removabledrive%\.Trash-1000\files
The worm attempts to replace the following files with a copy of itself:
- %removabledrive%\*.exe
- %removabledrive%\disk.inf
- %removabledrive%\ntuser.ini
- %removabledrive%\.Trash-1000\info\disk.trashinfo
The worm creates the following files:
- %removabledrive%\System Volume Information.lnk
The file is a shortcut to a malicious file.
The worm searches removable drives for files with the following file extensions:
- .doc
- .txt
- .jpg
- .rar
- .wav
- .lnk
When the worm finds a file matching the search criteria, it overwrites the file's content and changes its extension to:
- .lnk
The resulting file is a shortcut to a malicious file.
The worm creates copies of the following files (source, destination):
- %foundfile%, %removabledrive%\.Trash-1000\files\FILE%randomnumber%.%foundfileextension%
A string with variable content is used instead of %randomnumber%.
The original file is hidden and a malicious shortcut is created in its place.
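Triaging a removable drive for the artefacts described in this section, as an added example that is not part of ESET's description: the script inspects the drive root for the marker files and shortcut decoys listed above, flags root-level .exe files that are byte-identical (the worm replaces them all with copies of itself, so they share one hash), and copies the hidden originals out of %removabledrive%\.Trash-1000\files into a recovery folder without ever opening a .lnk decoy. The drive layout is constructed in a temporary directory so the script runs offline; the file contents in it are placeholders, not real samples.

```python
"""Triage a removable drive for BAT/Agent.NEM spreading artefacts (added example, not ESET's code)."""
import hashlib
import os
import re
import shutil
import tempfile

TRASH = ".Trash-1000"
ROOT_MARKERS = {"disk.inf", "ntuser.ini", "System Volume Information.lnk"}
HIDDEN_COPY_RE = re.compile(r"^FILE\d+\.[^.]+$", re.IGNORECASE)   # FILE%randomnumber%.%ext%
# Shell Link header: HeaderSize 0x0000004C followed by the ShellLink CLSID
# {00021401-0000-0000-C000-000000000046} in on-disk byte order.
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")


def is_shell_link(path):
    """True if the file carries a genuine .lnk header, i.e. a real shortcut decoy."""
    with open(path, "rb") as f:
        return f.read(len(LNK_MAGIC)) == LNK_MAGIC


def identical_root_exes(root):
    """Groups of root-level .exe files with one SHA-256: all overwritten with the same body."""
    by_hash = {}
    for name in os.listdir(root):
        p = os.path.join(root, name)
        if name.lower().endswith(".exe") and os.path.isfile(p):
            with open(p, "rb") as f:
                by_hash.setdefault(hashlib.sha256(f.read()).hexdigest(), []).append(name)
    return [sorted(names) for names in by_hash.values() if len(names) > 1]


def triage_drive(root):
    """Return the indicators found on the drive rooted at `root` (a mount point such as E:\\)."""
    found = {"root_markers": [], "decoy_links": [], "hidden_copies": [],
             "trashinfo": False, "cloned_exes": identical_root_exes(root)}
    for name in sorted(os.listdir(root)):
        p = os.path.join(root, name)
        if not os.path.isfile(p):
            continue
        if name in ROOT_MARKERS:
            found["root_markers"].append(name)
        if name.lower().endswith(".lnk") and is_shell_link(p):
            found["decoy_links"].append(name)
    files_dir = os.path.join(root, TRASH, "files")
    if os.path.isdir(files_dir):
        found["hidden_copies"] = sorted(n for n in os.listdir(files_dir) if HIDDEN_COPY_RE.match(n))
    found["trashinfo"] = os.path.isfile(os.path.join(root, TRASH, "info", "disk.trashinfo"))
    return found


def verdict(found):
    """A .Trash-1000 folder alone is normal on a drive used from a Linux desktop; only
    together with root markers, shortcut decoys or cloned .exe files does it indicate the worm."""
    worm_side = found["root_markers"] or found["decoy_links"] or found["cloned_exes"]
    return bool(worm_side) and (bool(found["hidden_copies"]) or found["trashinfo"])


def recover_hidden_copies(root, dest):
    """Copy FILE<n>.<ext> originals from .Trash-1000\\files into `dest`; the decoys are never opened."""
    files_dir = os.path.join(root, TRASH, "files")
    os.makedirs(dest, exist_ok=True)
    recovered = []
    if os.path.isdir(files_dir):
        for name in os.listdir(files_dir):
            if HIDDEN_COPY_RE.match(name):
                shutil.copy2(os.path.join(files_dir, name), os.path.join(dest, name))
                recovered.append(name)
    return sorted(recovered)


def build_sample_drive():
    """Constructed layout of an infected drive (placeholders, not a real capture); returns its path."""
    root = tempfile.mkdtemp(prefix="usb_")
    os.makedirs(os.path.join(root, TRASH, "info"))
    os.makedirs(os.path.join(root, TRASH, "files"))
    worm_body = b"MZ placeholder worm body"  # stands in for the worm's executable
    contents = {
        os.path.join(TRASH, "info", "disk.trashinfo"): worm_body,
        os.path.join(TRASH, "files", "FILE48213.doc"): b"the user's original report",
        "disk.inf": worm_body,
        "ntuser.ini": worm_body,
        "System Volume Information.lnk": LNK_MAGIC + b"\x00" * 16,
        "report.lnk": LNK_MAGIC + b"\x00" * 16,  # decoy that replaced report.doc
        "setup.exe": worm_body,                  # two .exe files overwritten with the worm
        "installer.exe": worm_body,
        "tool.exe": b"MZ untouched tool",
        "notes.lnk": b"not a shell link",        # renamed junk without a .lnk header
    }
    for rel, data in contents.items():
        with open(os.path.join(root, rel), "wb") as f:
            f.write(data)
    return root
```

Usage: drive = build_sample_drive(); found = triage_drive(drive); verdict(found) is True and recover_hidden_copies(drive, drive + "_recovered") returns the single hidden original. On a real drive, note that "System Volume Information" is a legitimate folder at the root of NTFS volumes; only the .lnk file of that name is the worm's decoy, which is why the script checks for a genuine shell-link header instead of trusting the extension.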
Other information
The worm contains a URL address and tries to download a file from it.
The file is stored into the following folder:
- %currentfolder%
One of the following filenames is used:
- Micro.exe
- Excel.exe
The file is then executed.
The worm may display a dialog box with the title:
- Exception 0xc0000005 EXCEPTION_ACCESS_VIOLATION
The dialog box contains the following text:
- Ошибка при инициализации приложения (0xc0000005). Повторить попытку открытия файла? (Russian; in English: "Error while initializing the application (0xc0000005). Retry opening the file?")