Worm:Win32/Nuqel.AF
First posted on 08 June 2010.
Source: SecurityHome
Aliases :
Worm:Win32/Nuqel.AF is also known as Win32/Autorun.worm.287566 (AhnLab), Worm.Win32.AutoRun.amnl (Kaspersky), AutoRun.RMM (Norman), Worm.Win32.Autorun (Ikarus), W32/Autorun.worm.zf.gen (McAfee), W32/KillAV.MI (Panda), WORM_PATCH.RL (Trend Micro).
Explanation :
Worm:Win32/Nuqel.AF is a worm that spreads by copying itself to removable drives. It also modifies various computer settings, such as disabling System Registry tools, hiding files and folders, and terminating processes.
Installation
Worm:Win32/Nuqel.AF drops a copy of itself as one of the following files:
%AppData%\lsass.exe
OR
%AppData%\Thumbs.bd.exe
Note 1 - %APPDATA% refers to a variable location that is determined by the malware by querying the Operating System. The default location of this folder for Windows 2000 and NT is C:\Documents and Settings\<user>\Application Data; and for XP, Vista, and 7 is C:\Users\<user>\AppData\Roaming.
Note 2 - Users should also note that a legitimate file exists that is also named "lsass.exe", and is installed by default in the Windows system folder.
The worm modifies the system registry so that its copy automatically starts every time Windows starts or when the dropped JPG file ("a.s.k.jpg") is opened:
Adds value: "AASSKK2"
With data: "%AppData%\lsass.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via...
Removable drives
Worm:Win32/Nuqel.AC drops a copy of itself in the root folder of all removable drives using the following file names:
ask2.exe
a.s.k.jpg.exe
Worm:Win32/Nuqel.AC then writes an autorun configuration file named "autorun.inf" pointing to one of the files listed above. When the removable or networked drive is accessed from another computer supporting the Autorun feature, the malware is launched automatically. It also drops a clean image file named "a.s.k.jpg".
Payload
Modifies computer settings
Worm:Win32/Nuqel.AC makes the following registry modifications:
To hide hidden files:
Adds value: "CheckedValue"
With data: "2"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
To disable System Registry Tools:
Adds value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
To hide file extensions:
Adds value: "CheckedValue"
With data: "2"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
Terminates processes
Worm:Win32/Nuqel.AC also attempts to terminate the following processes:
Regedit.exe
MSConfig.exe
Antivirus
A.S.K.exe
RUN.exe
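As an added example (not part of the original write-up), the following Python script checks host artifacts against the indicators listed above: exported registry values, the launch targets of an autorun.inf from a removable drive, and an lsass.exe path that is not in the system folder (Note 2). The (subkey, value name, data) tuple format for registry exports is an assumption of this example.

```python
import configparser
import ntpath

# Registry modifications documented in the write-up, as (subkey, value name, data).
# data None means any data is a hit (the Run value's data varies with %AppData%).
REGISTRY_INDICATORS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "AASSKK2", None),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools", "1"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden",
     "CheckedValue", "2"),
    (r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt",
     "CheckedValue", "2"),
]
# File names the worm drops in the root of removable drives.
DROPPED_NAMES = {"ask2.exe", "a.s.k.jpg.exe"}


def scan_registry(entries):
    """entries: (subkey, value name, data) tuples exported from a host (assumed format).
    Returns the indicators that matched; subkey and value name compare case-insensitively."""
    seen = {(k.lower(), n.lower()): str(d) for k, n, d in entries}
    hits = []
    for subkey, name, data in REGISTRY_INDICATORS:
        found = seen.get((subkey.lower(), name.lower()))
        if found is not None and (data is None or found == data):
            hits.append(f"{subkey}\\{name} = {found}")
    return hits


def autorun_targets(inf_text):
    """Return the executables an autorun.inf would launch (open= / shellexecute=)."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(inf_text)
    section = next((s for s in cp.sections() if s.lower() == "autorun"), None)
    if section is None:
        return []
    return [cp[section][k].strip().lower() for k in ("open", "shellexecute") if k in cp[section]]


def autorun_points_to_worm(inf_text):
    """True when any launch target is one of the file names from the write-up."""
    return any(ntpath.basename(t) in DROPPED_NAMES for t in autorun_targets(inf_text))


def suspicious_lsass(path):
    """Note 2: the legitimate lsass.exe lives in the system folder (System32);
    a file of that name under %AppData% or anywhere else is suspect."""
    folder, name = ntpath.split(path)
    return name.lower() == "lsass.exe" and not folder.lower().endswith("\\system32")
```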
Analysis by Lena Lin. Last update 08 June 2010.