
Worm:Win32/Nuqel.TA


First posted on 15 February 2019.
Source: Microsoft

Aliases :

Worm:Win32/Nuqel.TA is also known as Worm.Win32.AutoRun.fnc, W32.Imaut.CN, WORM_SOHAND.SM.

Explanation :

Installation

This threat can create files on your PC, including:

%SystemRoot%\system3_.exe

It modifies the registry so that it runs each time you start your PC. For example:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Yahoo Messengger" (sic; the misspelled value name is part of the indicator)
With data: "system3_.exe"

In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
With data: "explorer.exe system3_.exe"

The second change replaces the default Winlogon shell value ("explorer.exe") so that the worm is started alongside Explorer at every logon, even if the Run entry is removed.

It creates a schedule to automatically run files on your PC. This can include:

system3_.exe

Payload

Changes web browser settings

It can change your Internet Explorer start page by modifying the following registry entry:

In subkey: HKCU\Software\Microsoft\Internet Explorer\Main
Sets value: "Start Page"
With data: "http://www.mydreamworld.50webs.com"
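The following triage script checks a host for the persistence entries (Run value and Winlogon Shell) and the Internet Explorer start page listed above. It is an added example and is not code from the original description or from Microsoft. Value names, key paths and the URL are taken from the description; the snapshot at the bottom of the block is constructed so the analysis can run offline, and on Windows the same analysis is applied to the live registry.

```python
"""Triage script for the registry and file indicators listed above.

This is an added example, not code from the original description or from
Microsoft. Value names, paths and URLs come from the description; the
snapshot at the bottom is constructed for offline use and was not captured
from an infected host.
"""
import ntpath
import os
import sys
from typing import Dict, List, Tuple

# A registry value is addressed as (hive, subkey, value name).
RegValue = Tuple[str, str, str]

RUN_KEY = ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run")
WINLOGON_KEY = ("HKLM", r"Software\Microsoft\Windows NT\CurrentVersion\Winlogon")
IE_MAIN_KEY = ("HKCU", r"Software\Microsoft\Internet Explorer\Main")

# Indicators as given in the description.
SUSPECT_FILE = "system3_.exe"
SUSPECT_RUN_VALUE = "Yahoo Messengger"   # the misspelling is part of the indicator
SUSPECT_START_PAGE = "http://www.mydreamworld.50webs.com"
SUSPECT_PATHS = [r"%SystemRoot%\system3_.exe"]


def shell_entries(shell_data: str) -> List[str]:
    """Split a Winlogon 'Shell' value into program names.

    The value normally contains only 'explorer.exe'; the sample appends a
    second program. Commas and whitespace are both treated as separators so
    either form of tampering is caught, and paths are reduced to basenames.
    """
    return [ntpath.basename(p).lower()
            for p in shell_data.replace(",", " ").split()]


def analyze(snapshot: Dict[RegValue, str]) -> List[str]:
    """Return one finding per registry value that matches the indicators."""
    findings: List[str] = []
    for (hive, subkey, name), data in snapshot.items():
        key, low = (hive, subkey), data.lower()
        if key == RUN_KEY and (name == SUSPECT_RUN_VALUE or SUSPECT_FILE in low):
            findings.append(f"Run value {name!r} starts {data!r}")
        elif key == WINLOGON_KEY and name.lower() == "shell":
            extra = [e for e in shell_entries(data) if e != "explorer.exe"]
            if extra:
                findings.append(f"Winlogon Shell launches extra program(s): {extra}")
        elif key == IE_MAIN_KEY and name.lower() == "start page":
            if low.rstrip("/") == SUSPECT_START_PAGE:
                findings.append(f"IE Start Page set to {data!r}")
    return findings


def collect_live() -> Dict[RegValue, str]:
    """Read the three keys from the live registry (Windows only)."""
    import winreg  # standard library, present only on Windows
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    snapshot: Dict[RegValue, str] = {}
    for hive, subkey in (RUN_KEY, WINLOGON_KEY, IE_MAIN_KEY):
        try:
            with winreg.OpenKey(hives[hive], subkey) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:      # no more values under this key
                        break
                    if isinstance(data, str):
                        snapshot[(hive, subkey, name)] = data
                    index += 1
        except OSError:                  # key absent or access denied
            continue
    return snapshot


def existing_suspect_files() -> List[str]:
    """Expand %SystemRoot% and report which of the listed files exist here."""
    return [p for p in SUSPECT_PATHS if os.path.exists(os.path.expandvars(p))]


# Constructed snapshot: the three values from the description plus one
# benign Run entry, so a clean result is exercised as well.
SAMPLE_SNAPSHOT: Dict[RegValue, str] = {
    (*RUN_KEY, "Yahoo Messengger"): "system3_.exe",
    (*WINLOGON_KEY, "Shell"): "explorer.exe system3_.exe",
    (*IE_MAIN_KEY, "Start Page"): "http://www.mydreamworld.50webs.com",
    (*RUN_KEY, "OneDrive"): r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background",
}

if __name__ == "__main__":
    live = sys.platform == "win32"
    snapshot = collect_live() if live else SAMPLE_SNAPSHOT
    results = analyze(snapshot)
    if live:
        results += [f"file present: {p}" for p in existing_suspect_files()]
    for line in results or ["no indicators found"]:
        print(line)
```

Run it as a local administrator on the suspect host so the HKLM Winlogon key is readable; any program other than explorer.exe in the Shell value is worth investigating regardless of whether it matches this sample, which is why that check is generic while the Run and Start Page checks match the specific indicators.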

Connects to a remote host

We have seen this threat connect to a remote host, including:

h1.ripway.com using port 80

Malware can connect to a remote host to do any of the following:

Check for an Internet connection
Download and run files (including updates or other malware)
Report a new infection to its author
Receive configuration or other data
Receive instructions from a malicious hacker
Search for your PC location
Upload information taken from your PC
Validate a digital certificate

This malware description was published using automated analysis of file SHA1 117a7125204c3e6aac562c76fd05d6e45dcc9c49.

Last update 15 February 2019
