Trojan-Downloader.JS.Agent.nwg

by alexander.adamov on May 7th, 2012 in Malware Descriptions.

Platform: Win32
Type: Trojan
Size: 15204
Language: JavaScript

Summary

The Trojan downloads other malicious programs. Trojan-Downloader.JS.Agent.nwg is a JavaScript Trojan that may be embedded in HTML code.

Technical Details

Payload

When an infected web page is opened in MS Internet Explorer, the Trojan decrypts its obfuscated body using JavaScript and downloads a file from the following URL using the ActiveX object "Microsoft.XMLHTTP":

http://91.***.162.99/sd.exe

The URL did not respond when the description was created.

Using the ActiveX object "ADODB.Stream", the Trojan then saves the downloaded file to the current user’s Windows folder "AppData" with the following name:

%AppData%\NKiKuC9Sb.exe

After saving, the Trojan launches the downloaded file and stops running.
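
The write-then-launch sequence described above can be hunted for in endpoint telemetry. The following Python code is an added example, not part of the original description: it assumes simplified events modeled on Sysmon file-creation (ID 11) and process-creation (ID 1) records, assumes both actions are attributed to iexplore.exe, and uses a constructed user profile path.

```python
import ntpath

# Constructed sample events (simplified Sysmon-style fields).
# Only the file name NKiKuC9Sb.exe comes from the description; the rest is made up.
DROPPED = r"C:\Users\alice\AppData\Roaming\NKiKuC9Sb.exe"
IE = r"C:\Program Files\Internet Explorer\iexplore.exe"
EVENTS = [
    {"id": 11, "Image": IE,
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\page.htm"},
    {"id": 11, "Image": IE, "TargetFilename": DROPPED},
    {"id": 1, "Image": r"C:\Windows\System32\notepad.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"id": 1, "Image": DROPPED, "ParentImage": IE},
]

BROWSERS = {"iexplore.exe"}  # assumption: the script runs inside the IE process


def base(path):
    """Lower-cased file name of a Windows path (works on any host OS)."""
    return ntpath.basename(path).lower()


def in_appdata(path):
    """True if any directory component of the path is 'AppData'."""
    return "appdata" in [p.lower() for p in path.split("\\")]


def find_drop_and_run(events):
    """Return executables a browser wrote under AppData and later launched."""
    written = set()  # .exe paths created by a browser under AppData
    hits = []
    for ev in events:  # events are assumed to be in time order
        if ev["id"] == 11 and base(ev["Image"]) in BROWSERS:
            target = ev["TargetFilename"]
            if target.lower().endswith(".exe") and in_appdata(target):
                written.add(target.lower())
        elif ev["id"] == 1 and base(ev["ParentImage"]) in BROWSERS:
            if ev["Image"].lower() in written:
                hits.append(ev["Image"])
    return hits


if __name__ == "__main__":
    for path in find_drop_and_run(EVENTS):
        print("browser dropped and launched:", path)
```

Because the rule keys on behaviour rather than on the file name, it also matches a variant that saves its download under a different name.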

Removal Recommendations

  1. Delete the original Trojan file (its file name and location depend on the way the Trojan originally penetrated a user’s computer).
  2. Delete the following file:

     %AppData%\NKiKuC9Sb.exe

  3. Clean the Temporary Internet Files folder, which contains infected files (How to clean Temporary Internet Files folder).
  4. Run a full scan of your computer using the Antivirus program with the updated definition database (Download Ad-Aware Free).