From here:
Trojan.Naid is a Trojan horse that opens a back door on the compromised computer.
When the Trojan is executed, it creates the following files:
%UserProfile%\AppMgmt.dll
%Windir%\Temp\uid.ax
The Trojan creates the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\"Start" = "2"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\Parameters\"ServiceDll" = "%UserProfile%\AppMgmt.dll"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\"Type" = "272"
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\AppMgmt\"FailureActions" = "[BINARY DATA]"
The Trojan may create one of the following services so that it runs
every time Windows starts:
AppMgmt
BITS
The Trojan collects the following system information from the
compromised computer:
domain name
unique identifier (UID)
The Trojan utilises its own custom communications protocol to connect
to the following IP address over port 443:
219.90.117.132
The Trojan then opens a back door on the compromised computer.
So you should inspect at least the paths, keys and services mentioned.
But the trojan could be modified, so I would also recommend inspecting network connections using netstat
or Process Monitor and other tools from the Sysinternals Suite.
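
The checks suggested above can be scripted. The following PowerShell sketch is an added example, not part of the original answer or the quoted write-up; it assumes Windows 8 / Server 2012 or later (for Get-NetTCPConnection) and reads the live CurrentControlSet key, where the write-up says ControlSet.

```powershell
# Added example; indicator values come from the write-up quoted above.
$IocIp    = '219.90.117.132'
$Services = 'AppMgmt', 'BITS'
$findings = @()

# 1. Dropped files: AppMgmt.dll in any profile directory, uid.ax in %Windir%\Temp.
$profiles = Get-CimInstance Win32_UserProfile |
    Where-Object { $_.LocalPath } | ForEach-Object { $_.LocalPath }
$paths = @($profiles | ForEach-Object { Join-Path $_ 'AppMgmt.dll' })
$paths += Join-Path $env:windir 'Temp\uid.ax'
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $findings += [pscustomobject]@{ Check = 'File'; Detail = $p }
    }
}

# 2. Service registration: flag a ServiceDll that lives outside System32.
#    Assumption: CurrentControlSet is the live key on a running system.
foreach ($svc in $Services) {
    $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc\Parameters"
    $dll = (Get-ItemProperty -Path $key -Name ServiceDll -ErrorAction SilentlyContinue).ServiceDll
    if ($dll -and $dll -notlike "$env:SystemRoot\System32\*") {
        $findings += [pscustomobject]@{ Check = 'ServiceDll'; Detail = "$svc -> $dll" }
    }
}

# 3. Network: established connections to the listed address, with owning process.
$conns = @(Get-NetTCPConnection -State Established -ErrorAction SilentlyContinue)
foreach ($c in $conns | Where-Object { $_.RemoteAddress -eq $IocIp }) {
    $name = (Get-Process -Id $c.OwningProcess -ErrorAction SilentlyContinue).ProcessName
    $findings += [pscustomobject]@{ Check = 'Connection'
        Detail = "$name (PID $($c.OwningProcess)) -> $($c.RemoteAddress):$($c.RemotePort)" }
}

$findings | Format-Table -AutoSize -Wrap

# A modified variant may use another address, so also list every process
# holding an established connection to remote port 443 for manual review.
$conns | Where-Object { $_.RemotePort -eq 443 } |
    Select-Object RemoteAddress, OwningProcess,
        @{ n = 'Process'; e = { (Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue).ProcessName } } |
    Sort-Object Process | Format-Table -AutoSize
```

Run it from an elevated prompt so that process names for connections owned by other accounts resolve.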