Threat Descriptions

Nilage.AUT

Classification

Category :

Malware

Type :

Trojan

Platform :

W32

Aliases :

Trojan-PSW.Win32.Nilage.aut, Trj/Lineage.BLQ, TSPY_NILAGE.AUT

Summary

Nilage.AUT, a variant of Nilage, is a Trojan. Nilage.AUT drops and loads a password stealing component on an infected system and steals sensitive information from an infected computer. Nilage.AUT attempts to download and install other malware to the system.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Once Nilage.AUT has been executed it will drop the following file:

  • %windir%\winpsfisle.dll

It will register its DLL component as a Browser Helper Object (BHO) so that every time Internet Explorer is loaded, Nilage.AUT is also loaded:

  • HKLM\SOFTWARE\Classes\CLSID\{267709FD-A691-43B0-BF38-0DF6887A9B44}\InProcServer32@ = "%windir%\winpsfisle.dll"

Everytime the DLL component is executed, it will drop and execute its .EXE component in the following path and filename:

  • %sysdir%\ExesFisle.exe

Payload

The main payload of Nilage.AUT is to steal information regarding Online games such as Lineage and Maple Story. Both are popular in Korea.

Nilage.AUT includes keylogging functionality.

Nilage.AUT steals information with regards to the following details:

Class Names

  • Internet Explorer_Server
  • Lineage
  • Lineage Windows Client
  • MapleStory
  • MapleStoryClass

Running Process Names

  • Angel.dat
  • Game.exe
  • IEXPLORE.EXE
  • Lineage
  • Lineage.exe
  • MapleStory.exe
  • NineDragons.EXE

Visited URL:

  • http://club.pchome.com.tw/
  • http://tw.gamania.com
  • http://tw.gamania.com/
  • http://tw.gamania.com/GHOME/Home_Center.ASP
  • http://tw.gamania.com/default.asp?user_locate=
  • http://tw.gashcard.gamania.com
  • http://tw.gashcard.gamania.com/
  • http://tw.gashcard.gamania.com/index.asp
  • http://tw.gashcard.gamania.com/space.htm
  • http://tw.login.yahoo.com/cgi-bin/login.cgi?srv=club
  • http://www.gamebase.com.tw/memberLogin.html
  • https://tw.gash.gamania.com
  • https://tw.gash.gamania.com/
  • https://tw.gash.gamania.com/Blank.aspx
  • https://tw.gash.gamania.com/GASHLogin.aspx
  • https://tw.gash.gamania.com/UpdateServiceAccountPassword.aspx?ServiceCode=600035
  • https://tw.goodlock.gamania.com
  • https://tw.goodlock.gamania.com/
  • https://tw.goodlock.gamania.com/GamaGoodLock.aspx
  • https://tw.goodlock.gamania.com/Index.aspx
  • https://tw.goodlock.gamania.com/ShowNew.aspx
  • https://tw.goodlock.gamania.com/index.aspx
  • https://user.gamer.com.tw/login.php

The gathered information including username and passwords are stored in this hard coded path and filename:

  • c:\6in1game.txt

Gathered information is sent to the hacker by posting the file to the following links:

  • http://www.y8ne.com/mail/upfilets.asp
  • http://www.y8ne.com/mail/upfile.asp

It also gathers data from these links for it malicious acts:

  • http://www.xxxxx.com/xiaozi/sendmailqimo.asp?tomail=163@163.com&mailbody=
  • http://www.y8ne.com/mail/1114.do?id=ad001&mailbody=

Asside from being a password stealer, Nilage.AUT is also a downloader. It downloads and executes other malware from the following link:

  • http://www.hackrmb.com/6an[REMOVED].exe

And saves the download to the following path name filename:

  • %windir%\java\classes\spoolsys.exe

To ensure that an error will not occur, it will delete the existing file before downloading the new file.

Note: As of this writing the link above is no longer available.

Nilage.AUT does not fully support all operating system:

  • Windows 2000 - Fully executes
  • Windows 9x - Executes, but with some errors
  • Windows XP - Does not execute properly

Nilage.AUT is coded using Borland Delphi.