Home / malwarePDF  

Worm:Win32/Nuqel.BU


First posted on 29 October 2014.
Source: Microsoft

Aliases :

There are no other names known for Worm:Win32/Nuqel.BU.

Explanation :

Threat behavior

Installation

Worm:Win32/Nuqel.BU copies itself to the following locations:



  • %windir%\gphone.exe



  • \gphone.exe

The malware changes the following registry entries so that it runs each time you start your PC:

Sets value: "Shell"
With data: "explorer.exe gphone.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon The malware creates the following files on your PC:
  • \autorun.ini - detected as Worm:Win32/Sohanad.AW!inf
  • \setting.ini
The malware tries to create a scheduled Windows task that runs the worm at 09:00 am every day of the week, by running the following Windows shell command instruction:

cmd.exe /C AT /delete /yes
cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su \gphone.exe

Payload

Changes system settings

Worm:Win32/Nuqel.BU overrides the timeout period so that scheduled tasks aren't stopped after a timeout. It does this by making the following registry change:

Sets value: "AtTaskMaxHours"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule Contacts remote hosts

The malware may contact the following remote hosts using port 80:

  • gototalgo.googlepages.com
  • rnd009.googlepages.com
  • seeprivatecam.googlepages.com

Commonly, malware does this to:
  • Confirm Internet connectivity
  • Report a new infection to its author
  • Receive configuration or other data
  • Download and run files, including updates or other malware
  • Receive instructions from a remote hacker
  • Upload data taken from your PC
This malware description was produced and published using automated analysis of file SHA1 bc4598426b0048710125371b698ede5f7b3ad06c.Symptoms

System changes

The following could indicate that you have this threat on your PC:

  • You have these files:

    %windir%\gphone.exe
    \autorun.ini
    \gphone.exe
    \setting.ini
  • You see these entries or keys in your registry:

    Sets value: "Shell"
    With data: "explorer.exe gphone.exe"
    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Sets value: "AtTaskMaxHours"
    With data: "0"
    In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule

Last update 29 October 2014

 

TOP

Malware :

Family: