
Worm:Win32/Nuqel.TB


First posted on 15 March 2019.
Source: Microsoft

Aliases :

Worm:Win32/Nuqel.TB is also known as Worm.Win32.AutoRun.fnc, W32/Tupym.worm, W32/AutoRun-BUC, W32.Imaut!gen1, WORM_SOHAND.SM.

Explanation :

Installation

This threat can create files on your PC, including:

%SystemRoot%\system3_.exe

It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Yahoo Messengger"
With data: "system3_.exe"

In subkey: HKLM\software\microsoft\windows nt\currentversion\winlogon
Sets value: "Shell"
With data: "explorer.exe system3_.exe"

It creates a scheduled task to automatically run files on your PC. This can include:

system3_.exe

Payload

Changes web browser settings

It can change your Internet Explorer start page by modifying the following registry entry:

In subkey: HKCU\software\microsoft\internet explorer\main
Sets value: "Start Page"
With data: "http://www.mydreamworld.50webs.com"
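The three registry changes above (the Run key entry, the appended Winlogon Shell value, and the Internet Explorer start page) are the persistence and browser indicators a responder would check for on a suspect host. The following is an added example, not part of Microsoft's description: it takes a snapshot of those three keys (a dict of key path to value-name/data pairs) and reports anything that deviates from the expected state. The `INFECTED_SNAPSHOT` is constructed from the values listed above; the `CLEAN_SNAPSHOT` and the `read_live_snapshot` helper (which uses the standard `winreg` module on Windows) are assumptions for illustration.

```python
"""Check a registry snapshot for the Nuqel.TB persistence indicators listed above."""
import re

EXPECTED_SHELL = "explorer.exe"
RUN_KEY = r"HKCU\software\microsoft\windows\currentversion\run"
WINLOGON_KEY = r"HKLM\software\microsoft\windows nt\currentversion\winlogon"
IE_MAIN_KEY = r"HKCU\software\microsoft\internet explorer\main"

KNOWN_FILE = "system3_.exe"                         # file name from the description
KNOWN_START_PAGE = "http://www.mydreamworld.50webs.com"  # start page from the description

# Constructed snapshot reproducing the registry state the description lists.
INFECTED_SNAPSHOT = {
    RUN_KEY: {"Yahoo Messengger": "system3_.exe"},
    WINLOGON_KEY: {"Shell": "explorer.exe system3_.exe"},
    IE_MAIN_KEY: {"Start Page": "http://www.mydreamworld.50webs.com"},
}

# Constructed snapshot of an unaffected host (assumed values, for contrast).
CLEAN_SNAPSHOT = {
    RUN_KEY: {"OneDrive": r'"C:\Users\me\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    WINLOGON_KEY: {"Shell": "explorer.exe"},
    IE_MAIN_KEY: {"Start Page": "https://www.msn.com/"},
}


def _norm_key(path: str) -> str:
    """Registry paths are case-insensitive; normalise for lookup."""
    return path.lower().rstrip("\\")


def _first_token(command: str) -> str:
    """Return the executable part of a command line, honouring a quoted path."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split()[0] if command else ""


def find_indicators(snapshot: dict) -> list:
    """Return (category, observed, reason) tuples for each suspicious entry."""
    snap = {_norm_key(k): v for k, v in snapshot.items()}
    findings = []

    # Winlogon\Shell should be exactly explorer.exe; Windows accepts a
    # comma- or space-separated list, so any extra token is an added shell.
    shell = snap.get(_norm_key(WINLOGON_KEY), {}).get("Shell", "")
    extras = [t for t in re.split(r"[,\s]+", shell.strip())
              if t and t.lower() != EXPECTED_SHELL]
    if extras:
        findings.append(("winlogon_shell", shell,
                         "extra shell executable(s): " + ", ".join(extras)))

    # Run key: flag the known file name, or a bare file name with no directory
    # (such an entry is resolved through the search path, as system3_.exe is).
    for name, data in snap.get(_norm_key(RUN_KEY), {}).items():
        exe = _first_token(data)
        if KNOWN_FILE in data.lower():
            findings.append(("run_key", f"{name} = {data}", "references " + KNOWN_FILE))
        elif "\\" not in exe and "/" not in exe:
            findings.append(("run_key", f"{name} = {data}",
                             "bare file name without a directory"))

    # Internet Explorer start page set to the URL from the description.
    start = snap.get(_norm_key(IE_MAIN_KEY), {}).get("Start Page", "")
    if start.lower().rstrip("/") == KNOWN_START_PAGE:
        findings.append(("ie_start_page", start, "matches the start page set by this worm"))
    return findings


def read_live_snapshot() -> dict:
    """Read the three keys from the local registry (Windows only; assumed helper)."""
    import winreg  # standard library on Windows only
    roots = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for path in (RUN_KEY, WINLOGON_KEY, IE_MAIN_KEY):
        root, _, subkey = path.partition("\\")
        values = {}
        try:
            with winreg.OpenKey(roots[root], subkey) as key:
                i = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, i)
                    except OSError:
                        break  # no more values
                    values[name] = str(data)
                    i += 1
        except OSError:
            pass  # key absent or not readable; treat as empty
        snapshot[path] = values
    return snapshot


if __name__ == "__main__":
    for label, snap in (("infected", INFECTED_SNAPSHOT), ("clean", CLEAN_SNAPSHOT)):
        print(label, find_indicators(snap))
```

The Winlogon `Shell` check compares tokens rather than the whole string because the worm keeps `explorer.exe` in place and only appends its own file, so a check for "value differs from explorer.exe" that ignores the list form would miss variants that use a comma separator.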

Modifies system settings

This threat can make changes to the way your PC behaves. It can:

Disable Task Manager
Restrict File Explorer settings changes

Connects to a remote host

We have seen this threat connect to a remote host, including:

www.balu001.0catch.com using port 80
www.balu000.0catch.com using port 80
www.balu002.0catch.com using port 80
h1.ripway.com using port 80

Malware can connect to a remote host to do any of the following:

Check for an Internet connection
Download and run files (including updates or other malware)
Report a new infection to its author
Receive configuration or other data
Receive instructions from a malicious hacker
Search for your PC location
Upload information taken from your PC
Validate a digital certificate

We have seen this threat access online content, including:

setting.ini

This malware description was published using automated analysis of file SHA1 2f723542685feeee14ad624140ffe4adc12bb6da.

Last update 15 March 2019
