Aliases: Trojan-Downloader.Win32.Small.wen
Variants: W32/Niya-D, W32/Niya-C

Classification: Malware
Category: Computer Virus

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 22 Sep 2004
Damage: Low

Characteristics: W32.Niya is a virus that attacks all “.exe” files whose file paths do not contain “system3”. It infects only machines running the Windows XP operating system. Reports say its infection routine contains many bugs, so infection is not always successful. It was intended to damage the Windows platform. It can also access the Internet and communicate with a remote server via HTTP, and it has been known to steal private or confidential files or data from the compromised computer.

More details about W32.Niya

Confidential email messages, usernames and passwords can also be sold on the Internet, and this information may end up on the black market. Like many other worms, it also copies itself to removable media by adding the following files to Windows system directory folders: “cftmon.exe”, “spools.exe”, “ftp34.dll” and “ftp34.dll”. Reports also show that the virus may generate a system thread to display CMOS and hard disks. A “ZwCreateFile” file will also be present on the computer if it is already infected. Once executed, the worm will spread and start its routine. The code still contains bugs, and the virus may fail to infect. It is said that a marker for the infection will be added to the file. This will either infect the file or corrupt it once executed.
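The file names and the “system3” path rule described above can be turned into a quick triage pass; the following is an added example, not code from any vendor's removal tool, and the function names and the sample tree are constructed for illustration. A name match alone is a weak indicator, so each result carries a SHA-256 for comparison against a known-good baseline.

```python
import hashlib
import os
import tempfile

# File names the entry lists as dropped into the Windows system directory.
DROPPED_NAMES = {"cftmon.exe", "spools.exe", "ftp34.dll"}
# Per the entry, .exe files whose path contains this string are not attacked.
EXCLUDED_PATH_PART = "system3"


def sha256_of(path):
    """Hash a file in chunks so large binaries are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def triage(root):
    """Return (dropped, exposed) lists of (path, sha256) found under root."""
    dropped, exposed = [], []
    for folder, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(folder, name)
            if name.lower() in DROPPED_NAMES:
                # Named like a dropped file (case-insensitive match).
                dropped.append((path, sha256_of(path)))
            elif name.lower().endswith(".exe") and EXCLUDED_PATH_PART not in path.lower():
                # Executable outside the excluded paths: check against a baseline.
                exposed.append((path, sha256_of(path)))
    return sorted(dropped), sorted(exposed)


def build_sample_tree(root):
    """Constructed sample tree; file contents are placeholder bytes."""
    for rel in ("system32/CFTMON.EXE", "system32/notepad.exe",
                "Program Files/app/tool.exe", "Program Files/app/readme.txt"):
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as handle:
            handle.write(b"constructed sample: " + rel.encode())


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        for label, rows in zip(("dropped-name match", "verify against baseline"), triage(tmp)):
            for path, digest in rows:
                print(label, path, digest)
```

On a real host, point `triage` at a mounted offline image of the system volume rather than the constructed tree.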

Reports claim that the W32.Niya program usually launches a concealed Internet Explorer (IE) window so that it can listen on an open port for the hacker’s remote commands. The same open port is also used by the user to control the affected computer. The application provides the hacker with network and system information such as cached network passwords and login names. It also installs an FTP server that enables the intruder to use the infected computer as a storage device.