Encyclopedia entry
Updated: Apr 17, 2011 | Published: Dec 19, 2008
Aliases
- Win32/Armax.I (CA)
- Mal/Airworm-A (Sophos)
- Trojan.Win32.Autoit.eg (Kaspersky)
- W32/Yahlover.worm.gen.c (McAfee)
- W32.Imaut (Symantec)
Alert Level
Severe
Antimalware protection details
Microsoft recommends that you download the latest definitions to get protected.
Detection last updated: Definition 1.121.1275.0, released Mar 10, 2012
Detection initially created: Definition 1.49.787.0, released Dec 19, 2008
Summary
Worm:Win32/Nuqel.Z is a worm that spreads via removable and shared drives. It terminates processes, modifies system settings, and may send out messages via Yahoo! Messenger.
Symptoms
System Changes
The following system changes may indicate the presence of this malware:
- The presence of the following files:
  <system folder>\regsvr.exe
  <system folder>\svchost .exe
  %windir%\regsvr.exe
  New Folder.exe (with a folder icon)
- The presence of the following registry modifications:
  HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
  "Shell" = "explorer.exe regsvr.exe"
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  "Msn Messsenger" = "<system folder>\regsvr.exe"
Technical Information (Analysis)
Worm:Win32/Nuqel.Z is a worm that spreads via removable and shared drives. It terminates processes, modifies system settings, and may send out messages via Yahoo! Messenger.
Installation
Upon execution, Worm:Win32/Nuqel.Z drops the following copies of itself with the read-only, system, and hidden file attributes:
- <system folder>\regsvr.exe
- <system folder>\svchost .exe
- %windir%\regsvr.exe
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Note also that a legitimate Windows file named svchost.exe (no space before the extension) also exists in the Windows system folder.
It modifies the system registry so that it runs every time Windows starts:
Modifies value: "Shell"
With data: "explorer.exe regsvr.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "Msn Messsenger"
With data: "<system folder>\regsvr.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
It also drops the file setup.ini in the Windows system folder. This file is an autorun.inf template: when the worm copies it to the root of a drive as autorun.inf, it causes the worm to run whenever that drive is opened or handled by AutoPlay (for example, when a user inserts a removable disk or a CD).
Worm:Win32/Nuqel.Z also schedules itself to run at 09:00 every weekday by creating a scheduled task using the AT command.
Spreads Via...
Shared Drives
Worm:Win32/Nuqel.Z enumerates shared drives by checking the values within the following registry subkey:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
It then copies itself in the root of the found shared drives as the file New Folder.exe. It also copies its dropped setup.ini file as autorun.inf, setting its attributes to read-only, system, and hidden.
Removable Drives
Worm:Win32/Nuqel.Z copies itself to the root of removable drives as the file regsvr.exe or New Folder.exe. It also copies its dropped setup.ini file as autorun.inf, setting its attributes to read-only, system, and hidden.
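As an added example (not part of the original Microsoft analysis), the Python below scans the root of a drive for the spreading pattern described in this section: an autorun.inf whose open=, shellexecute= or shell\<verb>\command= entry launches an executable stored on the drive itself, plus executables whose name imitates a folder (the New Folder.exe lure). The autorun.inf content and the drive layout are constructed in a temporary directory for the example and are modelled on the generic autorun pattern; they are not copied from the worm's setup.ini. The resolver mimics the lenient way a command line with spaces is matched to a file, which is what makes "New Folder.exe" launch even though the value is not quoted.

```python
import os
import tempfile
from typing import Dict, List, Optional, Tuple

# Stems that make an executable look like a folder once Explorer hides the
# extension; extend this set for your environment (assumption, not from the page).
LURE_STEMS = {"new folder", "my documents", "my pictures", "my music", "games"}
EXEC_EXTS = {".exe", ".com", ".scr", ".bat", ".cmd", ".pif"}

# Constructed autorun.inf for the example; modelled on the open=/shellexecute=
# pattern, not a copy of the worm's own setup.ini.
SAMPLE_AUTORUN = """[autorun]
open=New Folder.exe
shellexecute=New Folder.exe
shell\\Open\\command=New Folder.exe /s
shell=Open
icon=New Folder.exe,0
"""


def parse_autorun(text: str) -> Dict[str, str]:
    """Tolerant autorun.inf parser: lower-cased keys of the [autorun] section only
    (other sections are ignored, as Windows ignores them)."""
    section, entries = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and "]" in line:
            section = line[1:line.index("]")].strip().lower()
            continue
        if section == "autorun" and "=" in line:
            key, value = line.split("=", 1)
            entries[key.strip().lower()] = value.strip()
    return entries


def launch_keys(entries: Dict[str, str]) -> List[str]:
    """Keys whose value is a command line: open=, shellexecute=, shell\\<verb>\\command=."""
    return [k for k in entries
            if k in ("open", "shellexecute")
            or (k.startswith("shell\\") and k.endswith("\\command"))]


def resolve_program(cmdline: str, names: Dict[str, str]) -> Optional[str]:
    """Match a command line to a file in the drive root: a quoted program is taken
    verbatim; otherwise trailing tokens are dropped one at a time until a file
    name matches, so 'New Folder.exe /s' resolves to 'New Folder.exe'."""
    cmd = cmdline.strip()
    if cmd.startswith('"') and cmd.count('"') >= 2:
        candidates = [cmd.split('"')[1]]
    else:
        tokens = cmd.split()
        candidates = [" ".join(tokens[:i]) for i in range(len(tokens), 0, -1)]
    for cand in candidates:
        cand = cand.replace("/", "\\").lstrip("\\")
        if cand.startswith(".\\"):
            cand = cand[2:]
        if cand.lower() in names:
            return names[cand.lower()]
    return None


def scan_drive_root(root: str) -> List[Tuple[str, str, bool]]:
    """Findings for one drive root as (kind, detail, target_present)."""
    findings = []
    names = {n.lower(): n for n in os.listdir(root)}
    if "autorun.inf" in names:
        with open(os.path.join(root, names["autorun.inf"]), errors="replace") as fh:
            entries = parse_autorun(fh.read())
        for key in launch_keys(entries):
            target = resolve_program(entries[key], names)
            # An absent target still matters: it can indicate a partial clean-up.
            findings.append(("autorun_launch", f"{key}={target or entries[key]}", target is not None))
    for lower, real in names.items():
        stem, ext = os.path.splitext(lower)
        if ext in EXEC_EXTS and stem.strip() in LURE_STEMS:
            findings.append(("folder_lookalike", real, True))
    return findings


def build_sample_drive(root: str) -> None:
    """Lay out a constructed infected-drive root: the lure, the inf, one benign file."""
    with open(os.path.join(root, "autorun.inf"), "w") as fh:
        fh.write(SAMPLE_AUTORUN)
    with open(os.path.join(root, "New Folder.exe"), "wb") as fh:
        fh.write(b"MZ")  # placeholder bytes, not a real PE
    with open(os.path.join(root, "report.docx"), "wb") as fh:
        fh.write(b"")


def demo() -> List[Tuple[str, str, bool]]:
    """Build the sample drive in a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_drive(root)
        return scan_drive_root(root)


if __name__ == "__main__":
    for kind, detail, present in demo():
        print(f"{kind:17} {detail:40} present={present}")
```

The scan does not check the read-only/system/hidden attributes the worm sets on its copies, since those only exist on Windows; on a Windows host, `os.stat(path).st_file_attributes` exposes them and a hidden autorun.inf next to a hidden executable is a stronger signal than either alone.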
Payload
Modifies System Settings
Win32/Nuqel.Z modifies the following system settings to further avoid detection:
- Disables the Folder Options dialog in Windows Explorer (for example, so a user cannot change the option to show hidden files and folders):
Adds value: "NofolderOptions"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Prevents the user from viewing and ending processes with Task Manager:
Adds value: "DisableTaskMgr"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Removes the limit on how long scheduled tasks created with the AT command of the Schedule service may remain active:
Adds value: "AtTaskMaxHours"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
- Modifies the following registry so that the file New Folder.exe appears as a shared folder:
Adds value: "shared"
With data: "\new folder.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Combined with the folder icon that New Folder.exe carries (see Symptoms), this can trick a user into double-clicking (and thus executing) the worm copy, especially where Explorer hides known file extensions.
Downloads Arbitrary Files/Updates
The worm is set to check the following domains for the file setting.doc:
- http://yahoo.com/setting.doc
- http://www.yahoo.com/setting.doc
Previous versions of Worm:Win32/Nuqel point to malicious URLs rather than to a legitimate domain as above, which may suggest that this variant is still in development.
If the file is found, it is saved to the Windows system folder as setting.ini. The worm then attempts to retrieve a number of files from a URL specified in setting.ini; once downloaded, the files are dropped to the Windows system folder and executed.
Sends Messages
Win32/Nuqel.Z attempts to send a URL and a message sourced from setting.ini using Yahoo! Messenger. The message is randomly chosen as one of the following:
"cyber cafe scandal visit ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <link>"
"World Business news broadcaster ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <link>"
"Regular monthly income by wearing your shorts at the comfort of your home for more info ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <link>"
"Nfs carbon download ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <link>"
"Latest video shot of infosys girl ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <link>"
"stream Video of Nayanthara and Simbu ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <link>"
"Aishwarya Rai videos ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <link>"
"Free mobile games ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <link>"
"Nse going to crash for more ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk <link>"
where <link> varies depending on the contents of setting.ini.
Terminates Processes
Worm:Win32/Nuqel.Z looks for open windows with the following titles and attempts to close them:
- "System Configuration"
- "Registry"
- "Windows mask"
It also attempts to terminate the following process if it is found running on the system:
- game_y.exe
Modifies Security Settings
Nuqel.Z attempts to remove registry autostart entries for the following security programs:
- "Bkav2006"
- "[FireLion]"
Analysis by Jireh Sanico