Threat behavior
Trojan:Win32/Netvat.A is a trojan component that downloads configuration data and executes other malware identified as Trojan:Win32/Netvat.A!dll.
Installation
When run, Trojan:Win32/Netvat.A drops a copy of itself as the following:
The trojan also drops a component as the file "%windir%\system32\svcnet32.dll", which is detected as Trojan:Win32/Netvat.A!dll. The registry is modified to run the dropped malware component "svcnet32.dll" as a service.
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost
Sets value: "Avt-Net"
To data: "avt-net"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Avt-Net
Sets value: "ImagePath"
To data: "%SystemRoot%\system32\svchost -k Avt-Net"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Avt-Net\Parameters
Sets value: "ServiceDll"
To data: "%SystemRoot%\system32\svcnet32.dll"
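A read-only host check for the registry values and dropped file listed above, as an added example that is not part of the original write-up. The function names are hypothetical, and step 3 goes beyond the listed key by matching the ServiceDll file name under any service name.

```powershell
# Added example: read-only check for the persistence indicators in this write-up.
$svcName  = 'Avt-Net'        # service and svchost group name, from the write-up
$dllName  = 'svcnet32.dll'   # dropped component, from the write-up
$svchost  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Svchost'
$services = 'HKLM:\SYSTEM\CurrentControlSet\Services'

function Get-RegValue {      # hypothetical helper name
    param([string]$Path, [string]$Name)
    # Returns $null when the key or value is absent instead of raising an error.
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

function Test-NetvatPersistence {   # hypothetical function name
    $findings = @()

    # 1. svchost group value (may be REG_SZ or REG_MULTI_SZ, so wrap it in an array)
    $group = @(Get-RegValue -Path $svchost -Name $svcName)
    if ($group -contains $svcName) { $findings += "Svchost group '$svcName' is registered" }

    # 2. Service ImagePath that launches svchost with that group
    $image = Get-RegValue -Path "$services\$svcName" -Name 'ImagePath'
    if ($image -match "svchost(\.exe)?\s+-k\s+$([regex]::Escape($svcName))") {
        $findings += "Service ImagePath: $image"
    }

    # 3. ServiceDll naming the dropped DLL under any service (generalised check)
    foreach ($key in Get-ChildItem -LiteralPath $services -ErrorAction SilentlyContinue) {
        $dll = Get-RegValue -Path "$services\$($key.PSChildName)\Parameters" -Name 'ServiceDll'
        if ($dll -and (("$dll" -split '\\')[-1] -ieq $dllName)) {
            $findings += "ServiceDll under $($key.PSChildName): $dll"
        }
    }

    # 4. The dropped file itself
    $file = Join-Path $env:windir "system32\$dllName"
    if (Test-Path -LiteralPath $file) { $findings += "File present: $file" }

    $findings
}

$hits = @(Test-NetvatPersistence)
if ($hits.Count) { $hits } else { 'No Netvat.A persistence indicators found' }
```

Run it from an elevated PowerShell session so that every service key is readable.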
Analysis by Marianne Mallen
Prevention