
Worm:Win32/Nuqel.BW


First posted on 08 September 2019.
Source: Microsoft

Aliases:

Worm:Win32/Nuqel.BW is also known as W32/AutoRun-AOA, W32.Imaut, Mal_Utoti4.

Explanation:

Installation

This threat can create files on your PC, including:

%ALLUSERSPROFILE%\start menu\programs\startup\google.lnk
%SystemRoot%\securitysystem.exe
%USERPROFILE%\desktop\sioril.lnk
%USERPROFILE%\favorites\make friends.lnk
%USERPROFILE%\my documents\new jobs info.lnk
gogle.lnk
securitysystem.exe

It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Yahoo Messengger"
With data: "securitysystem.exe"

In subkey: HKLM\software\microsoft\windows nt\currentversion\winlogon
Sets value: "Shell"
With data: "explorer.exe securitysystem.exe"
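As an added example (not part of the Microsoft description), a defender-side check that parses a .reg export and flags the two autostart entries above; the exports below are constructed for the demo, and the rule list mirrors the values the description gives:

```python
"""Scan a .reg export for the Worm:Win32/Nuqel.BW persistence markers:
the "Yahoo Messengger" Run value and a Winlogon Shell that is no longer
plain explorer.exe. The .reg text is constructed for this example."""

PAYLOAD = "securitysystem.exe"
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (string data only)."""
    reg, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()          # keys are case-insensitive
            reg.setdefault(current, {})
        elif current and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            reg[current][name] = data.strip('"').replace("\\\\", "\\")
    return reg

def find_persistence(text):
    """Return sorted 'key\\name' findings; an empty list means no markers."""
    reg = parse_reg(text)
    hits = set()
    # Marker 1: the worm's misspelled Run value name, whatever its data.
    if "Yahoo Messengger" in reg.get(RUN_KEY, {}):
        hits.add(RUN_KEY + r"\Yahoo Messengger")
    # Marker 2: Winlogon Shell must be exactly explorer.exe; the worm appends itself.
    shell = reg.get(WINLOGON, {}).get("Shell", "explorer.exe")
    if shell.strip().lower() != "explorer.exe":
        hits.add(WINLOGON + r"\Shell")
    # Marker 3: the payload file name in any value of the export.
    for key, values in reg.items():
        for name, data in values.items():
            if PAYLOAD in data.lower():
                hits.add(f"{key}\\{name}")
    return sorted(hits)

CLEAN = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe"
'''

INFECTED = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="securitysystem.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe securitysystem.exe"
'''

if __name__ == "__main__":
    for label, dump in (("clean", CLEAN), ("infected", INFECTED)):
        print(label, find_persistence(dump) or "no markers")
```

On a live host the same logic can be run over the output of `reg export` for the two keys; the Shell check is the more durable one, since any value other than explorer.exe there deserves a look regardless of the file name used.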

It creates a schedule to automatically run files on your PC. This can include:

securitysystem.exe

Spreads through

Instant Messenger

The worm may spread using a number of different messaging applications, including Yahoo Messenger, AIM, Windows Messenger and Google Talk. It sends a message to all of your contacts with a link to a copy of itself.

Network shares

The worm also tries to spread through network shares by querying the registry and copying itself to any shared folders specified by the entry HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares. In this sample the copy was named New Folder.exe.

Removable drives

The worm copies itself to removable drives.

Payload

Changes web browser settings

It can change your Internet Explorer start page by modifying the following registry entry:

In subkey: HKCU\software\microsoft\internet explorer\main
Sets value: "Start Page"
With data: ""

We have seen it use the following URLs:

www.newjobsinfo.com
www.sioril.com
www.todaygoogle.com

Downloads data

The worm can download configuration data from a remote server and save the data as the following file:

%SystemRoot%\system32\setting.ini

It can read file locations to be downloaded from the configuration file. It then downloads these files to %SystemRoot%\system32 and runs them.

We have seen it connect to the following servers to download its configuration file:


Stops processes and applications

The worm can stop the following processes:

Cmd.exe
game_y.exe

It can close application windows that have any of the following text in the window title:

Bkav2006
FireLion
Registry
System Configuration
Windows Task

Deletes registry data

The worm can delete the following security application registry subkeys:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw

Downloads Yahoo Messenger

If your PC doesn't have Yahoo Messenger installed, the worm automatically downloads and installs it.

It uses hard-coded instant messages that contain an executable file or a link to a URL, which it sends to your contacts. If they click the link, the worm is installed on their PC.

We have seen it use the following messages:

"Hey what are you doing Please test my new webcam using private application "
"Hey Please help me to test my new cam, (use deepika213 as passcode) "
"The wisest mind has something yet to learn "
"Hey Please help me to test my new cam application "
"I was checking out yahoo members ENTER and i saw your page.. yahoo says you are my top match! :) .. view my private cam via secured connection (use password pass123 ) "
"Waiting for you, view my private cam via secured connection "
"Happiness is not a destination. It is a method of life "
"View my private cam via secured connection "
"If you want truly to understand something, try to change it "
"asl please I am 21 Female, Mumbai (India) and you? Hey View my private cam via secured connection "

Adds a Yahoo ID

It can add a dummy Yahoo ID to the infected user's contacts for its propagation. For this sample it used "foxjones9".

It creates some shortcut links on your PC that will go to certain websites, such as:

"hxxp://www.sioril.com" -> %USERPROFILE%\desktop\sioril.lnk
"hxxp://www.todaygoogle.com" -> %ALLUSERSPROFILE%\start menu\programs\startup\google.lnk
"hxxp://www.My3.in" -> %USERPROFILE%\favorites\make friends.lnk
"hxxp://www.todaygoogle.com" -> gogle.lnk
"hxxp://www.newjobsinfo.com" -> %USERPROFILE%\my documents\new jobs info.lnk

Additional information

This malware description was published using automated analysis of file SHA1 6e21d46fff879781f633eb6f2ee8c220195f9210.

Last update 08 September 2019
