Worm:Win32/Nekav.A is a worm that can spread via removable drives. It interferes with normal use of the computer by displaying a splash image that asks the user to send a code in order to supposedly resume normal work.
It terminates certain processes and deletes certain files, most of which are related to security and antivirus programs. It also modifies certain system settings.
Installation
Worm:Win32/Nekav.A can check whether it is being run under a user-level debugger, SoftICE, or a virtual machine, among other anti-debugging techniques. If any of these conditions apply, it terminates without completing its routines. Otherwise, it can install itself using one of several methods:
It may look for a candidate host file under %windir%\Help or %windir%\Inf and copy itself, under a random name, into an alternate data stream (ADS) of that file:
%windir%\Help\<host file>:<random malware name>
%windir%\Inf\<host file>:<random malware name>
for example:
C:\WINDOWS\Help\taskmgr.chm:HFheII/SmAi8EXC8BD
It can also drop a randomly named copy of itself in the Windows system folder and the Temporary Files folder.
Worm:Win32/Nekav.A creates the following registry entry so that it executes every time Windows starts:
Adds value: "AppInit_Dlls"
With data: "<malicious file name>"
In subkey: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows
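An added triage script (written for this page, not part of the original analysis) that looks for the two installation traces described above: non-default NTFS alternate data streams on files under %windir%\Help and %windir%\Inf, and the contents of the AppInit_DLLs load point. It assumes Windows PowerShell 5.1 (Get-Item -Stream needs 3.0 or later; -Encoding Byte is the 5.1 spelling, PowerShell 7 uses -AsByteStream), and the Wow6432Node key and LoadAppInit_DLLs value are standard Windows locations not mentioned in the write-up.

```powershell
function Test-PeStream {
    # $true when the named stream begins with the 'MZ' header of a Windows executable.
    param([string]$File, [string]$Stream)
    $b = Get-Content -LiteralPath $File -Stream $Stream -Encoding Byte -TotalCount 2 -ErrorAction SilentlyContinue
    return ($b.Count -eq 2 -and $b[0] -eq 0x4D -and $b[1] -eq 0x5A)
}

function Get-SuspiciousAds {
    # Default folders are the two the write-up names; pass others to widen the sweep.
    param([string[]]$Folders = @("$env:windir\Help", "$env:windir\Inf"))
    foreach ($folder in $Folders) {
        Get-ChildItem -LiteralPath $folder -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
            # Every file has the unnamed ':$DATA' stream; any other stream is an ADS.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } | ForEach-Object {
                    [pscustomobject]@{
                        HostFile = $_.FileName
                        Stream   = $_.Stream
                        Bytes    = $_.Length
                        # Zone.Identifier is the common benign ADS written by browsers and mail clients.
                        Benign   = ($_.Stream -eq 'Zone.Identifier')
                        IsPE     = Test-PeStream -File $_.FileName -Stream $_.Stream
                    }
                }
        }
    }
}

function Get-AppInitDlls {
    # Load point named in the write-up; the Wow6432Node copy also matters on 64-bit hosts.
    $keys = @('HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
              'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows')
    foreach ($key in $keys) {
        $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if ($null -ne $p) {
            [pscustomobject]@{
                Key          = $key
                AppInit_DLLs = $p.AppInit_DLLs       # empty on a clean system
                LoadEnabled  = $p.LoadAppInit_DLLs   # Vista and later only; 1 = DLLs are loaded
            }
        }
    }
}

Get-SuspiciousAds | Where-Object { -not $_.Benign } | Format-Table -AutoSize
Get-AppInitDlls | Format-List
```

Any stream reported with IsPE = True on a file under Help or Inf deserves a closer look; a non-empty AppInit_DLLs value pointing at a randomly named file in the system or Temp folder matches the persistence described above.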
Spreads via...
Logical drives
Worm:Win32/Nekav.A enumerates drives from A: to Z: in search of removable drives. It copies itself to the following location, along with an "autorun.inf" file that causes it to run automatically whenever the drive is accessed and Autorun is enabled:
<Drive>\recycler\<random malware name> - copy of itself
Both the dropped malware file and the "autorun.inf" file are hidden from view.
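An added triage script (written for this page, not the analyst's own tooling) that inspects every removable drive for the two artefacts described above, a hidden "autorun.inf" and a hidden "recycler" folder, reports which Autorun directives the file would execute, and checks the NoDriveTypeAutoRun policy that neutralises this spreading method. Drive letters and file names come from the running system; the policy key is a standard Windows location not mentioned in the write-up.

```powershell
function Get-RemovableDriveAutorun {
    # DriveType 2 = removable disk. Get-Item needs -Force to see hidden/system entries.
    foreach ($d in (Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2')) {
        $root = "$($d.DeviceID)\"
        $inf  = Get-Item -LiteralPath (Join-Path $root 'autorun.inf') -Force -ErrorAction SilentlyContinue
        $rec  = Get-Item -LiteralPath (Join-Path $root 'recycler')    -Force -ErrorAction SilentlyContinue
        $launch = @()
        if ($inf) {
            # Directives that make Autorun start a program: open=, shellexecute=, shell\<verb>\command=
            $launch = @(Get-Content -LiteralPath $inf.FullName -ErrorAction SilentlyContinue |
                Where-Object { $_ -match '^\s*(open|shellexecute|shell\\[^\\]+\\command)\s*=' })
        }
        $recFiles = @()
        if ($rec) {
            $recFiles = @(Get-ChildItem -LiteralPath $rec.FullName -File -Force -ErrorAction SilentlyContinue |
                Select-Object -ExpandProperty Name)
        }
        [pscustomobject]@{
            Drive            = $d.DeviceID
            AutorunInf       = [bool]$inf
            AutorunHidden    = [bool]($inf -and ($inf.Attributes -band [IO.FileAttributes]::Hidden))
            LaunchDirectives = $launch -join '; '
            RecyclerHidden   = [bool]($rec -and ($rec.Attributes -band [IO.FileAttributes]::Hidden))
            RecyclerFiles    = $recFiles -join ', '
        }
    }
}

function Get-AutorunPolicy {
    # NoDriveTypeAutoRun = 0xFF (255) disables Autorun for every drive type; HKLM takes precedence.
    foreach ($hive in 'HKLM', 'HKCU') {
        $key = "${hive}:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer"
        $v = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).NoDriveTypeAutoRun
        [pscustomobject]@{ Hive = $hive; NoDriveTypeAutoRun = $v; AllDisabled = ($v -eq 255) }
    }
}

Get-RemovableDriveAutorun | Format-List
Get-AutorunPolicy | Format-Table -AutoSize
```

A hidden autorun.inf whose launch directive points into a hidden recycler folder is the pattern described above; AllDisabled = False on both hives means the drive would still be executed on insertion where Autorun is honoured.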
Payload
Displays splash screen
Once Worm:Win32/Nekav.A has infected the computer, it displays a splash screen that demands a code from the user before the computer can be used again. The screen is currently linked to a pornographic site and is in Russian.
Modifies system settings
Worm:Win32/Nekav.A disables numerous system policies via registry modification:
- Disables System Restore:
Adds value: "DisableConfig"
With data: "0x01"
Adds value: "DisableSR"
With data: "0x01"
In subkey: HKLM\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
- Disables registry editor:
Adds value: "DisableRegistryTools"
With data: "0x01"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Disables Task Manager:
Adds value: "DisableTaskMgr"
With data: "0x01"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Modifies Explorer's hidden-file display settings:
Adds value: "ShowHidden"
With data: "0x02"
Adds value: "ShowSuperHidden"
With data: "0x00"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
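An added audit script (written for this page, not part of the original analysis) that compares the six registry values listed above with the state the worm leaves them in and, when run with -Restore, removes the four policy values (re-enabling System Restore, Registry Editor and Task Manager) and sets the two Explorer values to 1 so hidden files are visible during clean-up. The value names are taken exactly as the write-up gives them; the HKLM entries need an elevated prompt.

```powershell
$PolicyChecks = @(
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableConfig';        Worm = 1; Fix = $null },
    @{ Key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore';        Name = 'DisableSR';            Worm = 1; Fix = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools'; Worm = 1; Fix = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr';       Worm = 1; Fix = $null },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowHidden';           Worm = 2; Fix = 1 },
    # ShowSuperHidden = 0 is also Explorer's out-of-box state, so on its own it is weak evidence.
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'; Name = 'ShowSuperHidden';      Worm = 0; Fix = 1 }
)

function Test-NekavPolicy {
    param([switch]$Restore)
    foreach ($c in $PolicyChecks) {
        # Absent key or value yields $null, which never matches the worm's setting.
        $cur   = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
        $match = ($null -ne $cur) -and ($cur -eq $c.Worm)
        if ($Restore -and $match) {
            if ($null -eq $c.Fix) {
                # Policy values are absent on an unmanaged system; removing them re-enables the tool.
                Remove-ItemProperty -Path $c.Key -Name $c.Name
            } else {
                Set-ItemProperty -Path $c.Key -Name $c.Name -Value $c.Fix -Type DWord
            }
        }
        [pscustomobject]@{
            Key = $c.Key; Name = $c.Name; Current = $cur
            WormValue = $c.Worm; MatchesWorm = $match; Restored = [bool]($Restore -and $match)
        }
    }
}

Test-NekavPolicy | Format-Table -AutoSize
```

Run Test-NekavPolicy first to see which values match, then Test-NekavPolicy -Restore once the running malware has been stopped, since the write-up notes it re-applies these settings while active.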
Terminates processes and deletes files
Worm:Win32/Nekav.A is capable of terminating several processes, such as the following:
alg.exe
anvir.exe
cmd.exe
ctfmon.exe
drwatson.exe
equi.exe
far.exe
isuspm.exe
lsass.exe
msacui.exe
punto.exe
regedit.exe
rthdcpl.exe
services.exe
svchost.exe
taskmgr.exe
userinit.exe
wmiprvse.exe
wsntfy.exe
It also closes windows with titles containing any of the following strings; most of these are related to anti-malware programs and other legitimate applications:
A-Squared
Ad-Aware
Ahnlab
Anti-Malware
Antimalvare
Antispyware
Antivirus
Anvir
Auto Update
Autoruns
Autostart
Avast
Avg
Avira
Avz
Bitdefender
Cmd.Exe
Defensewall
Download Master
Dr.Web
Eset
F-Prot
F-Secure
Far
G Data
Gmer
Hijack
Hijackthis
Internet Security
K7Totalsecurity
Kaspersky
Liveinstall
Liveupdate
Log
Malware
Malwarebytes
Manipulation
Mcafee
Nod32
Osam
Outpost
Pc Tools
Process Explorer
Process Monitor
Process Viewer
Ptstartmon
Quick Heal
Regedit
Removal
Rootkit
Security
Sms
Spyware
Startup
Sysinternals
Termination
Total Commander
Trend
Trendmicro
Trojan
Vba32
Vipre
Virus
Virustotal
Winlock
X-Core
Zillya
Worm:Win32/Nekav.A deletes the following files, which may also be related to anti-malware applications:
a2exec64.sys
a2guard.exe
a2hijackfree.exe
a2scan.exe
a2service.exe
a2upd.exe
a2update.dll
aavm4h.dll
aavmguih.dll
aavmker4.sys
aavmrpch.dll
acaif.exe
acappaa.exe
acnlibdy.dll
actskin4.ocx
actxmod.dll
ad-aware.exe
adkrnl.dll
aecore.dll
aeoffice.dll
aepack.dll
aescript.dll
afm.dll
afmain.exe
afnotint.dll
afnotsys.dll
afolui.dll
afquavw.exe
afw.sys
afwcon.exe
afwcore.sys
afwmod.exe
ahascr.dll
ahjsctns.dll
ahni18n.dll
ahnsd.exe
ahnsdsv.exe
ahresjs.dll
ahresmai.dll
ahresout.dll
ahresp2p.dll
ahresws.dll
ahruijs.dll
alfaff.sys
amehevn.dll
amonlwlh.sys
anftdird.sys
antispam.dll
antispamgui.isplugin.dll
antispy.dll
antivirus.dll
anvir.exe
anvirhook53.dll
anvirrunserv.exe
aplhandler.dll
apm.dll
apm.exe
appflt.sys
arfmon.dll
arfmonnt.sys
arrakis3.exe
asapsdk.dll
asclsrvc.exe
ascontrol.exe
ashavast.exe
ashbase.dll
ashbug.exe
ashchest.dll
ashchest.exe
ashcnsnt.exe
ashmaisv.exe
ashoutxt.dll
ashserv.exe
ashsha64.dll
ashsimp2.exe
ashsodbc.dll
ashtask.dll
ashuint.dll
ashupd.exe
ashwebsv.exe
ask.exe
askout.dll
asmain.exe
asndmail.dll
asp_ipc.dll
asp_srv.exe
asplyscn.dll
asppp.dll
asscan.dll
assoc.cmd
aswboot.exe
aswclnr.exe
aswcmnb.dll
aswcmnos.dll
aswengin.dll
aswfilt.dll
aswfsblk.sys
aswmon.sys
aswmon2.sys
aswmonds.sys
aswrdr.sys
aswregsvr.exe
aswrundll.exe
aswscan.dll
aswsp.sys
aswtdi.sys
aswupdsv.exe
aszclean.dll
aszfltnt.sys
aszmedic.dll
athpexnt.sys
auto-rc.cmd
autoruns.exe
autorunsc.exe
av.vbs
avadmin.exe
avarkt.dll
avastss.scr
avcailib.dll
avcenter.exe
avesvc.dll
avesvcr.dll
avevtrc.dll
avfwim.sys
avfwot.sys
avfwres.dll
avfwsvc.exe
avgam.exe
avgameh.dll
avgamnot.dll
avgcclix.dll
avgcsrvx.exe
avgdumpx.exe
avgfwda.sys
avgfwdx.sys
avgfws8.exe
avgidsdriver.sys
avgidserhr.sys
avgidsfilter.sys
avgidsshim.sys
avgio.sys
avgio64.sys
avgiproxy.exe
avgmail.dll
avgmvflx.dll
avgnt.exe
avgntdd.sys
avgntflt.sys
avgntmgr.sys
avgrsx.exe
avgscanx.dll
avgscanx.exe
avgsched.dll
avgse.dll
avgspmui.dll
avgsrmax.exe
avgstrmx.exe
avgsystx.exe
avguard.exe
avinet.dll
avipbb.sys
avipc.dll
avirarkd.exe
avk.exe
avkbackupgui.exe
avkbackupservice.exe
avkexchd.dll
avkhttp.dll
avkim.dll
avkimap.dll
avkims.exe
avkmail.dll
avkpop3.dll
avkproxy.exe
avkscanjobc.dll
avkservice.exe
avksmtp.dll
avktray.exe
avktunerservice.exe
avkwctl.exe
avkwscpe.exe
avlureg.dll
avmailc.exe
avmailcr.dll
avmcdlg.exe
avnotify.dll
avnotify.exe
avp_io32.dll
avp_iont.dll
avperf.dll
avpfpi0.dll
avscan.dll
avscan.exe
avsda.dll
avservice.exe
avsshook.dll
avupgsvc.exe
avwebgrd.exe
avwinll.dll
avwsc.exe
avz.exe
avzkrnl.dll
azmain.dll
bdch.dll
bdfltlib.dll
bdfm.sys
bdfsfltr.sys
bdguictl.dll
bdmcon.dll
bdpop3p.dll
bdreinit.exe
bdselfpr.sys
bdsurvey.exe
blkpst32.exe
boot.drv
boot.udb
bpsrvc.dll
bpsvc.exe
cabsdk.dll
catflt.sys
ccbackup.dll
ccfwgnt.dll
ccguard.dll
ccmguard.dll
ccquarc.dll
ccrtklum.dll
ccupdate.dll
cfdata3.dll
cfilter3.dll
chmscan.dll
ckahcomm.dll
ckahrule.dll
ckahstat.dll
ckahum.dll
cleanielow.exe
cltuac.exe
coh32.exe
coh64.exe
coh_mon.sys
combo-fix.exe
combo-fix.sys
combobatch.bat
combofix.exe
conio.sys
cryptocme2.dll
csscan.exe
cssexc.exe
dbokfui.dll
defensewall.exe
defensewall_serv.exe
delaydel.exe
delclsid.bat
diffs.dll
dllctrl.exe
dllhook.dll
dmon.dll
drmlureg.dll
drv.sys
drvcrypt.sys
drvctl.exe
drvins32.exe
drwadins.exe
drwdemo.key
drweb32.dll
drweb32w.exe
drwebsp.dll
drwebupw.exe
drwebwcl.exe
dsaflt.sys
dumphive.cfxxe
dwall.dll
dwall.sys
dwall_ext.dll
dwall_service.dll
dwebio16.dll
dwebio32.dll
dwengine.exe
dwinctl.dll
dwprot.dll
dwprot.sys
eamon.sys
ecls.exe
ecmd.exe
eeclnt.exe
eectrl.sys
eectrl64.sys
eguiamon.dll
eguidmon.dll
eguiemon.dll
eguiepfw.dll
eguimailplugins.dll
eguiproduct.dll
eguiscan.dll
eguiupdate.dll
ehdrv.sys
ehttpsrv.exe
ekrn.exe
ekrnamon.dll
ekrndmon.dll
ekrnemon.dll
ekrnepfw.dll
ekrnmailplugins.dll
ekrnscan.dll
ekrnupdate.dll
emgscan.exe
emltdi.sys
eng64.sys
epfwtdir.sys
eplghooks.dll
eplgoe.dll
eplgoeemon.dll
eplgoutlook.dll
eplgoutlookemon.dll
eplgtbemon.dll
eraser.sys
eraser64.sys
erunt.exe
ex64.sys
extract.cfxxe
far.exe
feedback.exe
filehlpr.dll
fileobjinfo.sys
filesdk.dll
filewrap.dll
firewallgui.isplugin.dll
firewallplugin.dll
firewallwrapper.dll
fixlsp.bat
fldrvw2008.ocx
fnetmon.sys
fpavofficeie.dll
fpavserver.exe
fpoutavext.dll
fpscan.exe
fpshx64.dll
fptrayproc.exe
fpwin.exe
fsample.exe
fsavstrt.exe
fsavunin.dll
fsavwsch.exe
fsavwscr.exe
fsecr32.dll
fsepx32.dll
fsfilter.sys
fsgk.sys
fsgk32.exe
fsgk32st.exe
fsgk_x64.sys
fsgk_x64_sig.sys
fspsmon.dll
fsqh.exe
fsrec.sys
fssubmit.dll
fssync.dll
fstopw.cat
fstopw.sys
fsupcx32.dll
fsupmw32.dll
fsupwu32.dll
fsvista.sys
fsvista_x64.sys
fsvista_x64_sig.sys
fwinst.exe
gdaspam.dll
gddeepanalyse.dll
gdfirewalltray.exe
gdndisic.sys
gdscan.exe
gdtdiicpt.sys
gearaspiwdm.sys
get.exe
get5.exe
get6.exe
get7.exe
get8.exe
get9.exe
getsi.dll
gmer.exe
grep.cfxxe
guardgui.exe
guardmsg.dll
hidec.exe
hijackthis.exe
hijackthis.log
hookcentre.sys
hookinst.exe
htmlayout.dll
iadkrnl.dll
idsflt.sys
idsvia64.sys
idsvix86.sys
ie_bar.dll
ievkbd.dll
inethlpr.dll
instcat.exe
is-bmk19.com
is-bmk19.exe
isfwent.sys
isipsent.sys
isncpxct.dll
ispibent.sys
isprxent.sys
istrkent.sys
isutevva.dll
iwplureg.dll
k7apcext.dll
k7avcext.dll
k7avevnt.dll
k7avlext.dll
k7avmscn.dll
k7avoapi.dll
k7avoptn.dll
k7avscan.exe
k7avwscn.dll
k7cmnres.dll
k7fwcext.dll
k7fwfilt.sys
k7fwhlpr.sys
k7fwsrvc.exe
k7gensys.dll
k7o2plgn.dll
k7pssext.dll
k7pssrvc.exe
k7pswsen.dll
k7sentry.sys
k7spmsrc.exe
k7sysmn1.dll
k7sysmon.exe
k7tdihlp.sys
k7tsalrt.exe
k7tsecurity.exe
k7tshelp.dll
k7tsmain.exe
k7tsmngr.exe
k7tssext.dll
k7tssplh.exe
k7tsupdt.dll
k7tsupdt.exe
k7ui.dll
k7wincmp.dll
k7wslsp.dll
kdsappevent.dll
kdsinterface.dll
kill-all.cmd
kl1.sys
klbg.sys
kldirobj.dll
klfltdev.sys
klif.sys
klim5.sys
klipc.dll
kloehk.dll
klogon.dll
klscav.dll
klthbplg.dll
knlps.exe
knlps.sys
localservicenetworkrestricted.dat
localsystemnetworkrestricted.dat
log_converter.dll
mailclientlib.dll
mapiaddr.exe
mapiedk.dll
mbam.dll
mbam.exe
mbam.sys
mbamservice.exe
mbamswissarmy.sys
mcadmin.exe
mcavdetect.dll
mcavscv.dll
mcouas.dll
mcscan32.dll
mcscancheck.exe
mctray.exe
memory.udb
mfeann.exe
mfeapfk.sys
mfeavfk.sys
mfebopk.sys
mfecmnlib71.dll
mfecurl.dll
mfehidin.exe
mfehidk.sys
mferkda.dll
mferkdet.sys
mfetdik.sys
mimesniffer.dll
miniicpt.sys
minst.exe
mkisofs.exe
mpasdesc.dll
mpclient.dll
mpfilter.sys
mpnwmon.sys
mpsvc.dll
msfilter.dll
msmpcom.dll
msolkscn.dll
msregexp.dll
mytilus3_server_process.exe
naveng.sys
naveng.vxd
navex15.sys
navex15.vxd
navshcom.exe
navw32.exe
navwnt.exe
ncdaemon.exe
ncscan.dll
netfltdi.sys
neti1634.sys
netsvc.vista.dat
netsvc.xp.dat
nircmdb.exe
nisoptui.exe
nmapapp.exe
ntregopt.exe
nvscnsdk.dll
oe_mail.dll
oe_mydb.dll
oehook.dll
onaccess_client_mod.dll
onaccess_disp_mod.dll
op_cmn.dll
op_gui.dll
op_import.dll
op_install.dll
op_mail.dll
op_mon.exe
op_shell.dll
osid.vbs
osvil.dll
otlkscan.dll
pavboot.sys
pavboot64.sys
pavdrv51.sys
pctappevent.sys
pctaveng.dll
pctcffix.exe
pctcfhook.dll
pctcore.sys
pctfw.exe
pctfw.sys
pctgntdi.sys
pctlsp.dll
pctplfw.sys
pctplsg.sys
pctsauxs.exe
pctsdinj32.sys
pctsecutility.dll
pctsgui.exe
pctssvc.exe
pctstray.exe
pec32.exe
pifcrawl.exe
pifsvc.exe
plugindllfw.dll
prevxcsifree.exe
prloader.dll
procexp.exe
procmon.exe
procviewer.exe
prremote.dll
psscan.dll
ptstartmon.exe
qtnmaint.dll
qtnmaint.exe
rcscan.dll
reg lwt scan.exe
reglwtscan.zip
regscan.cmd
regscan64.cmd
rkpavproc.sys
rkpavproc64.sys
rootkitrevealer.exe
rscdwld.exe
runthis.bat
safeboot.dat
safeboot.def.dat
safeboot.def.vista.dat
safeboot.def.w7.dat
sandbox.sys
sandboxiebits.exe
sandboxiecrypto.exe
sbamcommandlinescanner.exe
sbamcreaterestore.exe
sbamoutlook.dll
sbamsafemodeui.exe
sbamsvc.exe
sbamsvcps.dll
sbamwsc.exe
sbaphd.sys
sbapifs.sys
sbapifsl.sys
sbarva.dll
sbbd.exe
sbiedrv.sys
sbiemsg.dll
sbiesvc.exe
sbtis.sys
sc_disp_mod.dll
scan32.exe
scanabt.dll
scanapi.dll
scannercom_client_mod.dll
scannercom_disp_mod.dll
scanopt.dll
scanres.dll
scanscr.dll
scansdk.dll
scanset.dll
scansts.dll
scantls.dll
scanwscs.exe
scmhlpr.dll
sdavgate.dll
sdcore.dll
sdfix.exe
sdinvoker.exe
sdloader.exe
sdra64.exe
secureframeworkfactory3.dll
security_client_mod.dll
security_disp_mod.dll
setenvmt.bat
setintegrity.exe
sfctlcom.exe
sffnwsc.exe
smengine.dll
smitfraudfix.exe
smplugin.dll
sp_rsdel.exe
sp_rsdrv2.sys
sp_rsser.exe
spider.sys
spideragent.exe
spideragent_set.exe
spidergate.exe
spidergate_set.exe
spiderml.exe
spidernt.exe
spiderui.exe
sporder.dll
spursdownload.dll
spyprodll.dll
spyprotector.exe
spywareterminator.exe
spywareterminatorshield.exe
ssautorn.exe
ssmdrv.sys
startup.exe
supdate.exe
svc_wht.dat
swreg.exe
symcuw.exe
symidsco.sys
sysinspector.exe
sysrescue.exe
tcpvcon.exe
tcpview.exe
tdiins.exe
tisscan.exe
tm_cfw.sys
tmactmon.sys
tmbmsrv.exe
tmcomm.sys
tmevtmgr.sys
tmlwf.sys
tmlwfins.exe
tmpfw.exe
tmpreflt.sys
tmtdi.sys
tmwfp.sys
tmwfpins.exe
tmxpflt.sys
tsc.exe
tsremove.exe
tsupgagt.exe
udaterui.exe
ufnavi.exe
ufupdui.exe
ujixndew.sys
uminject32.exe
unamnt.sys
unamnt4.sys
universaldd.sys
updater_client_mod.dll
updater_disp_mod.dll
updatesubsys.dll
v3hunt.dll
v3inet.dll
v3inet2.dll
vba32act.exe
vba32ads.exe
vba32ar.dll
vba32dnt.sys
vba32ecm.dll
vba32prot.sys
vba32sck.dll
vba32shl.dll
vba32stg.dll
vba32w.dll
vbaifps.dll
vbengnt.dll
vbengnt.sys
vbfilt.dll
vbsscan.dll
vdbupdate.dll
virinfo.dll
virstat.dll
virusinfo_syscheck.htm
virusinfo_syscheck.xml
virusinfo_syscheck.zip
virustotalupload.exe
vsapint.sys
vxdscan.dll
wl_hook.dll
wnmflt.sys
wormscan.dll
wslib.dll
xceedzip.dll
xcorepc.dll
xcorescan.exe
xcorescan32.exe
xinitcorepc.exe
xpbar.dll
xupdate.exe
ycryptp.dll
zcontextmenu.dll
zfmsys.sys
zillya.exe
zofficescn.dll
zooscan.dll
It also monitors the following paths and deletes any files it finds there:
%Appdata%\Agnitum
%Appdata%\Avg8
%Appdata%\Avira
%Appdata%\Defensewall Hips
%Appdata%\Doctor Web
%Appdata%\Eset
%Appdata%\F-Secure
%Appdata%\Frisk Software
%Appdata%\G Data
%Appdata%\K7 Computing
%Appdata%\Kaspersky Lab
%Appdata%\Kaspersky Lab Setup Files
%Appdata%\Malwarebytes
%Appdata%\Mcafee
%Appdata%\Microsoft\Microsoft Antimalware
%Appdata%\Panda Security
%Appdata%\Pc Tools
%Appdata%\Spyware Terminator
%Appdata%\Symantec
%Appdata%\Trend Micro
%Appdata%\Zillya Antivirus
%Programfiles%\A-Squared Anti-Malware
%Programfiles%\A-Squared Hijackfree
%Programfiles%\Agnitum
%Programfiles%\Ahnlab
%Programfiles%\Alwil Software
%Programfiles%\Anvir Task Manager
%Programfiles%\Avg\
%Programfiles%\Avira
%Programfiles%\Avira Gmbh
%Programfiles%\Bitdefender\Bitdefender 2009
%Programfiles%\Blockpost
%Programfiles%\Common Files\Doctor Web
%Programfiles%\Common Files\G Data
%Programfiles%\Common Files\Pc Tools
%Programfiles%\Common Files\Symantec Shared
%Programfiles%\Defensewall
%Programfiles%\Drweb
%Programfiles%\Eset
%Programfiles%\F-Secure Internet Security
%Programfiles%\Frisk Software
%Programfiles%\K7 Computing
%Programfiles%\Kaspersky Lab
%Programfiles%\Lavasoft
%Programfiles%\Malwarebytes' Anti-Malware
%Programfiles%\Mcafee
%Programfiles%\Microsoft Security Essentials
%Programfiles%\Norton Antivirus
%Programfiles%\Online Solutions
%Programfiles%\Panda Security
%Programfiles%\Panda Security\Panda Antivirus Pro 2009
%Programfiles%\Pc Tools Internet Security
%Programfiles%\Positive Technologies
%Programfiles%\Quick Heal
%Programfiles%\Sandboxie
%Programfiles%\Security Task Manager
%Programfiles%\Spyware Terminator
%Programfiles%\Sunbelt Software
%Programfiles%\Symantec
%Programfiles%\Trend Micro
%Programfiles%\Uacenter
%Programfiles%\Vba32
%Programfiles%\Vmware
%Programfiles%\Xcore
%Programfiles%\Zillya Antivirus
Prevents files from running
Worm:Win32/Nekav.A prevents files with the following extensions from running:
avc
avg
avp
avz
blockpost
cnt
cvd
Dsm
dta
dwl
dws
kdc
lrm
nup
ppl
scd
sig
vdb
Connects to remote server
Worm:Win32/Nekav.A may gather information about the infected computer and send it to a remote server via HTTP. In the wild, one such server it has been observed to contact is 193.105.174.114 via port 8081.
Analysis by Marianne Mallen