Troj/Nyrubot-A is a backdoor Trojan. When run the Trojan copies itself to msgsrv32.exe in the Windows folder and ensure that the copy is run each time Windows starts by adding the following registry entry:
= <Windows folder>\msgsrv32.exe.
Troj/Nyrubot-A also sets the following registry entries :
HKCU\Software\Microsoft\Windows\CurrentVersion\from = firstname.lastname@example.org
HKCU\Software\Microsoft\Windows\CurrentVersion\rcpt = email@example.com
HKCU\Software\Microsoft\Windows\CurrentVersion\smtp = data2.centrum.cz
HKCU\Software\Microsoft\Windows\CurrentVersion\tuin = 272324532
HKCU\Software\Microsoft\Windows\CurrentVersion\time_last_msg = <number>
The Trojan allows a remote attacker to control an affected computer via IRC.
One method by which this Trojan is distributed is as follows. An email in HTML format is sent. The email attempts to link to a remote website and run a script downloaded from the website. The script creates and runs the file C:\baal.exe. Baal.exe downloads an runs the Trojan from a second website. Troj/Nyrubot-A deletes C:\baal.exe.
Meet the drop-resistant Moto Z2 Force
The Moto Z2 Force is really thin, with a fast processor and great battery life. It can survive drops without shattering.