We recently came across an interesting threat that we detect as TrojanDownloader:Win32/Nemim.gen!A.
This particular malware is a trojan downloader, and it is capable of deleting its downloaded component files in a way that makes them essentially unrecoverable. This prevents the files from being isolated and analysed. Thus, during analysis of the downloader, we may not easily find any downloaded component files on the system; even when using file recovery tools, we may see somewhat suspicious deleted file names, but we may be unable to recover the correct content of the files.
Most URLs that this trojan attempts to connect to for downloading are currently unavailable, but we got lucky and were able to find some of its components to investigate further.
Below are the component files that we found this malware downloads and executes, the ones that will eventually be deleted by the malware itself:
- Virus:Win32/Nemim.gen!A – This is a file infector that attempts to infect executable files on removable drives. Infected files are detected, and subsequently cured, as Virus:Win32/Nemim.A. It appends its code to the host file, but the infected file will not infect other files; rather, it will only drop and execute the malware TrojanDownloader:Win32/Nemim.gen!A.
- PWS:Win32/Nemim.A – This malware is a password stealer that attempts to steal account credentials from the following:
  - Email accounts (SMTP, POP3, HTTP mail, IMAP) that were set up on the system
  - Windows Messenger/Live Messenger
  - Gmail Notifier
  - Google Desktop
  - Google Talk
As you may know, most downloaders are just a medium to deliver the main malware, after which they are no longer needed on the system; this downloader is a bit different in that it is both the medium and the main component.
Sometimes, when we don’t have any evidence of what an individual downloader retrieves, we cannot be sure what the result of infection will be. Occasionally we can’t replicate the downloader’s behaviour if the URLs are unavailable, so it can be difficult to know how to mitigate the threat. In the case of this downloader, however, we’ve observed it downloading a password stealer. As such, if you’re infected with TrojanDownloader:Win32/Nemim.gen!A, we recommend you change all account passwords after you’ve cleaned your system, as it’s likely you’ve also encountered PWS:Win32/Nemim.A.
We also recommend, as always, keeping your security products updated with the latest definitions to avoid infection. A complete antivirus solution such as Microsoft Security Essentials detects and removes all the threats mentioned in this blog.
Jonathan San Jose
MMPC Melbourne