Troj/Nopride-A

Category: Viruses and Spyware
Protection available since: 25 Oct 2006 00:00:00 (GMT)
Type: Trojan
Last Updated: 25 Oct 2006 00:00:00 (GMT)
Prevalence: Small Number of Reports


Troj/Nopride-A is a backdoor Trojan for the Windows platform.

When first run, Troj/Nopride-A copies itself to:

<Desktop>\<username> log.exe
<User>\My Documents\<username>.exe
<Favorites>\dfinstall.exe
<Startup>\AdobeGammaLog.exe
\ego.exe
<Windows folder>\Services.exe
<Windows folder>\system32.exe

and creates the file <CurrentFolder>\ego.txt. This is a text file, and may safely be deleted.

Troj/Nopride-A also overwrites the following files, affecting system startup:

\autoexec.bat
\boot.ini
<Windows folder>\desktop.ini

The following registry entries are created to run Troj/Nopride-A on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
EGO31/08/2053
<Favorites>\dfinstall.exe

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<Windows folder>\Services.exe
StubPath
<pathname of the Trojan executable>

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<Windows folder>\system32.exe
StubPath
<pathname of the Trojan executable>

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\<Windows system folder>\Svchost.exe
StubPath
<pathname of the Trojan executable>

HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\(F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999)
StubPath
<Windows folder>\System32.exe

Troj/Nopride-A changes settings for Microsoft Internet Explorer, including the Start Page, by modifying values under:

HKCU\Software\Microsoft\Internet Explorer\Main\
HKCU\Software\Microsoft\Internet Explorer\Main\Start Page

The following registry entry is set, disabling the registry editor (regedit):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The following registry entries are also set, restricting the Explorer shell, Control Panel and Display settings, altering the registered owner and organisation strings, and changing Explorer's file-visibility and AutoRun options:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoRun
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDesktop
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoClose
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispSettingsPage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispBackgroundPage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispScrSavPage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispAppearancePage
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
NoDispCpl
1

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
RegisteredOrganization
You See Bee Corporation

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOrganization
You See Bee Corporation

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
RegisteredOwner
Black_Plankton

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion
RegisteredOwner
Black_Plankton

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden
0

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoDriveTypeAutoRun
1
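The file drops, Run value, Active Setup StubPath entries and policy values listed above can be swept for with a read-only PowerShell check. The script below is an added example, not part of the Sophos description: it assumes Windows PowerShell 5.1 or later, an elevated prompt opened in the affected user's session (so that HKLM and the correct HKCU hive are both visible), and that the <Desktop>, <User>\My Documents, <Favorites>, <Startup> and <Windows folder> placeholders map to the current user's shell folders and $env:windir. It reports indicators and modifies nothing.

```powershell
# Added example (not Sophos code): read-only sweep for the Troj/Nopride-A indicators
# in the description above. Run elevated, in the affected user's session.
$findings = [System.Collections.Generic.List[string]]::new()
$user = $env:USERNAME
$win  = $env:windir   # assumption: <Windows folder> == $env:windir

# 1. Dropped copies. <...> placeholders resolved for the current user (assumption).
$dropped = @(
    (Join-Path ([Environment]::GetFolderPath('Desktop'))     "$user log.exe"),
    (Join-Path ([Environment]::GetFolderPath('MyDocuments')) "$user.exe"),
    (Join-Path ([Environment]::GetFolderPath('Favorites'))   'dfinstall.exe'),
    (Join-Path ([Environment]::GetFolderPath('Startup'))     'AdobeGammaLog.exe'),
    (Join-Path $env:SystemDrive 'ego.exe'),
    (Join-Path $win 'Services.exe'),   # the genuine services.exe lives in System32, not the Windows folder
    (Join-Path $win 'system32.exe')    # an .exe named system32 beside the System32 folder is not a Windows component
)
foreach ($path in $dropped) {
    if (Test-Path -LiteralPath $path -PathType Leaf) { $findings.Add("dropped file: $path") }
}

# 2. Run key: the value *name* EGO31/08/2053 identifies this family, whatever the data is.
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['EGO31/08/2053']) {
    $findings.Add("Run value EGO31/08/2053 -> $($run.'EGO31/08/2053')")
}

# 3. Active Setup. StubPath runs once per user at logon. Because backslashes separate
#    registry keys, a key "written" as <Windows folder>\Services.exe appears as nested
#    subkeys ending in Services.exe, so walk Installed Components recursively and flag
#    (a) keys whose leaf name is one of the dropped file names, (b) the bogus component
#    key, and (c) any StubPath that launches one of the dropped file names.
$dropNames = @('Services.exe', 'system32.exe', 'Svchost.exe', 'dfinstall.exe', 'ego.exe', 'AdobeGammaLog.exe')
$asRoot = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
Get-ChildItem -Path $asRoot -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
    if ($dropNames -contains $_.PSChildName -or $_.PSChildName -eq '(F146C9B1-VMVQ-A9RC-NUFL-D0BA00B4E999)') {
        $findings.Add("Active Setup component key: $($_.Name)")
    }
    $stub = $_.GetValue('StubPath')
    # Pull the executable name out of the StubPath (quotes and arguments tolerated).
    if ($stub -and $stub -match '\\([^\\"]+\.exe)' -and $dropNames -contains $Matches[1]) {
        $findings.Add("Active Setup StubPath '$stub' under $($_.Name)")
    }
}

# 4. Policy values the Trojan sets to 1. These can also be set legitimately by Group
#    Policy, so a hit here is corroborating evidence, not proof on its own.
$policies = @{
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'   = @('DisableRegistryTools', 'NoDispSettingsPage',
        'NoDispBackgroundPage', 'NoDispScrSavPage', 'NoDispAppearancePage', 'NoDispCpl')
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer' = @('NoRun', 'NoDesktop', 'NoClose', 'NoFolderOptions')
}
foreach ($key in $policies.Keys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($name in $policies[$key]) {
        if ($props.PSObject.Properties[$name] -and $props.$name -eq 1) { $findings.Add("policy $name = 1 under $key") }
    }
}

# 5. Registered owner / organisation strings rewritten by the Trojan.
foreach ($key in 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion', 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion') {
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($p -and ($p.RegisteredOwner -eq 'Black_Plankton' -or $p.RegisteredOrganization -eq 'You See Bee Corporation')) {
        $findings.Add("tampered RegisteredOwner/RegisteredOrganization under $key")
    }
}

if ($findings.Count -eq 0) { 'No Troj/Nopride-A indicators found.' }
else { $findings | ForEach-Object { "[!] $_" } }
```

Two practical points: DisableRegistryTools blocks regedit.exe only, so the PowerShell registry provider used here keeps working on a machine where the Trojan has locked the user out of the registry editor; and the overwritten \autoexec.bat, \boot.ini and <Windows folder>\desktop.ini cannot be judged by this sweep, so compare them against a known-good copy from an uninfected build before rebooting.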

Troj/Nopride-A may attempt to terminate processes with the following names:

avgemc.exe
avgupsvc.exe
avgamsvr.exe
avgcc.exe
