Worm:Win32/Nuqel.BW
First posted on 08 September 2019.
Source: Microsoft
Aliases:
Worm:Win32/Nuqel.BW is also known as W32/AutoRun-AOA, W32.Imaut, Mal_Utoti4.
Explanation:
Installation
This threat can create files on your PC, including:
%ALLUSERSPROFILE%\start menu\programs\startup\google.lnk
%SystemRoot%\securitysystem.exe
%USERPROFILE%\desktop\sioril.lnk
%USERPROFILE%\favorites\make friends.lnk
%USERPROFILE%\my documents\new jobs info.lnk
gogle.lnk
securitysystem.exe
It modifies the registry so that it runs each time you start your PC. For example:
In subkey: HKCU\software\microsoft\windows\currentversion\run
Sets value: "Yahoo Messengger"
With data: "securitysystem.exe"
In subkey: HKLM\software\microsoft\windows nt\currentversion\winlogon
Sets value: "Shell"
With data: "explorer.exe securitysystem.exe"
The default data for this value is "explorer.exe"; anything appended to it is launched by Winlogon at every interactive logon, so a Shell value that contains more than explorer.exe is a reliable indicator of tampering.
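The two registry changes above (the Run value and the Winlogon Shell value), together with the Internet Explorer start-page change described under Payload below, can be checked offline against a registry export. The following is an added example written for this page, not Microsoft's tooling or code from the worm; it parses the text format produced by `reg export` and flags the indicators listed in this description. The sample export embedded in the block is constructed, not taken from a real infection.

```python
"""Scan a Windows registry export (.reg text) for the Nuqel.BW persistence
and browser-hijack indicators listed on this page.

Added example, not Microsoft's tooling. SAMPLE_REG is a constructed
`reg export` file, not data from a real infection."""
import re
from urllib.parse import urlparse

# Indicators taken from the description on this page.
RUN_VALUE_NAME = "yahoo messengger"      # note the worm's own misspelling
DROPPED_EXE = "securitysystem.exe"
HIJACK_HOSTS = {"www.newjobsinfo.com", "www.sioril.com", "www.todaygoogle.com"}
EXPECTED_SHELL = "explorer.exe"          # default Winlogon\Shell data

_KEY_RE = re.compile(r"^\[(.+)\]$")
# "name"=data ; the default value (@=...) and hex continuation lines are ignored,
# since only REG_SZ values matter for these indicators.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    """Undo .reg escaping: \\ -> \ and \" -> " ."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} for string values."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)).lower()
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = _unescape(data[1:-1])   # REG_SZ; dword:/hex: kept raw
            keys[current][name] = data
    return keys


def find_indicators(keys):
    """Return (indicator, key, value_name, data) for every hit."""
    hits = []
    # Any Run key (HKCU or HKLM): the misspelled value name or the dropped binary.
    for k in (k for k in keys if k.endswith(r"\software\microsoft\windows\currentversion\run")):
        for name, data in keys[k].items():
            if name == RUN_VALUE_NAME or DROPPED_EXE in data.lower():
                hits.append(("run-key persistence", k, name, data))
    winlogon = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
    shell = keys.get(winlogon, {}).get("shell")
    if shell is not None and shell.strip().lower() != EXPECTED_SHELL:
        hits.append(("winlogon shell tampering", winlogon, "shell", shell))
    ie_main = r"hkey_current_user\software\microsoft\internet explorer\main"
    start = keys.get(ie_main, {}).get("start page")
    if start:
        host = urlparse(start if "://" in start else "http://" + start).hostname
        if host and host.lower() in HIJACK_HOSTS:
            hits.append(("ie start page hijack", ie_main, "start page", start))
    return hits


# Constructed sample export: one benign Run value beside the worm's entries.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"Yahoo Messengger"="securitysystem.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe securitysystem.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://www.todaygoogle.com/"
'''

if __name__ == "__main__":
    for hit in find_indicators(parse_reg_export(SAMPLE_REG)):
        print(" | ".join(hit))
```

Real `reg export` output is UTF-16 with a BOM, so read a collected file with `open(path, encoding="utf-16")` before passing it to `parse_reg_export`. The Winlogon check treats anything other than a bare `explorer.exe` as a hit; kiosk or custom-shell builds will trigger it legitimately, so confirm against the file indicators above before acting on it.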
It creates a scheduled task to automatically run files on your PC. This can include:
securitysystem.exe
Spreads through
Instant Messenger
The worm may spread using a number of different messaging applications, including Yahoo Messenger, AIM, Windows Messenger and Google Talk. It sends a message to all of your contacts with a link to a copy of itself.
Network shares
The worm also tries to spread through network shares by querying the registry and copying itself to any shared folders listed under the entry HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares. In this sample the copy was named New Folder.exe.
Removable drives
The worm copies itself to removable drives.
Payload
Changes web browser settings
It can change your Internet Explorer start page by modifying the following registry entry:
In subkey: HKCU\software\microsoft\internet explorer\main
Sets value: "Start Page"
With data: ""
We have seen it use the following URLs:
www.newjobsinfo.com
www.sioril.com
www.todaygoogle.com
Downloads data
The worm can download configuration data from a remote server and save the data as the following file:
%SystemRoot%\system32\setting.ini
It reads the locations of files to download from this configuration file, then downloads those files to %SystemRoot%\system32 and runs them.
We have seen it connect to the following servers to download its configuration file:
h1.ripway.com/datbas0100/setting.ini
h1.ripway.com/datbas051/setting.ini
h1.ripway.com/datbas052/setting.ini
h1.ripway.com/datbas053/setting.ini
h1.ripway.com/datbas054/setting.ini
h1.ripway.com/datbas055/setting.ini
h1.ripway.com/datbas056/setting.ini
h1.ripway.com/datbas057/setting.ini
h1.ripway.com/datbas058/setting.ini
h1.ripway.com/datbas059/setting.ini
h1.ripway.com/datbas060/setting.ini
h1.ripway.com/datbas061/setting.ini
h1.ripway.com/datbas062/setting.ini
h1.ripway.com/datbas063/setting.ini
h1.ripway.com/datbas064/setting.ini
h1.ripway.com/datbas065/setting.ini
h1.ripway.com/datbas066/setting.ini
h1.ripway.com/datbas067/setting.ini
h1.ripway.com/datbas068/setting.ini
h1.ripway.com/datbas069/setting.ini
h1.ripway.com/datbas070/setting.ini
h1.ripway.com/datbas071/setting.ini
h1.ripway.com/datbas072/setting.ini
h1.ripway.com/datbas073/setting.ini
h1.ripway.com/datbas074/setting.ini
h1.ripway.com/datbas075/setting.ini
h1.ripway.com/datbas076/setting.ini
h1.ripway.com/datbas077/setting.ini
h1.ripway.com/datbas078/setting.ini
h1.ripway.com/datbas079/setting.ini
h1.ripway.com/datbas080/setting.ini
h1.ripway.com/datbas081/setting.ini
h1.ripway.com/datbas082/setting.ini
h1.ripway.com/datbas083/setting.ini
h1.ripway.com/datbas084/setting.ini
h1.ripway.com/datbas085/setting.ini
h1.ripway.com/datbas086/setting.ini
h1.ripway.com/datbas087/setting.ini
h1.ripway.com/datbas088/setting.ini
h1.ripway.com/datbas089/setting.ini
h1.ripway.com/datbas090/setting.ini
h1.ripway.com/datbas091/setting.ini
h1.ripway.com/datbas092/setting.ini
h1.ripway.com/datbas093/setting.ini
h1.ripway.com/datbas094/setting.ini
h1.ripway.com/datbas095/setting.ini
h1.ripway.com/datbas096/setting.ini
h1.ripway.com/datbas097/setting.ini
h1.ripway.com/datbas098/setting.ini
h1.ripway.com/datbas099/setting.ini
h1.ripway.com/sdb050/setting.ini
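The configuration URLs above follow one naming scheme (datbas051 through datbas099, datbas0100 and sdb050 under h1.ripway.com), which makes them easy to match in web-proxy logs. The following is an added example for this page, not code from Microsoft or from the worm: it builds the exact URL set from the list, normalises logged URLs before comparison (scheme, port, case and query string are stripped), and additionally flags any other slot under the same scheme as a lower-confidence "family" match, which deliberately goes beyond the list on the page. The log format and the sample lines are constructed.

```python
"""Match the Nuqel.BW configuration-download URLs listed on this page against
web-proxy log lines.

Added example, not part of the original description. The log line format
and SAMPLE_LOG are constructed for the example."""
import re
from urllib.parse import urlparse

# Exact URLs from the list above: datbas051 .. datbas099, datbas0100 and sdb050.
CONFIG_URLS = {f"h1.ripway.com/datbas0{n}/setting.ini" for n in range(51, 100)}
CONFIG_URLS |= {"h1.ripway.com/datbas0100/setting.ini",
                "h1.ripway.com/sdb050/setting.ini"}

# Broader pattern for slots the page does not list. Assumption: the same
# naming scheme is used for other variants; treat these as lower confidence.
FAMILY_RE = re.compile(r"^h1\.ripway\.com/(?:datbas0\d{2,3}|sdb\d{3})/setting\.ini$", re.I)

# Constructed log format: "<iso-time> <client-ip> <method> <url> <status>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\d{3})$")


def normalize(url):
    """Reduce a URL to host/path: no scheme, port, query, fragment or case."""
    p = urlparse(url if "://" in url else "http://" + url)
    host = (p.hostname or "").lower()     # hostname already drops the port
    return f"{host}{p.path}"


def classify(url):
    """'known-config-url', 'config-url-family' or None."""
    key = normalize(url)
    if key in CONFIG_URLS:
        return "known-config-url"
    if FAMILY_RE.match(key):
        return "config-url-family"
    return None


def scan_log(lines):
    """Return (client_ip, url, verdict) for each line that matches an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue   # skip malformed lines instead of aborting the whole scan
        _ts, client, _method, url, _status = m.groups()
        verdict = classify(url)
        if verdict:
            hits.append((client, url, verdict))
    return hits


# Constructed sample: an exact hit, a benign request, an exact hit hidden
# behind case/port/query noise, an unlisted slot, a look-alike host and junk.
SAMPLE_LOG = """2019-09-08T10:01:02Z 10.0.0.5 GET http://h1.ripway.com/datbas057/setting.ini 200
2019-09-08T10:01:09Z 10.0.0.5 GET http://www.example.com/index.html 200
2019-09-08T10:02:41Z 10.0.0.9 GET HTTP://H1.RIPWAY.COM:80/datbas0100/setting.ini?x=1 404
2019-09-08T10:03:12Z 10.0.0.12 GET http://h1.ripway.com/datbas0123/setting.ini 200
2019-09-08T10:03:50Z 10.0.0.12 GET http://h1.ripway.com.evil.test/datbas051/setting.ini 200
garbage line""".splitlines()

if __name__ == "__main__":
    for client, url, verdict in scan_log(SAMPLE_LOG):
        print(f"{verdict:20} {client:12} {url}")
```

A 404 is still reported: the request itself shows an infected client polling for its configuration, whether or not the file was still hosted. The host check is anchored at the start of the normalised string, so `h1.ripway.com.evil.test` does not match; a suffix or substring match would.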
Stops processes and applications
The worm can stop the following processes:
Cmd.exe
game_y.exe
It can close application windows that have any of the following text in the window title:
Bkav2006
FireLion
Registry
System Configuration
Windows Task
Deletes registry data
The worm can delete the following registry entries belonging to security applications (autostart values under the Run keys):
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw
Downloads Yahoo Messenger
If your PC doesn't have Yahoo Messenger installed, the worm downloads and installs it automatically.
It uses hard-coded instant messages that contain an executable file or a link to a URL, which it sends to your contacts. If they click the link, the worm is installed on their PC.
We have seen it use the following messages:
"Hey what are you doing Please test my new webcam using private application"
"Hey Please help me to test my new cam, (use deepika213 as passcode) "
"The wisest mind has something yet to learn "
"Hey Please help me to test my new cam application "
"I was checking out yahoo members ENTER and i saw your page.. yahoo says you are my top match! :) .. view my private cam via secured connection (use password pass123 ) "
"Waiting for you, view my private cam via secured connection "
"Happiness is not a destination. It is a method of life "
"View my private cam via secured connection "
"If you want truly to understand something, try to change it "
"asl please I am 21 Female, Mumbai (India) and you? Hey View my private cam via secured connection "
Adds a Yahoo ID
It can add a dummy Yahoo ID to the infected user's account to aid its propagation. For this sample it used "foxjones9".
It creates shortcut links on your PC that point to certain websites, such as:
"hxxp://www.sioril.com" -> %USERPROFILE%\desktop\sioril.lnk
"hxxp://www.todaygoogle.com" -> %ALLUSERSPROFILE%\start menu\programs\startup\google.lnk
"hxxp://www.My3.in" -> %USERPROFILE%\favorites\make friends.lnk
"hxxp://www.todaygoogle.com" -> gogle.lnk
"hxxp://www.newjobsinfo.com" -> %USERPROFILE%\my documents\new jobs info.lnk
Additional information
This malware description was published using automated analysis of file SHA1 6e21d46fff879781f633eb6f2ee8c220195f9210.
Last update 08 September 2019