
Worm:Win32/Nekav.C


First posted on 06 August 2010.
Source: SecurityHome

Aliases :

Worm:Win32/Nekav.C is also known as Packed.Win32.Krap.w (Kaspersky), Win32/Kryptik.BPF (ESET), Mal/Bredo-E (Sophos), Trojan.Win32.Bredolab.Gen.1 (Sunbelt Software).

Explanation :

Worm:Win32/Nekav.C is a worm that spreads to all writeable drives, including removable drives and network shares. It displays a fake warning message accusing the user of having unlicensed software and prompting the user to purchase a license by sending an SMS to a specific number. Without the unlock code that supposedly comes with the purchase, the warning message remains on top of all other programs, preventing the user from accessing the desktop properly.

Worm:Win32/Nekav.C is a worm that spreads to all writeable drives, including removable drives and network shares. It modifies certain important system settings. It displays a fake warning message accusing the user of having unlicensed software and prompting the user to purchase a license by sending an SMS to a specific number. Without the unlock code that supposedly comes with the purchase, the warning message remains on top of all other programs, preventing the user from accessing the desktop properly.

Installation

Worm:Win32/Nekav.C arrives on the computer as the following .DLL file:

  • %Temp%\phivte.dll

The DLL exports the following functions:

  • Install
  • Open
  • Setup
  • Start

It copies itself as the following file:

  • %windir%\iexplore.exe

Note: "iexplore.exe" is also the legitimate file name of the main executable for Internet Explorer, which is found by default in "%ProgramFiles%\Internet Explorer", not directly in %windir%.

When executed, Worm:Win32/Nekav.C creates a mutex to check that only one instance of itself is running in memory. To evade analysis, it terminates itself if any of the following conditions are true:

  • it is running in a virtualized environment
  • it is running under a debugger
  • a SoftIce kernel debugger is active on the computer

Spreads via...

Logical drives

Worm:Win32/Nekav.C attempts to write the following files to all drives from A: to Z:

  • <recycler folder>\<file name>.exe - copy of the worm
  • autorun.inf - INF file that causes the worm copy to run automatically when the drive is accessed and Autorun is enabled

Payload

Modifies system settings

Worm:Win32/Nekav.C may change the settings of certain system tools by modifying their corresponding registry entries:

  • Disables System Restore:
    Adds value: "DisableConfig"
    With data: "1"
    In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
  • Changes the way hidden files and folders are displayed (protected operating system files stay hidden):
    Adds value: "ShowSuperHidden"
    With data: "0"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Disables Trend Micro HijackThis (its own AppInit_DLLs entry is added to the tool's ignore list, so the O20 finding is not reported):
    Adds value: "Ignore1"
    With data: "o20 - appinit_dlls: %Temp%\phivte.dll"
    In subkey: HKLM\SOFTWARE\TrendMicro\HijackThis
  • Disables registry tools:
    Adds value: "DisableRegistryTools"
    With data: "1"
    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Prevents access to the desktop

Worm:Win32/Nekav.C displays a dialog box similar to the following:

The dialog box warns the user that they have breached the license agreement for a program called "Best Netspeed Pro" and that, because of this, they have to purchase a license for the product. The user is asked to send a message to a certain number, after which they will receive a code. If no code is entered, the dialog box remains on top of all other programs, preventing the user from properly accessing the desktop.
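The following PowerShell script is an added example for responders, not part of the original analysis: it audits a host for the file, autorun and registry indicators listed above and, with -Revert, removes the registry values the worm adds. It assumes PowerShell 3 or later, an elevated session for the HKLM paths, and that the "recycler folder" on the page is a root-level RECYCLER directory (the Windows XP name).

```powershell
param([switch]$Revert)

# Registry values the description says the worm adds. For the HijackThis ignore
# entry any data naming phivte.dll counts as a hit, so Bad is left as $null there.
$regIndicators = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';          Name = 'DisableConfig';        Bad = '1'   },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';   Name = 'ShowSuperHidden';      Bad = '0'   },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';     Name = 'DisableRegistryTools'; Bad = '1'   },
    @{ Key = 'HKLM:\SOFTWARE\TrendMicro\HijackThis';                                 Name = 'Ignore1';              Bad = $null }
)

$findings = @()
foreach ($r in $regIndicators) {
    if (-not (Test-Path $r.Key)) { continue }
    $item = Get-ItemProperty -Path $r.Key -ErrorAction SilentlyContinue
    if ($null -eq $item -or -not ($item.PSObject.Properties.Name -contains $r.Name)) { continue }
    $data = [string]$item.($r.Name)
    $hit = if ($null -eq $r.Bad) { $data -match 'phivte\.dll' } else { $data -eq $r.Bad }
    if ($hit) {
        $findings += "Registry: $($r.Key)\$($r.Name) = '$data'"
        # Deleting the value restores the default for each of these policy settings.
        if ($Revert) { Remove-ItemProperty -Path $r.Key -Name $r.Name -ErrorAction SilentlyContinue }
    }
}

# Dropped files named in the description. The legitimate iexplore.exe lives under
# %ProgramFiles%\Internet Explorer, so a copy directly in %windir% is suspicious.
foreach ($f in @("$env:TEMP\phivte.dll", "$env:windir\iexplore.exe")) {
    if (Test-Path $f) { $findings += "File: $f" }
}

# autorun.inf at the root of every filesystem drive, plus any .exe under a RECYCLER folder.
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $root = $d.Root
    if (Test-Path (Join-Path $root 'autorun.inf')) { $findings += "Autorun: $(Join-Path $root 'autorun.inf')" }
    Get-ChildItem -Path (Join-Path $root 'RECYCLER') -Filter *.exe -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object { $findings += "Recycler exe: $($_.FullName)" }
}

if ($findings.Count -eq 0) { 'No Worm:Win32/Nekav.C indicators found.' } else { $findings }
```

Files reported by the script are left in place so they can be preserved for analysis; only the registry values are reverted.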

    Analysis by Daniel Radu

    Last update 06 August 2010
