Virus: Worm/Nugache.1
Date discovered: 02/05/2006
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: High
Damage Potential: Medium
Static file: Yes
File size: 177.152 Bytes
MD5 checksum: 74600E5bc19538a3b6a0b4086f4e0053
VDF version: 6.34.01.27
Important information
• The write-up for this analysis is currently in progress. Please check again later for more details.

General
Methods of propagation:
• Email
• Local network
• Messenger

Aliases:
• Symantec: W32.Nugache.A@mm
• McAfee: W32/Nugache@MM
• Kaspersky: Email-Worm.Win32.Nugache.a
• TrendMicro: WORM_NUGACHE.A
• Bitdefender: Backdoor.SDBot.BCE

Platforms / OS:
• Windows 95
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Uses its own email engine
• Records keystrokes
• Registry modification
• Makes use of software vulnerability
• Steals information
• Third party control

Files
It copies itself to the following location:
• %SYSDIR%\mstc.exe

The following file is created:
– %APPDATA%\FNTCACHE.BIN
This file contains collected keystrokes.

Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• Microsoft Domain Controller = %SYSDIR%\mstc.exe

The following registry keys are added:
– [HKCU\Software\GNU\Data\%IP address%]
• S = %hex number%
• F = %hex number%
• P = %hex number%
• L = %hex values%

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server is established. The characteristics are described in the following:

To:
– Email addresses gathered from WAB (Windows Address Book)

Mailing
Avoid addresses:
It does not send emails to addresses containing one of the following strings:
• bmaste; ccoun; secur; spam; uppor; inux; buse; .gov; .mil; dmin; ource; upda; indow; icrosof; gnu; bug; wab; Unknown

Messenger
It spreads via Messenger. The characteristics are described below:
– AIM Messenger

Network Infection
Exploit:
It makes use of the following exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)

Backdoor
The following port is opened:
– mtsc.exe on TCP port 8 in order to provide backdoor capabilities.
Contact server:
All of the following:
• 24.217.137.**********:8
• 68.110.80.**********:8
• 65.30.81.**********:8
• 72.129.129.**********:8
• 68.198.41.**********:8
• 64.13.113.**********:8
• 69.113.158.**********:8
• 69.141.98.**********:8
• 67.177.114.**********:8
• 24.165.115.**********:8
• 71.224.113.**********:8
• 69.234.207.**********:8
• 69.165.59.**********:8
• 24.58.101.**********:8
• 65.189.204.**********:8
• 24.206.248.**********:8
• 216.174.161.**********:8
• 69.133.103.**********:8
• 67.149.59.**********:8
• 68.118.224.**********:8
• 68.46.202.**********:8
• 70.132.132.**********:8
• 69.113.3.**********:8
• 128.211.221.**********:8

Once connected, it retrieves an additional list of servers. It may then send information to those servers, and they may remotely control the infected machine.

Sends information about:
• Created logfiles

Remote control capabilities:
• Connect to an IRC server to provide additional remote control
• Download file
• Perform DDoS attack
• Send emails
• Spam related
• Upload file
• Visit a website

Miscellaneous
Mutex:
It creates the following Mutex:
• d3kb5sujs50lq2mr

File details
Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
To hamper detection and reduce the file size, it is packed with a runtime packer.
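The host-side indicators listed in this description (the dropped file names, the Run-key value name, the per-IP configuration key under HKCU\Software\GNU\Data, the mutex and the TCP listener on port 8) can be turned into a simple triage check. The following script is an added example for defenders and is not part of the original description or any vendor tool; the host snapshots it inspects are constructed test data, the snapshot layout (lists of file paths, registry triples, mutex names and listener tuples) is an assumption about how an inventory would be collected, and both file-name spellings given on the page (mstc.exe and mtsc.exe) are matched because the description uses both.

```python
import re

# Indicators quoted from the description above. File names are matched on
# the last path component so the check does not depend on where %SYSDIR%
# and %APPDATA% resolve on a particular host.
INDICATORS = {
    "files": {"mstc.exe", "mtsc.exe", "fntcache.bin"},
    "run_values": {"microsoft domain controller"},
    "mutexes": {"d3kb5sujs50lq2mr"},
    "tcp_ports": {8},
}

# Autorun key named in the description (compared case-insensitively).
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"

# The description gives HKCU\Software\GNU\Data\%IP address%; this pattern
# matches that key with any dotted-quad address in place of the placeholder.
GNU_DATA_KEY = re.compile(r"^hkcu\\software\\gnu\\data\\\d{1,3}(?:\.\d{1,3}){3}$")


def check_host(snapshot):
    """Return a list of human-readable findings for indicators present in
    the snapshot. An empty list means none of the page's host indicators
    were seen (it is not proof the host is clean)."""
    findings = []

    for path in snapshot.get("files", []):
        name = path.replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in INDICATORS["files"]:
            findings.append(f"file: {path}")

    for key, name, data in snapshot.get("registry", []):
        k = key.lower()
        if k == RUN_KEY and name.lower() in INDICATORS["run_values"]:
            findings.append(f"autorun: {key}\\{name} = {data}")
        elif GNU_DATA_KEY.match(k):
            findings.append(f"config key: {key}\\{name}")

    for mutex in snapshot.get("mutexes", []):
        if mutex.lower() in INDICATORS["mutexes"]:
            findings.append(f"mutex: {mutex}")

    for process, port in snapshot.get("listeners", []):
        if port in INDICATORS["tcp_ports"]:
            findings.append(f"listener: {process} on tcp/{port}")

    return findings


# Constructed sample snapshots (assumed collection format, not real hosts).
INFECTED_HOST = {
    "files": [
        r"C:\WINDOWS\system32\mstc.exe",
        r"C:\Documents and Settings\user\Application Data\FNTCACHE.BIN",
        r"C:\WINDOWS\notepad.exe",
    ],
    "registry": [
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
         "Microsoft Domain Controller", r"C:\WINDOWS\system32\mstc.exe"),
        (r"HKCU\Software\GNU\Data\192.0.2.10", "S", "0x1a2b"),
    ],
    "mutexes": ["d3kb5sujs50lq2mr", "Global\\SomeBenignMutex"],
    "listeners": [("mstc.exe", 8), ("svchost.exe", 135)],
}

CLEAN_HOST = {
    "files": [r"C:\WINDOWS\notepad.exe"],
    "registry": [
        (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
         "ctfmon.exe", r"C:\WINDOWS\system32\ctfmon.exe"),
    ],
    "mutexes": ["Global\\SomeBenignMutex"],
    "listeners": [("svchost.exe", 135)],
}

if __name__ == "__main__":
    for label, host in (("infected", INFECTED_HOST), ("clean", CLEAN_HOST)):
        print(f"{label}: {len(check_host(host))} indicator(s) matched")
        for finding in check_host(host):
            print("  " + finding)
```

The port-8 listener check is the weakest of the four and will produce false positives on its own; treat it as corroborating evidence for the file, autorun and mutex matches rather than as a standalone signal.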
Description inserted by Andrei Gherman on Tuesday, May 2, 2006
Description updated by Andrei Gherman on Tuesday, May 9, 2006