
Worm:Win32/Nuqel.H


First posted on 28 July 2019.
Source: Microsoft

Aliases :

Worm:Win32/Nuqel.H is also known as Win32/Nuqel.M, Trojan-Downloader.Win32.AutoIt.q, W32/Hakag-A, W32/YahLover.worm.gen, W32.Blastclan, WORM_SOHANAD.CY.

Explanation :

Worm:Win32/Nuqel.H is a worm that spreads via removable and shared drives.

Installation

Upon execution, Worm:Win32/Nuqel.H drops the following copies of itself with the read-only, system, and hidden file attributes:
<system folder>\scvhsot.exe
<system folder>\blastclnnn.exe
%windir%\hinhem.scr
%windir%\scvhsot.exe

Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

It modifies the system registry so that it runs every time Windows starts:
Modifies value: "Shell"
With data: "explorer.exe scvhsot.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

Adds value: "Yahoo Messengger"
With data: "scvhsot.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

It also drops the file "autorun.ini" in the Windows system folder, which enables this worm to run every time a folder is automatically opened (for example, when a user inserts a removable disk or a CD). Nuqel.H also schedules itself to run at 0900 every week day by creating a scheduled task using the AT command.

Spreads Via... Shared Drives
Worm:Win32/Nuqel.H enumerates shared drives by checking the values within the following registry subkey:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

It then copies itself in the root of the found shared drives as the following files:
New Folder.exe
scvhsot.exe

It also copies its dropped "autorun.ini" file as "auotorun.inf", setting its attributes to read-only, system, and hidden. It also copies itself as "scvhsot.exe" to all available subfolders found in a shared drive.
Removable Drives

Worm:Win32/Nuqel.H copies itself in the root of the found removable drives as the following files:
New Folder.exe
scvhsot.exe

It also copies its dropped "autorun.ini" file as "auotorun.inf", setting its attributes to read-only, system, and hidden. This file ensures that when a user inserts the removable drive into another system, the worm copies are automatically run. It also copies itself as "scvhsot.exe" to all available subfolders found in the removable drive.

Payload

Modifies System Settings

Disables the folder options of File Explorer (for example, so a user cannot change the options to view hidden files and folders):
Adds value: "NofolderOptions"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer

Ensures that a user can't view and stop processes using Task Manager:
Adds value: "DisableTaskMgr"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Removes the limit on how long scheduled tasks created by the AT command of the Schedule service are allowed to run:
Adds value: "AtTaskMaxHours"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule

Sets Internet connections to bypass a proxy:
Adds value: "ProxyBypass"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap

Sets Internet Explorer to start in offline mode:
Adds value: "GlobalUserOffline"
With data: "0"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings

Modifies the following registry subkey so that the file "new folder.exe" appears as a shared folder:
Adds value: "shared"
With data: "\new folder.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

This last registry modification gives the "New Folder.exe" file a folder icon, which can potentially trick a user into double-clicking (and thus executing) the worm copy.

Downloads Arbitrary Files/Updates
The worm checks the following domains for the file "setting.doc":
setting3.yeahost.com
setting3.9999mb.com
freewebs.com/setting3

If found, it saves the file to the System directory as "setting.ini". The worm then attempts to retrieve a number of files from a URL specified in setting.ini. Once downloaded, the files are dropped to the System directory and executed.

Sends Messages
Nuqel.H attempts to send a URL and a message sourced from the previously downloaded file, setting.ini, using Yahoo! Messenger. The message (Vietnamese-language text) is randomly chosen as one of the following:
"E may, vao day coi co con nho nay ngon lam "
"Vao day nghe bai nay di ban "
"Biet tin gi chua, vao day coi di "
"Trang Web nay coi cung hay, vao coi thu di "
"Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?  "
"Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... "
"Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... "
"Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... "
"Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon... "

Terminates Processes
Worm:Win32/Nuqel.H looks for open windows with the following titles and attempts to close them:
"System Configuration"
"Registry"
"Windows Tasks"

It also attempts to terminate the following processes if found running in the system:
cmd.exe
game_y.exe
Modifies Security Settings

Nuqel.H attempts to remove registry autostart entries for the following security programs:
"Bkav2006"
"[FireLion]"

Analysis by Francis Allan Tan Seng
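As an added example (not part of the Microsoft write-up), the following Python script checks a registry export (.reg text, as produced by reg export) for the persistence and policy-tampering values listed in the Installation and Payload sections above. The function names and the sample export are constructed for this example; the subkeys, value names and data are the ones described on this page.

```python
import re

# Registry artifacts from the write-up above: (subkey, value name, data check, finding).
NUQEL_INDICATORS = [
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell",
     lambda d: "scvhsot.exe" in d.lower(), "Winlogon Shell chained to scvhsot.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run", "Yahoo Messengger",
     lambda d: "scvhsot.exe" in d.lower(), "Run autostart for scvhsot.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NofolderOptions", lambda d: d == "1", "Folder Options removed from Explorer"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableTaskMgr", lambda d: d == "1", "Task Manager disabled"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule",
     "AtTaskMaxHours", lambda d: d == "0", "AT task runtime limit removed"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares",
     "shared", lambda d: "new folder.exe" in d.lower(), "fake share giving New Folder.exe a folder icon"),
]

def parse_reg_export(text):
    """Parse .reg text into {subkey: {value: data}}; names lowercased, DWORDs as decimal strings."""
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        key = re.match(r"^\[(.+)\]$", line)
        if key:
            current = tree.setdefault(key.group(1).lower(), {})
            continue
        val = re.match(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if val and current is not None:
            name, s, dw = val.groups()
            # .reg files double backslashes inside string data; undo that before comparing
            current[name.lower()] = str(int(dw, 16)) if dw is not None else s.replace("\\\\", "\\")
    return tree

def find_nuqel_indicators(reg_text):
    """Return the finding text for every indicator present in the export, in list order."""
    tree = parse_reg_export(reg_text)
    return [why for subkey, name, check, why in NUQEL_INDICATORS
            if (data := tree.get(subkey.lower(), {}).get(name.lower())) is not None and check(data)]

# Constructed sample export: three tampered values plus one benign Run entry.
SAMPLE_EXPORT = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe scvhsot.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares]
"shared"="\\new folder.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\system32\\ctfmon.exe"
'''
```

Run find_nuqel_indicators() on an export taken from a suspect host; every finding returned is a value the worm is documented to set and a remediation target.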

Last update 28 July 2019
