Worm:Win32/Nuqel.ZZ
First posted on 16 September 2014.
Source: Microsoft
Aliases:
There are no other names known for Worm:Win32/Nuqel.ZZ.
Explanation:
Threat behavior
Installation
Worm:Win32/Nuqel.ZZ copies itself to the following locations:
- %windir%\regsvr.exe
- \regsvr.exe
- \svchost .exe
The malware changes the following registry entries so that it runs each time you start your PC:
Sets value: "Shell"
With data: "explorer.exe regsvr.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
The malware creates the following files on your PC:
- \setup.ini - detected as Worm:Win32/Autorun!inf
- c:\documents and settings\administrator\local settings\temp\aute.tmp
The malware tries to create a scheduled Windows task that runs the worm at 09:00 am every day of the week, by running the following Windows shell command instructions:
cmd.exe /C AT /delete /yes
cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su\svchost .exe
Payload
Changes system settings
Worm:Win32/Nuqel.ZZ overrides the timeout period so that scheduled tasks aren't stopped after a timeout. It does this by making the following registry change:
Sets value: "AtTaskMaxHours"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
This malware description was produced and published using automated analysis of file SHA1 2863987251b2e42a5947ee516a54e9e180debb04.
Symptoms
System changes
The following could indicate that you have this threat on your PC:
- You have these files:
%windir%\regsvr.exe
\regsvr.exe
\setup.ini
\svchost .exe
c:\documents and settings\administrator\local settings\temp\aute.tmp
- You see these entries or keys in your registry:
Sets value: "Shell"
With data: "explorer.exe regsvr.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "AtTaskMaxHours"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Last update 16 September 2014