Home / malware Worm:Win32/Nohad.A
First posted on 30 April 2015.
Source: MicrosoftAliases :
There are no other names known for Worm:Win32/Nohad.A.
Explanation :
Threat behavior
Installation
This threat can copy itself to the following locations:
\nottepad.exe - %TEMP%\system.exe
- %USERPROFILE%\administrator\documen\nod42.exe
The malware installs itself as a service so that it runs every time your PC starts.
Spreads through...
It can create the following hidden copy of itself on removable drives, such as USB flash drives:
- %SystemRoot%\system.exe
It also creates an autorun.inf file in the root folder of the removable drive. The file has instructions to launch the malware automatically when the removable drive is connected to a PC with the Autorun feature turned on.
This is a common way for malware to spread. However, autorun.inf files on their own are not necessarily a sign of infection; they are also used by legitimate programs.
Payload
Promotes Facebook pages
This worm contains an image that promotes a Facebook page.
Analysis by Mihai Calota
Symptoms
The following can indicate that you have this threat on your PC:
- You have these files:
\nottepad.exe - %TEMP%\system.exe
- %USERPROFILE%\administrator\documen\nod42.exe
Last update 30 April 2015
