Avira Virus Lab

Worm/Nuqel.655360

Summary
  • Name
    Worm/Nuqel.655360
  • Date discovered
    Jan 4, 2011
  • VDF version
    7.11.01.25 (2011-01-04 16:11)
Description

The term 'WORM' denotes a worm that is able to spread itself, for instance, over the Internet (using email, peer-to-peer networks, or IRC networks, etc.).

  • VDF
    7.11.01.25 (2011-01-04 16:11)
  • Files
    The following copies of itself are created:
    • %SYSDIR%\scvhost.exe
    • %WINDIR%\hinhem.scr
    • %WINDIR%\scvhost.exe
    • %SYSDIR%\blastclnnn.exe
    The following files are created:
    • %WINDIR%\Tasks\At1.job
    • %SYSDIR%\autorun.ini
    • %SYSDIR%\setting.ini
    The following files are changed:
    • %temporary internet files%\Content.IE5\index.dat
    • %USERPROFILE%\Cookies\index.dat
    • %USERPROFILE%\Local Settings\History\History.IE5\index.dat
    • %SYSDIR%\CatRoot2\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\catdb
  • Injections
    • %WINDIR%\System32\svchost.exe{<-\ThemeApiPort}
    • %SYSDIR%\services.exe{<-\RPC Control\ntsvcs}
    • %SYSDIR%\lsass.exe{<-\RPC Control\protected_storage}
    • %SYSDIR%\lsass.exe{<-\LsaAuthenticationPort}
    • %SYSDIR%\svchost.exe{<-\RPC Control\DNSResolver}
  • Registry
    The following registry entries are changed:
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon] "Shell" = "Explorer.exe scvhost.exe"
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule] "NextAtJobId" = dword:00000002
    • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Prefetcher]
      "TracesProcessed" = dword:0000000f
      "TracesSuccessful" = dword:0000000a
      "LastTraceFailure" = dword:00000004
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
      "GlobalUserOffline" = dword:00000000
      "MigrateProxy" = dword:00000001
      "ProxyEnable" = dword:00000000
      "ProxyServer" = -
      "ProxyOverride" = -
      "AutoConfigURL" = -
    The following registry entries are added:
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] "Yahoo Messengger" = "%SYSDIR%\scvhost.exe"
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer] "NofolderOptions" = dword:00000001
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
      "DisableTaskMgr" = dword:00000001
      "DisableRegistryTools" = dword:00000001
    • [HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Schedule] "AtTaskMaxHours" = dword:00000000
    • [HKEY_CURRENT_CONFIG\Software\Microsoft\windows\CurrentVersion\Internet Settings] "ProxyEnable" = dword:00000000
    • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares] "shared" = "\New Folder.exe"
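The file and registry artifacts above are what a responder would check a suspect host for. The PowerShell script below is an added example, not part of Avira's description; it is a read-only check that resolves %SYSDIR% and %WINDIR% from the local environment (an assumption: the page does not say how those placeholders map) and reports which of the listed dropped files and persistence values are present. The generic Prefetcher and Internet Settings values are deliberately left out, since they change on clean systems too and would only produce noise. Note that the dropped file is named scvhost.exe, one transposed letter away from the legitimate svchost.exe, so the check uses exact paths rather than loose name matching.

```powershell
# Added example: host check for the Worm/Nuqel.655360 artifacts listed on this page.
# Read-only: it reports findings and removes nothing. Run in an elevated PowerShell.
# Assumption: %SYSDIR% == [Environment]::SystemDirectory, %WINDIR% == $env:windir.

$sysDir = [Environment]::SystemDirectory      # e.g. C:\Windows\System32
$winDir = $env:windir                         # e.g. C:\Windows

# Files the page lists as copies of the worm or as files it creates.
$fileIocs = @(
    (Join-Path $sysDir 'scvhost.exe'),
    (Join-Path $winDir 'hinhem.scr'),
    (Join-Path $winDir 'scvhost.exe'),
    (Join-Path $sysDir 'blastclnnn.exe'),
    (Join-Path $sysDir 'autorun.ini'),
    (Join-Path $sysDir 'setting.ini'),
    (Join-Path $winDir 'Tasks\At1.job')
)

# Registry values the page lists as added or changed, with the value the worm writes.
# Only the distinctive ones are checked; Prefetcher/Internet Settings values are omitted as noise.
$regIocs = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';
       Name = 'Shell';                Expect = 'Explorer.exe scvhost.exe' },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run';
       Name = 'Yahoo Messengger';     Expect = (Join-Path $sysDir 'scvhost.exe') },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer';
       Name = 'NofolderOptions';      Expect = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name = 'DisableTaskMgr';       Expect = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';
       Name = 'DisableRegistryTools'; Expect = 1 },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares';
       Name = 'shared';               Expect = '\New Folder.exe' }
)

$findings = @()

foreach ($f in $fileIocs) {
    if (Test-Path -LiteralPath $f) {
        # Hash the file so the finding can be matched against the sample later.
        $hash = (Get-FileHash -LiteralPath $f -Algorithm SHA256).Hash
        $findings += [pscustomobject]@{ Type = 'File'; Location = $f; Value = $hash }
    }
}

foreach ($r in $regIocs) {
    # -ErrorAction SilentlyContinue: a missing key or value simply yields $null.
    $item = Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $actual = $item.($r.Name)
        # Compare as strings, case-insensitively, the way the registry treats names and paths.
        if ("$actual" -ieq "$($r.Expect)") {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$($r.Path) [$($r.Name)]"; Value = $actual }
        }
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'None of the listed Worm/Nuqel.655360 artifacts were found on this host.'
} else {
    $findings | Format-Table -AutoSize
}
```

A Winlogon "Shell" value other than plain explorer.exe, or DisableTaskMgr/DisableRegistryTools set to 1 outside of a known group policy, is worth investigating on its own even if the other artifacts are absent; the script reports only exact matches to the values on this page so that it can be dropped into a triage job without tuning.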