Name: Worm/Nuqel.BE.7
Date discovered: 23/11/2011
Type: Worm
In the wild: No
Reported infections: Low
Distribution potential: Low to medium
Damage potential: Medium
File size: 721745 bytes
MD5 checksum: 759ca80274db9600865f98dd29ea7d5a
VDF version: 7.11.18.17 - Wednesday, November 23, 2011
IVDF version: 7.11.18.17 - Wednesday, November 23, 2011

General
Method of propagation:
   • Autorun feature (autorun.inf)


Aliases:
   •  Mcafee: W32/YahLover.worm.gen
   •  Kaspersky: Worm.Win32.AutoIt.dn
   •  Bitdefender: Win32.Worm.Sohanat.CK
   •  Grisoft: Dropper.Generic4.CAYF
   •  Eset: Win32/Autoit.EP.Gen worm
   •  GData: Win32.Worm.Sohanat.CK
   •  Norman: New unknown virus W32/Obfuscated.H!genr


Platforms / OS:
   • Windows 2000
   • Windows XP
   • Windows 2003
   • Windows Vista
   • Windows Server 2008
   • Windows 7


Side effects:
   • Registry modification (autostart entries, Explorer policy, Internet Explorer settings)
   • Copies of itself dropped into the Windows and System32 directories
   • Internet Explorer start and search pages redirected

Files
It copies itself to the following locations:
   • %SYSDIR%\gphone.exe
   • %WINDIR%\gphone.exe

Registry
One of the following values is added in order to run the process after reboot (the misspelt value name "Yahoo Messengger" is the worm's own and is a usable indicator):

–  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • "Yahoo Messengger"="c:\windows\system32\gphone.exe"



The following registry values are also added (none of them registers a service; they change Explorer, Task Scheduler, proxy and browser settings):

– HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
   • "NofolderOptions"=dword:00000001
   (removes the Folder Options dialog from Explorer, so the user cannot re-enable the display of hidden and system files)

– HKLM\SYSTEM\ControlSet001\Services\Schedule
   • "AtTaskMaxHours"=dword:00000000
   (configuration value of the Task Scheduler service)

– HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings
   • "ProxyEnable"=dword:00000000
   (disables any configured proxy for direct Internet access)

– HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
   • "Start Page"="http://rnd009.googlepages.com/google.html"



The following registry values are changed:

– HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
   Old value:
   • "Shell"="Explorer.exe"
   New value:
   • "Shell"="Explorer.exe gphone.exe"
   (Winlogon starts the programs named in Shell at logon, so the worm is launched together with Explorer even if the Run value is removed; the only legitimate value is explorer.exe)

– HKLM\SOFTWARE\Microsoft\Internet Explorer\Main
   Old value:
   • "Default_Page_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome"
   • "Default_Search_URL"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
   • "Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
   New value:
   • "Default_Page_URL"="http://rnd009.googlepages.com/google.html"
   • "Default_Search_URL"="http://rnd009.googlepages.com/google.html"
   • "Search Page"="http://rnd009.googlepages.com/google.html"

Internet Explorer's start page:

– HKCU\Software\Microsoft\Internet Explorer\Main
   Old value:
   • "Start Page"="about:blank"
   New value:
   • "Start Page"="http://rnd009.googlepages.com/google.html"

Miscellaneous
Accesses internet resources (hostnames are masked in the original description):
   • **********go.**********pages.com/setting.ini
   • **********cam.**********pages.com/setting.ini


Windows API functions:
The sample imports or resolves the following Windows API functions (the original description lists them as "event handlers"; they are API imports, and the notes describe what each function does, not what the worm has been observed doing with it):
   • CloseServiceHandle, OpenSCManager (Service Control Manager access)
   • ReadProcessMemory, WriteProcessMemory (read and write another process's memory)
   • GetKeyState, GetAsyncKeyState (poll keyboard state)
   • HttpOpenRequest, FtpOpenFile, InternetOpenUrl, InternetOpen (WinINet HTTP/FTP, consistent with the setting.ini downloads listed above)
   • GetDriveType (drive type enumeration, consistent with Autorun-based spreading)
   • CreateFile, ShellExecute (file creation and launching programs)

File details
Runtime packer:
To hinder detection and reduce the file size, the file is packed with a runtime packer. Kaspersky and Eset file the sample under their AutoIt families (see Aliases), which suggests a compiled AutoIt script underneath the packer.
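The file, registry and propagation indicators above can be checked on a suspect host with the following PowerShell script. It is an added example, not code from the Avira description: the paths, value names, URLs and MD5 are taken from the description, while the -Remediate switch, the "possible variant" label for a gphone.exe with a different hash, and the autorun.inf sweep of removable drives are assumptions added here. Run it from an elevated PowerShell.

```powershell
# Added triage/cleanup script for the Worm/Nuqel.BE.7 indicators in this description.
# Not part of the Avira page. Usage from an elevated PowerShell on the suspect host:
#   .\Check-Nuqel.ps1              # report only
#   .\Check-Nuqel.ps1 -Remediate   # report, then kill/delete/restore
# Paths, value names, URLs and the MD5 come from the description; the -Remediate
# switch, the 'possible variant' label and the autorun.inf sweep are assumptions.
[CmdletBinding()]
param([switch]$Remediate)

$KnownMd5    = '759CA80274DB9600865F98DD29EA7D5A'              # from the description header
$DropPaths   = @("$env:SystemRoot\System32\gphone.exe",        # %SYSDIR%\gphone.exe
                 "$env:SystemRoot\gphone.exe")                 # %WINDIR%\gphone.exe
$RunKey      = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$PolicyKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$HijackHost  = 'rnd009.googlepages.com'
$findings    = New-Object System.Collections.Generic.List[string]

# 1. Dropped copies. A hash mismatch does not clear the file: a repacked variant
#    at the same path is still suspicious, so both cases are reported.
foreach ($p in $DropPaths) {
    if (Test-Path -LiteralPath $p) {
        $md5   = (Get-FileHash -LiteralPath $p -Algorithm MD5).Hash
        $label = if ($md5 -eq $KnownMd5) { 'matches sample' } else { 'hash differs, possible variant' }
        $findings.Add("file $p  MD5=$md5 ($label)")
    }
}

# 2. Run-key autostart. The misspelt value name 'Yahoo Messengger' is the worm's own.
$run = Get-ItemProperty -Path $RunKey -Name 'Yahoo Messengger' -ErrorAction SilentlyContinue
if ($run) { $findings.Add("Run value 'Yahoo Messengger' = $($run.'Yahoo Messengger')") }

# 3. Winlogon Shell. The only legitimate value is explorer.exe; anything appended
#    is started with the shell at every logon, independent of the Run key.
$shell = (Get-ItemProperty -Path $WinlogonKey -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ine 'explorer.exe') { $findings.Add("Winlogon Shell = '$shell'") }

# 4. NoFolderOptions=1 removes Folder Options from Explorer, which keeps the user
#    from re-enabling 'show hidden files'.
$nfo = (Get-ItemProperty -Path $PolicyKey -Name NoFolderOptions -ErrorAction SilentlyContinue).NoFolderOptions
if ($nfo -eq 1) { $findings.Add('Explorer policy NoFolderOptions = 1') }

# 5. Browser start/search page hijack in both hives.
foreach ($k in 'HKCU:\Software\Microsoft\Internet Explorer\Main',
                'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main') {
    $ie = Get-ItemProperty -Path $k -ErrorAction SilentlyContinue
    foreach ($name in 'Start Page', 'Default_Page_URL', 'Default_Search_URL', 'Search Page') {
        $val = $ie.$name
        if ($val -and $val -like "*$HijackHost*") { $findings.Add("$k\$name = $val") }
    }
}

# 6. Propagation sweep (assumption: generic autorun-worm check, the description only
#    says 'Autorun feature'). Win32_LogicalDisk DriveType 2 = removable disk.
Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2' | ForEach-Object {
    $inf = Join-Path $_.DeviceID 'autorun.inf'
    if (Test-Path -LiteralPath $inf) { $findings.Add("autorun.inf present on removable drive $($_.DeviceID)") }
}

if ($findings.Count -eq 0) { Write-Host 'No Worm/Nuqel.BE.7 indicators found.'; return }
$findings | ForEach-Object { Write-Warning $_ }
if (-not $Remediate) { return }

# Stop running copies first, otherwise the worm can rewrite the keys after cleanup.
Get-Process -Name gphone -ErrorAction SilentlyContinue | Stop-Process -Force
foreach ($p in $DropPaths) { Remove-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue }
Remove-ItemProperty -Path $RunKey -Name 'Yahoo Messengger' -ErrorAction SilentlyContinue
Set-ItemProperty -Path $WinlogonKey -Name Shell -Value 'explorer.exe'
Remove-ItemProperty -Path $PolicyKey -Name NoFolderOptions -ErrorAction SilentlyContinue

# Restore the pre-infection browser values quoted in the description; the HKLM
# 'Start Page' is removed because the description lists it as added by the worm.
$ieMain = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\Main'
Set-ItemProperty -Path 'HKCU:\Software\Microsoft\Internet Explorer\Main' -Name 'Start Page' -Value 'about:blank'
Set-ItemProperty -Path $ieMain -Name 'Default_Page_URL'   -Value 'http://www.microsoft.com/isapi/redir.dll?prd=ie&pver=6&ar=msnhome'
Set-ItemProperty -Path $ieMain -Name 'Default_Search_URL' -Value 'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch'
Set-ItemProperty -Path $ieMain -Name 'Search Page'        -Value 'http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch'
Remove-ItemProperty -Path $ieMain -Name 'Start Page' -ErrorAction SilentlyContinue
Write-Host 'Remediation applied; reboot and re-run this script to confirm the indicators are gone.'
```

The script deliberately leaves the AtTaskMaxHours and ProxyEnable values alone, since the description does not record their pre-infection state; review them by hand. Because the Winlogon Shell value is a second, independent persistence point, the script treats any Shell other than explorer.exe as a finding rather than only looking for the string gphone.exe.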

Description created by Wensin Lee on Wednesday, 30 May 2012
Description updated by Wensin Lee on Wednesday, 30 May 2012
