Worm/Nugache.1 - Worm

See also

Summary

Full description

Statistics

Virus:	Worm/Nugache.1
Date discovered:	02/05/2006
Type:	Worm
In the wild:	Yes
Reported Infections:	Low to medium
Distribution Potential:	High
Damage Potential:	Medium
Static file:	Yes
File size:	177.152 Bytes
MD5 checksum:	74600E5bc19538a3b6a0b4086f4e0053
VDF version:	6.34.01.27

Important information • The write up for this analysis is currently in progress. Please check again later for more details.

General Methods of propagation:
   • Email
   • Local network
   • Messenger

Aliases:
   • Symantec: W32.Nugache.A@mm
   • Mcafee: W32/Nugache@MM
   • Kaspersky: Email-Worm.Win32.Nugache.a
   • TrendMicro: WORM_NUGACHE.A
   • Bitdefender: Backdoor.SDBot.BCE

Platforms / OS:
   • Windows 95
   • Windows 98
   • Windows 98 SE
   • Windows NT
   • Windows ME
   • Windows 2000
   • Windows XP
   • Windows 2003

Side effects:
   • Uses its own Email engine
   • Records keystrokes
   • Registry modification
   • Makes use of software vulnerability
   • Steals information
   • Third party control

Files It copies itself to the following location:
• %SYSDIR%\mstc.exe

The following file is created:

– %home%\Application Data\FNTCACHE.BIN This file contains collected keystrokes.

Registry The following registry key is added in order to run the process after reboot:

– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
   • Microsoft Domain Controller = %SYSDIR%\mstc.exe

The following registry keys are added:

– [HKCU\Software\GNU\Data\%IP address%]
   • S = %hex number%
   • F = %hex number%
   • P = %hex number%
   • L = %hex values%

Email It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

To:
– Email addresses gathered from WAB (Windows Address Book)

Mailing Avoid addresses:
It does not send emails to addresses containing one of the following strings:
• bmaste; ccoun; secur; spam; uppor; inux; buse; .gov; .mil; dmin;
ource; upda; indow; icrosof; gnu; bug; wab; Unknown

Messenger It is spreading via Messenger. The characteristics are described below:

– AIM Messenger

Network Infection Exploit:
It makes use of the following Exploits:
– MS04-007 (ASN.1 Vulnerability)
– MS04-011 (LSASS Vulnerability)

Backdoor The following port is opened:

– mtsc.exe on TCP port 8 in order to provide backdoor capabilities.

Contact server:
All of the following:
   • 24.217.137.**********:8
   • 68.110.80.**********:8
   • 65.30.81.**********:8
   • 72.129.129.**********:8
   • 68.198.41.**********:8
   • 64.13.113.**********:8
   • 69.113.158.**********:8
   • 69.141.98.**********:8
   • 67.177.114.**********:8
   • 24.165.115.**********:8
   • 71.224.113.**********:8
   • 69.234.207.**********:8
   • 69.165.59.**********:8
   • 24.58.101.**********:8
   • 65.189.204.**********:8
   • 24.206.248.**********:8
   • 216.174.161.**********:8
   • 69.133.103.**********:8
   • 67.149.59.**********:8
   • 68.118.224.**********:8
   • 68.46.202.**********:8
   • 70.132.132.**********:8
   • 69.113.3.**********:8
   • 128.211.221.**********:8

Once connected it will retrieve an additional list of servers.
As a result it may send information and remote control could be provided.

Sends information about:
    • Created logfiles

Remote control capabilities:
    • Connect to an IRC server to provide additional remote control.
    • Download file
    • Perform DDoS attack
    • Send emails
    • Spam related
    • Upload file
    • Visit a website

Miscellaneous Mutex:
It creates the following Mutex:
• d3kb5sujs50lq2mr

File details Programming language:
The malware program was written in MS Visual C++.

Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.

See a brief description here.

Description inserted by Andrei Gherman on Tue, 02 May 2006 09:43 (GMT+1)
Description updated by Andrei Gherman on Tue, 09 May 2006 16:39 (GMT+1)

» About Malware
» About Phishing
» Viruses In the Wild

« back