Trojan.Win32.Nymaim

Detect Date: 06/03/2016
Class: Trojan
Platform: Win32
Description

The earliest versions of malware in this family were loaders. They downloaded country-specific programs onto the victim computer that were intended to block its use. Other versions of Trojan.Win32.Nymaim malware were found later.

The newer variants incorporate Gozi, a Trojan used to steal online banking information from user computers.

Features of this malware family include:

  • Strong obfuscation of malicious code
  • RC4 traffic encryption with garbage data added for masking purposes
  • DNS spoofing
  • [some variants] Use of a Domain Generation Algorithm (DGA) to hide the IP address of the cyberattacker’s server

Geographical distribution of attacks by the Trojan.Win32.Nymaim family

Geographical distribution of attacks during the period from 03 June 2015 to 03 June 2016

Top 10 countries with most attacked users (% of total attacks)

Rank  Country         % of users attacked worldwide*
1     Germany         97.38
2     USA             0.46
3     Poland          0.35
4     Austria         0.26
5     China           0.21
6     Switzerland     0.21
7     France          0.12
8     Italy           0.10
9     United Kingdom  0.10
10    Netherlands     0.08

* Percentage among all unique Kaspersky Lab users worldwide who were attacked by this malware