Worm:Win32/Nuqel.AE
First posted on 06 March 2019.
Source: Microsoft

Aliases:
Worm:Win32/Nuqel.AE is also known as Win32/Autoit.worm.678913, Trojan.Win32.Autoit.eg, Sohanad.gen5, Trojan.Autoit.DX, Worm/Autoit.ELU, TR/Autorun.617473, Win32/Armax.I, Win32.HLLW.Autoruner.11962, Win32/Autoit.DB, Trojan.Win32.Autoit, W32/Autorun.worm.g, W32/Sohanat.IZ, W32/Tiotua-R, Ardamax, W32.Imaut and WORM_OTOIT.SMT.

Explanation:
Worm:Win32/Nuqel.AE is a worm that spreads via removable drives, shared folders and messages sent through Yahoo! Messenger. It can terminate certain processes, modify certain system settings and disable registry editing.

Installation

On execution, Worm:Win32/Nuqel.AE checks whether it is running with full administrative privileges, and installs itself differently depending on the answer.

If it is running with full administrative privileges, it first deletes the following files, if they exist:
<system folder>\setup.ini
<system folder>\regsvr.exe
<system folder>\winhelp.exe
%windir%\regsvr.exe
%windir%\winhelp.exe

It then drops copies of itself as:
<system folder>\regsvr.exe
<system folder>\svchost .exe
%windir%\regsvr.exe

Note that <system folder> refers to a variable location that the malware determines by querying the operating system. The default System folder is C:\Winnt\System32 on Windows 2000 and NT, and C:\Windows\System32 on XP, Vista and 7. Note also that the legitimate Windows file "svchost.exe" (without the space between "svchost" and the ".exe" extension) lives in the same folder; the worm's copy relies on being mistaken for it.

It also drops the following file:
<system folder>\28463\svchost.exe - detected as MonitoringTool:Win32/Ardamax

It modifies the registry so that its dropped copies run every time Windows starts:
Adds value: "Msn Messsenger" (sic)
With data: "<system folder>\regsvr.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Modifies value: "Shell"
From data: "Explorer.exe" (default value)
To data: "Explorer.exe regsvr.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Because Winlogon launches the Shell value at logon, this second entry keeps the worm running even if the Run entry is removed.

It also creates a scheduled job that executes one of its copies every day at 09:00.

If it is running without full administrative privileges, it instead copies itself as:
%APPDATA%\regsvr.exe
%APPDATA%\setup.ini

It also drops the following file:
%APPDATA%\support\svchost.exe - detected as MonitoringTool:Win32/Ardamax

It modifies the registry so that its dropped copies run every time Windows starts:
Adds value: "Msn Messsenger" (sic)
With data: "%APPDATA%\regsvr.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Adds value: "Yahoo Messsenger" (sic)
With data: "%APPDATA%\support\regsvr.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run

Spreads via...

Removable drives and shared folders
For each shared path listed under the registry subkey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares, Worm:Win32/Nuqel.AE copies itself into that path as the following files:
"New folder.exe"
"regsvr.exe"

It also copies itself into every folder as "<folder name>.exe". For example, if a folder named "folder" exists, the worm copy is named "folder.exe", so that with file extensions hidden the copy looks like the folder itself.

It also copies its dropped file "<system folder>\setup.ini" into the shared or removable folder as "autorun.inf", so that the worm copy "regsvr.exe" runs automatically when the drive is opened if Autorun is enabled.

It also adds a registry entry so that a path containing a worm copy is shared on the network:
Adds value: "shared"
With data: the path of a worm copy named "New folder.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

Yahoo! Messenger
Worm:Win32/Nuqel.AE attempts to send an instant message containing a URL to all contacts every 30 minutes. The URL is taken from a previously downloaded configuration file (see the Payloads section below). If the URL cannot be found in the configuration file, or the file itself cannot be found, the worm sends an instant message with the following link:
ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk/selfextract.exe

The message text is chosen at random from messages stored in the configuration file. If the configuration file holds no message data, or cannot be found, the message is chosen at random from the following:
"Aishwarya Rai videos "
"cyber cafe scandal visit "
"Free mobile games "
"Latest video shot of infosys girl "
"Nfs carbon download "
"Nse going to crash for more "
"Regular monthly income by wearing your shorts at the comfort of your home for more info "
"stream Video of Nayanthara and Simbu "
"World Business news broadcaster "

Payloads

Downloads arbitrary files
Every two hours, Worm:Win32/Nuqel.AE checks a location on the domain "yahoo.com" for the following configuration files:
setting.doc
setting.xls
Once either file is found, it is saved as "<system folder>\setting.ini". The worm then attempts to retrieve files from a URL specified in this configuration file. If a file is found, it is downloaded into the Windows system folder with the hidden, system and read-only attributes set, and then run.

Terminates processes
Worm:Win32/Nuqel.AE looks for open windows whose titles contain the following strings and attempts to close them:
"[FireLion]"
"Bkav2006"
"Registry" (registry editors)
"System Configuration" (msconfig.exe)
"Windows mask"

It also attempts to terminate the process "game_y.exe", which may belong to other malware, if it is found running.

Modifies the system registry
Worm:Win32/Nuqel.AE deletes the following autorun registry entries:

Deletes the autorun entry for the Bkav2006 program:
Deletes value: "BkavFw"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Deletes the autorun entry for the FireLion program:
Deletes value: "IEProtection"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

Modifies system settings
Worm:Win32/Nuqel.AE changes the following registry entries:

Removes the limit on how long scheduled tasks created with the AT command of the Scheduler service may run:
Adds value: "AtTaskMaxHours"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule

Disables Windows registry tools such as Registry Editor:
Adds value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Analysis by Rodel Finones
Last update 06 March 2019
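The following triage script is an added example, not part of Microsoft's entry or tooling. It checks a host for the indicators the Installation, Spreads via, Payloads and Modifies system settings sections describe (dropped files, the two Run values, the Winlogon Shell change, the scheduled job, the AtTaskMaxHours and DisableRegistryTools policies, and the artifacts left on a removable drive or share). It assumes that the entry's <system folder> is %windir%\System32 (and SysWOW64 on 64-bit Windows, where a 32-bit process is redirected), that %APPDATA% maps to $env:APPDATA, and that all file and value names are exactly as printed above. The function names and the report layout are the example's own.

```powershell
# Added triage script for the Worm:Win32/Nuqel.AE indicators listed in this entry (PowerShell 3 or later).
# It is not Microsoft's tooling: it only reports what it finds and changes nothing.
# Assumptions: <system folder> is %windir%\System32 (plus SysWOW64 on 64-bit Windows, where a 32-bit process
# is redirected), and file/value names are exactly as printed above, including "svchost .exe" with its space.

$sysDirs = @('System32', 'SysWOW64') | ForEach-Object { Join-Path $env:windir $_ } | Where-Object { Test-Path $_ }
$runKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'

function New-Finding($Type, $Indicator, $Value) {
    [pscustomobject]@{ Type = $Type; Indicator = $Indicator; Value = $Value }
}

function Test-NuqelFiles {
    # Worm copies and the Ardamax keylogger it drops, for both the admin and the non-admin install paths.
    $paths = @()
    foreach ($d in $sysDirs) {
        $paths += @('regsvr.exe', 'svchost .exe', '28463\svchost.exe', 'setup.ini', 'setting.ini') |
            ForEach-Object { Join-Path $d $_ }
    }
    $paths += @('regsvr.exe', 'winhelp.exe') | ForEach-Object { Join-Path $env:windir $_ }
    $paths += @('regsvr.exe', 'setup.ini', 'support\svchost.exe') | ForEach-Object { Join-Path $env:APPDATA $_ }
    foreach ($p in $paths) {
        # -Force so a hidden/system file (the downloaded payload is dropped that way) is still returned
        $f = Get-Item -LiteralPath $p -Force -ErrorAction SilentlyContinue
        if ($f) { New-Finding 'File' $p ('{0} bytes, {1}' -f $f.Length, $f.Attributes) }
    }
}

function Get-RegValue($Path, $Name) {
    # Returns $null when the key or the value is absent, instead of throwing
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name } else { $null }
}

function Test-NuqelRegistry {
    $checks = @(
        @{ Path = $runKey; Name = 'Msn Messsenger';   Bad = { param($v) $null -ne $v } },
        @{ Path = $runKey; Name = 'Yahoo Messsenger'; Bad = { param($v) $null -ne $v } },
        # Winlogon Shell should be exactly explorer.exe; the worm appends " regsvr.exe"
        @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell';
           Bad = { param($v) ($null -ne $v) -and ($v -ne 'explorer.exe') } },
        @{ Path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools';
           Bad = { param($v) $v -eq 1 } },
        # 0 removes the runtime limit on AT jobs, which keeps the worm's scheduled copy alive
        @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'; Name = 'AtTaskMaxHours';
           Bad = { param($v) $v -eq 0 } },
        @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'; Name = 'shared';
           Bad = { param($v) "$v" -match 'New folder\.exe' } }
    )
    foreach ($c in $checks) {
        $v = Get-RegValue $c.Path $c.Name
        if (& $c.Bad $v) { New-Finding 'Registry' "$($c.Path)\$($c.Name)" $v }
    }
}

function Test-NuqelScheduledTask {
    # The worm schedules a daily 09:00 run of one of its copies; schtasks exists from XP through current Windows
    schtasks /query /fo CSV /v 2>$null | ConvertFrom-Csv |
        Where-Object { $_.'Task To Run' -match 'regsvr\.exe|svchost \.exe' } |
        ForEach-Object { New-Finding 'Task' $_.TaskName $_.'Task To Run' }
}

function Find-NuqelDriveArtifacts {
    param([Parameter(Mandatory = $true)][string]$Root)   # e.g. 'E:\' or '\\server\share'
    # Artifacts the worm leaves on removable drives and shares: autorun.inf pointing at regsvr.exe,
    # the fixed-name copies, and a copy named after each folder ("<folder name>.exe").
    foreach ($n in @('autorun.inf', 'regsvr.exe', 'New folder.exe')) {
        $p = Join-Path $Root $n
        if (Test-Path -LiteralPath $p) { New-Finding 'Drive' $p 'fixed-name artifact' }
    }
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
        # The entry's wording allows the copy beside the folder or inside it; check both
        $twins = @((Join-Path $_.Parent.FullName "$($_.Name).exe"), (Join-Path $_.FullName "$($_.Name).exe"))
        foreach ($t in $twins) {
            if (Test-Path -LiteralPath $t) { New-Finding 'Drive' $t 'copy named after a folder' }
        }
    }
}

# Usage: .\Find-NuqelAE.ps1 [<drive root or share to scan>]
$findings = @(Test-NuqelFiles) + @(Test-NuqelRegistry) + @(Test-NuqelScheduledTask)
if ($args.Count -gt 0) { $findings += @(Find-NuqelDriveArtifacts -Root $args[0]) }
if ($findings.Count -eq 0) { 'No Nuqel.AE indicators found.' } else { $findings | Format-Table -AutoSize }
```

Run it from an elevated prompt so the HKLM keys, the System32 paths and the task list are readable. The DisableRegistryTools policy only blocks regedit.exe, not the registry API, so the PowerShell registry provider still reads the policy and, once the worm's processes are stopped, can restore the values the entry lists (Shell back to "Explorer.exe", the two Run values and the "shared" value removed, AtTaskMaxHours and DisableRegistryTools deleted or reset). Treat any hit on "svchost .exe" or on a "<folder name>.exe" twin as confirmed rather than suspicious: no legitimate Windows component uses those names.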