
Worm:Win32/Nuqel.AC


First posted on 22 February 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Nuqel.AC is also known as Win32/Autorun.worm.287566 (AhnLab), Worm.Win32.AutoRun.amnl (Kaspersky), AutoRun.RMM (Norman), Worm.Win32.Autorun (Ikarus), W32/Autorun.worm.zf.gen (McAfee), W32/KillAV.MI (Panda), WORM_PATCH.RL (Trend Micro).

Explanation :

Worm:Win32/Nuqel.AC is a worm that spreads by copying itself to removable drives. It also modifies various computer settings, such as disabling System Restore, hiding files and folders, disabling Windows Security Center notifications, and other actions.

Installation

Worm:Win32/Nuqel.AC drops a copy of itself as the following files:

  • %AppData%\java\<ASCII character>shimgvw<ASCII character>.exe
  • %AppData%\java\<ASCII character>jview<ASCII character>.exe

where <ASCII character> refers to various ASCII characters (in the registry data below the character is "ý").

It modifies the system registry so that its copy automatically starts every time Windows starts or when a JPG file is opened:

    Adds value: "AVM17?"
    With data: "%AppData%\java\ýshimgvw.exe"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

    Modifies value: "(default)"
    From data: "%SystemRoot%\System32\imageres.dll,-72"
    To data: "%AppData%\java\ýshimgvw.exe,0"
    In subkey: HKLM\SOFTWARE\Classes\jpegfile\DefaultIcon

The DefaultIcon change makes the dropped executable the icon source for JPG files, so Explorer loads it whenever it renders a JPG icon.

Spreads via...

Removable drives

Worm:Win32/Nuqel.AC drops a copy of itself in the root folder of all removable drives.

Payload

Modifies computer settings

Worm:Win32/Nuqel.AC changes the following settings in the computer:

Hides hidden files (the HKLM value changes the Folder Options template, the HKCU value the current user's effective setting):
    Adds value: "UncheckedValue"
    With data: "0"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden

    Adds value: "ShowSuperHidden"
    With data: "0"
    To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

Hides file extensions:
    Adds value: "DefaultValue"
    With data: "1"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt

Sets the computer to wait only 2 seconds (2000 ms) for services to stop before shutting down:
    Adds value: "WaitToKillServiceTimeout"
    With data: "2000"
    To subkey: HKLM\SYSTEM\CurrentControlSet\Control

Disables the System Restore function:
    Adds value: "DisableSR"
    With data: "1"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore

Prevents Windows from displaying EXE and JPG file extensions (Explorer honours the presence of NeverShowExt, not its data, so the worm's copies and the files they impersonate show no extension):
    Adds value: "NeverShowExt"
    With data: "0"
    To subkey: HKLM\SOFTWARE\Classes\exefile

    Adds value: "NeverShowExt"
    With data: "0"
    To subkey: HKLM\SOFTWARE\Classes\jpegfile

Disables User Account Control, so administrators no longer run in Admin Approval Mode:
    Adds value: "EnableLUA"
    With data: "0"
    To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Disables notifications from the Windows Security Center that no antivirus is installed on the computer:
    Adds value: "AntiVirusOverride"
    With data: "1"
    To subkey: HKLM\SOFTWARE\Microsoft\Security Center

    Adds value: "AntiVirusOverride"
    With data: "1"
    To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc

Ends user processes automatically, without prompting, when the user logs off or shuts down Windows:
    Adds value: "AutoEndTasks"
    With data: "1"
    To subkey: HKCU\Control Panel\Desktop
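The following PowerShell script is an added example, not part of the original description, that audits a host for the registry and file changes listed above. The keys, value names and data come from the description (written in PowerShell's HKLM:\ / HKCU:\ provider notation); the dropped-file name pattern, the decision to treat any Run entry or DefaultIcon pointing into an AppData "java" folder as suspicious, and the output format are this script's own assumptions.

```powershell
# Read-only audit of a Windows host for the indicators attributed to
# Worm:Win32/Nuqel.AC in the description above. Added example, not part of
# the original page. Reading these HKLM keys needs no elevation, but the
# HKCU keys must be read in the affected user's session.

# Each entry: key, value name, and the data the description says the worm writes.
# Present=$true marks values Explorer honours by existence alone (NeverShowExt),
# so the value merely existing is the finding, whatever its data.
$Indicators = @(
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'; Name='UncheckedValue';           Data='0';      Note='Folder Options template: protected OS files hidden' }
    @{ Path='HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';                     Name='ShowSuperHidden';          Data='0';      Note='current user: protected OS files hidden' }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt';  Name='DefaultValue';             Data='1';      Note='Folder Options template: extensions hidden' }
    @{ Path='HKLM:\SYSTEM\CurrentControlSet\Control';                                                Name='WaitToKillServiceTimeout'; Data='2000';   Note='services given 2 s to stop at shutdown' }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore';                     Name='DisableSR';                Data='1';      Note='System Restore disabled' }
    @{ Path='HKLM:\SOFTWARE\Classes\exefile';                                                        Name='NeverShowExt';             Present=$true; Note='.exe extension never shown' }
    @{ Path='HKLM:\SOFTWARE\Classes\jpegfile';                                                       Name='NeverShowExt';             Present=$true; Note='.jpg extension never shown' }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';                       Name='EnableLUA';                Data='0';      Note='UAC disabled' }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center';                                              Name='AntiVirusOverride';        Data='1';      Note='Security Center AV warnings suppressed' }
    @{ Path='HKLM:\SOFTWARE\Microsoft\Security Center\Svc';                                          Name='AntiVirusOverride';        Data='1';      Note='Security Center AV warnings suppressed' }
    @{ Path='HKCU:\Control Panel\Desktop';                                                           Name='AutoEndTasks';             Data='1';      Note='user processes ended at logoff without prompting' }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or the value is absent instead of throwing.
    if (-not (Test-Path -LiteralPath $Path)) { return $null }
    $item = Get-ItemProperty -LiteralPath $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

$findings = @()
foreach ($i in $Indicators) {
    $actual = Get-RegValue $i.Path $i.Name
    if ($null -eq $actual) { continue }
    # Data may come back as DWORD or REG_SZ depending on how it was written; compare as text.
    if ($i.Present -or ([string]$actual -eq $i.Data)) {
        $findings += [pscustomobject]@{ Where="$($i.Path)\$($i.Name)"; Value=$actual; Note=$i.Note }
    }
}

# Persistence: any HKCU Run entry, or the jpegfile DefaultIcon, pointing into an
# AppData "java" folder. The folder name is from the description; flagging any
# executable under it is this script's assumption.
$run = Get-ItemProperty -LiteralPath 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run) {
    foreach ($p in $run.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PSPath/PSParentPath/... provider metadata
        if ([string]$p.Value -match '\\java\\[^\\]*\.exe') {
            $findings += [pscustomobject]@{ Where="HKCU:\...\Run\$($p.Name)"; Value=$p.Value; Note='autorun entry into an AppData java folder' }
        }
    }
}
$icon = Get-RegValue 'HKLM:\SOFTWARE\Classes\jpegfile\DefaultIcon' '(default)'
if ($icon -and ([string]$icon -match '\\java\\')) {
    $findings += [pscustomobject]@{ Where='HKLM:\SOFTWARE\Classes\jpegfile\DefaultIcon'; Value=$icon; Note='JPG icon source redirected to a dropped executable' }
}

# Dropped copies: <char>shimgvw<char>.exe / <char>jview<char>.exe under %AppData%\java.
# The pattern allows zero or one arbitrary character on either side of the stem (assumption).
$dropDir = Join-Path $env:APPDATA 'java'
if (Test-Path -LiteralPath $dropDir) {
    Get-ChildItem -LiteralPath $dropDir -File -Filter '*.exe' |
        Where-Object { $_.Name -match '^.?(shimgvw|jview).?\.exe$' } |
        ForEach-Object {
            $findings += [pscustomobject]@{ Where=$_.FullName; Value=$_.Length; Note='dropped copy (size in bytes)' }
        }
}

if ($findings.Count -eq 0) { 'No Nuqel.AC indicators found.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Several of these values are also set legitimately by administrators (EnableLUA, WaitToKillServiceTimeout, the Folder Options template), so a single hit is weak evidence on its own; the combination with a Run entry or DefaultIcon pointing into %AppData%\java, or with the dropped files, is what matches this description. The script changes nothing; remediation (deleting the Run value, restoring the DefaultIcon to imageres.dll, re-enabling System Restore and UAC) is a separate step.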

Analysis by Francis Allan Tan Seng

Last update 22 February 2010
