
Win32/Nabucur


First posted on 30 January 2015.
Source: Microsoft

Aliases :

There are no other names known for Win32/Nabucur.

Explanation :

Threat behavior

Installation

The virus drops a component into the following locations (the subfolder and file names are random, as the examples below show):

  • %USERPROFILE% \\.exe
  • %ALLUSERSPROFILE% \\.exe


For example:

  • %USERPROFILE% \GawgYAUQ\dMYQMAkw.exe
  • %ALLUSERSPROFILE% \RUgkoYwI\waIwwAog.exe


It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "", for example "dMYQMAkw.exe"
With data: "", for example "%USERPROFILE%\GawgYAUQ\dMYQMAkw.exe"

In subkey: HKLM\software\microsoft\windows\currentversion\run
Sets value: "", for example "waIwwAog.exe"
With data: "", for example "%ALLUSERSPROFILE%\RUgkoYwI\waIwwAog.exe"
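As an added triage check (this script is not part of the Microsoft write-up), the following Python code flags Run-key entries that fit the pattern above: a value whose data points to a single alphabetic subfolder directly under %USERPROFILE% or %ALLUSERSPROFILE%, holding a single alphabetic .exe, with the value named after that .exe. The expanded roots, the 6-12 letter name length and the benign sample entries are assumptions; the two suspicious sample entries are taken from the examples on this page.

```python
import re
import sys
from typing import Iterable, List, Optional, Tuple

# Run-key entry: (key path, value name, value data).  The key path is kept
# only for reporting; the heuristic works on the value name and data.
RunEntry = Tuple[str, str, str]

# The two roots this page names for the dropped component.  Live registry
# data may hold the variable literally or already expanded, so expanded forms
# are accepted too; the concrete paths below are assumptions for the demo.
LITERAL_ROOTS = ("%USERPROFILE%", "%ALLUSERSPROFILE%")
EXPANDED_ROOTS = (r"C:\Users\alice", r"C:\ProgramData")

# One alphabetic folder holding one alphabetic .exe.  The examples on this page
# use eight mixed-case letters; the 6-12 range is an assumption to allow slack.
_NAME_RE = re.compile(r"[A-Za-z]{6,12}")


def _split_root(data: str) -> Optional[Tuple[str, str]]:
    """Return (root, remainder) if the path sits under a known root, else None."""
    path = data.strip().strip('"')
    for root in LITERAL_ROOTS + EXPANDED_ROOTS:
        if path.lower().startswith(root.lower() + "\\"):
            return root, path[len(root) + 1:]
    return None


def is_nabucur_like(value_name: str, data: str) -> bool:
    """Heuristic match for the persistence entry described on this page."""
    split = _split_root(data)
    if split is None:
        return False
    parts = split[1].split("\\")
    if len(parts) != 2:              # exactly <root>\<folder>\<file>.exe
        return False
    folder, exe = parts
    if not exe.lower().endswith(".exe"):
        return False
    stem = exe[:-4]
    if not (_NAME_RE.fullmatch(folder) and _NAME_RE.fullmatch(stem)):
        return False
    # The page's examples name the value after the dropped file itself.
    return value_name.lower() == exe.lower()


def triage_run_entries(entries: Iterable[RunEntry]) -> List[RunEntry]:
    """Return the entries that match the heuristic."""
    return [e for e in entries if is_nabucur_like(e[1], e[2])]


def read_run_keys() -> List[RunEntry]:
    """Collect HKCU and HKLM Run values on a live Windows host (empty elsewhere)."""
    if sys.platform != "win32":
        return []
    import winreg
    found: List[RunEntry] = []
    subkey = r"Software\Microsoft\Windows\CurrentVersion\Run"
    hives = (("HKCU", winreg.HKEY_CURRENT_USER), ("HKLM", winreg.HKEY_LOCAL_MACHINE))
    for hive_name, hive in hives:
        try:
            with winreg.OpenKey(hive, subkey) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:      # no more values
                        break
                    found.append((hive_name + "\\" + subkey, name, str(data)))
                    i += 1
        except OSError:                  # hive or key not readable
            continue
    return found


# Constructed sample: the two entries from this page plus two benign ones.
SAMPLE_ENTRIES: List[RunEntry] = [
    (r"HKCU\...\Run", "dMYQMAkw.exe", r"%USERPROFILE%\GawgYAUQ\dMYQMAkw.exe"),
    (r"HKLM\...\Run", "waIwwAog.exe", r"%ALLUSERSPROFILE%\RUgkoYwI\waIwwAog.exe"),
    (r"HKCU\...\Run", "OneDrive",
     r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'),
    (r"HKLM\...\Run", "SecurityHealth", r"%windir%\system32\SecurityHealthSystray.exe"),
]

if __name__ == "__main__":
    entries = read_run_keys() or SAMPLE_ENTRIES
    for key, name, data in triage_run_entries(entries):
        print(f"suspicious: {key}  {name} = {data}")
```

The name-length and "value named after the file" conditions are what keep legitimate Run entries (which normally point several folders deep and carry a product name) out of the results; loosen them if a sample in hand uses a different layout, and treat a hit as a lead for inspection, not as proof of infection.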

Spreads via...

File infection

The virus searches for files in the following locations:

  • desktop
  • removable drives
  • mapped drives
  • enumerated network resources


It looks for files with the following extensions:

  • .bmp
  • .cer
  • .crt
  • .doc
  • .exe
  • .gif
  • .jpeg
  • .jpg
  • .mdb
  • .mp3
  • .mpg
  • .p12
  • .p7b
  • .pdf
  • .pem
  • .pfx
  • .png
  • .ppt
  • .psd
  • .rar
  • .wma
  • .xls
  • .zip


If a suitable host file is found, the virus infects it: the host file is replaced with a copy of the virus that carries the original host file entirely within its body. Non-executable host files are additionally renamed with an added .exe extension, for example song.mp3 becomes song.mp3.exe; infected executables keep their name.

If you run the infected file, you run the virus code, which in turn tries to drop and run the original host file so that the file appears to open as expected.

For example, the virus infects song.mp3 in a network folder, leaving song.mp3.exe. Another user on the network sees what looks like song.mp3 (Windows hides known file extensions by default), opens it, and infects their own computer.

The virus also gives the infected file the icon of the original file type, so it looks like the original file.
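As an added example (not code from the Microsoft write-up), the following Python script applies the two observable facts above to a directory tree: an infected non-executable host is renamed with a trailing .exe after one of the listed extensions, and its contents are now a Windows executable rather than the original media or document, so it starts with the "MZ" PE signature. The sample tree it builds is constructed for the demo from short byte stubs, not real malware.

```python
import os
import tempfile
from pathlib import Path
from typing import List

# Extensions this page lists as targets, minus .exe: an infected executable
# keeps its own name, so the double-extension check cannot see it.
TARGET_EXTS = {
    ".bmp", ".cer", ".crt", ".doc", ".gif", ".jpeg", ".jpg", ".mdb", ".mp3",
    ".mpg", ".p12", ".p7b", ".pdf", ".pem", ".pfx", ".png", ".ppt", ".psd",
    ".rar", ".wma", ".xls", ".zip",
}


def looks_infected(path: Path) -> bool:
    """True for <name>.<target ext>.exe whose content is a PE image (starts with MZ)."""
    suffixes = [s.lower() for s in path.suffixes]
    if len(suffixes) < 2 or suffixes[-1] != ".exe" or suffixes[-2] not in TARGET_EXTS:
        return False
    try:
        with path.open("rb") as fh:
            return fh.read(2) == b"MZ"
    except OSError:
        return False


def scan_tree(root) -> List[str]:
    """Walk root and return paths (relative, POSIX-style) of likely infected hosts."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if looks_infected(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(base: Path) -> None:
    """Constructed sample data: a DOS-header prefix stands in for a PE image."""
    pe_stub = b"MZ\x90\x00" + b"\x00" * 60
    (base / "docs").mkdir()
    (base / "music").mkdir()
    (base / "song.mp3.exe").write_bytes(pe_stub)               # infected host
    (base / "docs" / "report.pdf.exe").write_bytes(pe_stub)    # infected host
    (base / "music" / "other.mp3").write_bytes(b"ID3\x03")     # untouched media
    (base / "photo.jpg.exe").write_bytes(b"\xff\xd8\xff")      # odd name, not a PE
    (base / "notes.txt.exe").write_bytes(pe_stub)              # PE, but .txt is not a target


def demo() -> List[str]:
    """Build the sample tree in a temp directory and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_sample_tree(base)
        return scan_tree(base)


if __name__ == "__main__":
    for hit in demo():
        print("possible infected host:", hit)
```

Run scan_tree against the desktop, removable drives and mapped shares the page names to get the list of candidates; infected .exe hosts are not caught by this name check and need a content comparison against a known-good copy instead.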

Payload

Locks your screen and demands ransom

The virus locks the screen by displaying a full-screen message, purportedly from a government or law-enforcement body, that demands a ransom payment in bitcoin. The message is fake.


The following is an example of the screen claiming to be from the National Security Bureau:

[Screenshot not reproduced on this page.]

The following is an example of the screen claiming to be from the United States Government "Operation Global III":

[Screenshot not reproduced on this page.]

Analysis by Ray Roberts

Symptoms

The following can indicate that you have this threat on your PC:

  • Files on your desktop, removable drives, or shared and network drives have .exe added to them
  • You see a full-screen message like the following:

[Screenshot not reproduced on this page.]

Last update 30 January 2015