Virus: Worm/Nuqel.Q
Date discovered: 28/10/2009
Type: Worm
In the wild: Yes
Reported Infections: Low
Distribution Potential: Low to medium
Damage Potential: Medium
Static file: Yes
File size: 547,840 bytes
MD5 checksum: eed78e80a40ff435a8be41ab53c13f84
IVDF version: 7.01.06.161 - Wednesday, October 28, 2009
General
Method of propagation:
• Autorun feature

Aliases:
• McAfee: W32/YahLover.worm.gen
• Sophos: Troj/Dloadr-BHO
• Panda: W32/Sohanat.FD
• ESET: Win32/AutoRun.FE
• BitDefender: Trojan.AutoIt.TE

Platforms / OS:
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads malicious files
• Drops malicious files
• Registry modification

Files
It copies itself to the following locations (scvhost.exe is a transposition of the legitimate svchost.exe name, chosen so that the copy passes as a system process in a process list):
• %WINDIR%\hinhem.scr
• %SYSDIR%\scvhost.exe
• %WINDIR%\scvhost.exe
• %drive%\scvhost.exe
• %SYSDIR%\blastclnnn.exe

The following files are created:
– %SYSDIR%\autorun.ini
– %drive%\autorun.inf
The autorun.inf is a plain-text file and not executable by itself, but its content makes Windows Autorun start the worm copy on that drive as soon as the drive is opened on a machine with Autorun enabled; this is the propagation method listed above. Its content is:
• %code that runs malware%

It tries to download several files. The full URLs are masked in the original description, and the same locations are listed for more than one download; they are:
• http://setting3.9999mb.com/**********
• http://setting3.yeahost.com/**********
• http://www.freewebs.com/setting3/**********

It tries to execute the following commands: first it deletes every existing AT job, then it schedules the dropped blastclnnn.exe to run every day at 09:00 in the interactive session. Each command is attempted both through cmd.exe /C and directly:
– Filename:
• %SYSDIR%\cmd.exe /C AT /delete /yes
– Filename:
• AT /delete /yes
– Filename:
• %SYSDIR%\cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %SYSDIR%\blastclnnn.exe
– Filename:
• AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su %SYSDIR%\blastclnnn.exe

Registry
The following registry value is added in order to run the worm after reboot (the value name is misspelled "Messengger" in the sample, which is a useful search string):
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
• "Yahoo Messengger"="%SYSDIR%\scvhost.exe"

The following registry values are changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
New value:
• "Shell"="Explorer.exe scvhost.exe"
A clean system has "explorer.exe" alone in this value; the worm appends its own name so that it is started together with the shell at logon, independently of the Run value above.
– [HKLM\SYSTEM\CurrentControlSet\Services\Schedule]
New value:
• "AtTaskMaxHours"=dword:0x00000000
AtTaskMaxHours caps how long a job scheduled with AT may run (72 hours by default); 0 removes the limit, so the Schedule service never terminates the blastclnnn.exe job.

Various Explorer settings:
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System]
New value:
• "DisableRegistryTools"=dword:0x00000001
• "DisableTaskMgr"=dword:0x00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
New value:
• "NofolderOptions"=dword:0x00000001
These policy values disable regedit, Task Manager and the Folder Options dialog for the current user, so the user can neither inspect the registry, kill the process, nor turn on "show hidden files" to find the dropped copies.

Process termination
The following process is terminated:
• taskmgr.exe

File details
Runtime packer:
In order to hamper detection and reduce the size of the file it is packed with a runtime packer.
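The following triage script is an added example and not part of the Avira description or the worm itself. It checks a host for every indicator listed above (dropped files, autorun.inf, the Run value, the Winlogon Shell and AtTaskMaxHours changes, the AT job, the HKCU policy lockouts and a running scvhost.exe process). The paths, value names and the sample MD5 come from the description; the checking logic, the variable names and the decision to treat any Shell value other than "explorer.exe" as suspicious are the author's own assumptions. It targets PowerShell 2.0 on the Windows 2000/XP/2003 systems the description names, which is why the .NET MD5 class is used instead of Get-FileHash (that cmdlet only arrived in PowerShell 4) and why AT jobs are read with at.exe rather than schtasks.

```powershell
# Added triage script for the Worm/Nuqel.Q indicators (not the Avira description's code).
# Run from an elevated PowerShell prompt on the suspect host.
$ErrorActionPreference = 'SilentlyContinue'
$findings  = @()
$windir    = $env:WINDIR
$sysdir    = Join-Path $windir 'system32'
$sampleMd5 = 'eed78e80a40ff435a8be41ab53c13f84'   # MD5 from the description header

# 1. Dropped copies. Match the exact misspelling scvhost.exe; never touch the real svchost.exe.
$dropped = @(
    (Join-Path $windir 'hinhem.scr'),
    (Join-Path $windir 'scvhost.exe'),
    (Join-Path $sysdir 'scvhost.exe'),
    (Join-Path $sysdir 'blastclnnn.exe'),
    (Join-Path $sysdir 'autorun.ini')
)
$drives = Get-PSDrive -PSProvider FileSystem
foreach ($d in $drives) { $dropped += Join-Path $d.Root 'scvhost.exe' }

$md5 = [System.Security.Cryptography.MD5]::Create()
foreach ($f in $dropped) {
    if (-not (Test-Path -LiteralPath $f)) { continue }
    $bytes = [System.IO.File]::ReadAllBytes($f)
    $hash  = ([System.BitConverter]::ToString($md5.ComputeHash($bytes))).Replace('-', '').ToLower()
    if ($hash -eq $sampleMd5) { $findings += "File present: $f (MD5 matches the analysed sample)" }
    else                      { $findings += "File present: $f (MD5 $hash, possibly a variant)" }
}

# 2. An autorun.inf on a drive root is normal for optical media; flag it only when it
#    hands Autorun the dropped worm copy.
foreach ($d in $drives) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if ((Test-Path -LiteralPath $inf) -and (Select-String -Path $inf -Pattern 'scvhost\.exe' -Quiet)) {
        $findings += "autorun.inf referencing scvhost.exe: $inf"
    }
}

# 3. Persistence: Run value, Winlogon Shell, AT runtime limit and the AT job itself
$run = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
if ($run.'Yahoo Messengger') { $findings += "Run value 'Yahoo Messengger' = $($run.'Yahoo Messengger')" }

$shell = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon').Shell
if ($shell -and ($shell.Trim() -ne 'explorer.exe')) {     # -ne is case-insensitive in PowerShell
    $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe' only)"
}

$sched = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
if ($sched.AtTaskMaxHours -eq 0) { $findings += 'AtTaskMaxHours = 0 (AT job runtime limit removed)' }

# at.exe lists the jobs on 2000/XP/2003; on later Windows use schtasks /query /v instead.
$atJobs = & (Join-Path $sysdir 'at.exe') 2>$null
if ($atJobs -match 'blastclnnn\.exe') { $findings += 'AT job scheduling blastclnnn.exe' }

# 4. Policy values that lock the user out of regedit, Task Manager and Folder Options
$sysPol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
foreach ($v in 'DisableRegistryTools', 'DisableTaskMgr') {
    if ($sysPol.$v -eq 1) { $findings += "$v = 1" }
}
$expPol = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if ($expPol.NoFolderOptions -eq 1) { $findings += 'NoFolderOptions = 1' }

# 5. A running copy (the worm kills taskmgr.exe, so check from here rather than Task Manager)
Get-Process -Name scvhost | ForEach-Object { $findings += "Running process scvhost.exe, PID $($_.Id)" }

if ($findings.Count -eq 0) { 'No Worm/Nuqel.Q indicators found.' } else { $findings }
```

If the script reports findings, clean in the order the worm's own persistence works: stop the scvhost.exe process first (otherwise it re-creates what you remove), run AT /delete /yes, delete the "Yahoo Messengger" Run value, set the Winlogon Shell value back to explorer.exe, remove the three HKCU policy values, then delete the dropped files and the autorun.inf on every attached drive. A host that matches only the policy values or only a modified Shell without the files may have been hit by a different variant, so treat the MD5 comparison as confirmation, not as the sole detection.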
Description inserted by Petre Galan on Thursday, April 1, 2010 Description updated by Andrei Ivanes on Thursday, April 1, 2010