Worm:Win32/Noxjasm.A is a worm that spreads by copying itself to all drives. It attempts to terminate certain security-related processes and prevent the use of other Windows utilities such as Task Manager.
Installation
When run, Worm:Win32/Noxjasm.A copies itself as the following files having attributes of "system" and "hidden":
<system folder>\logoneui.exe
%windir%\web\connection.dat
c:\logoneui.exe
The registry is modified to run the worm copy at each Windows start.
Modifies value: "Shell"
With data: "explorer.exe logoneui.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "firewall 2008"
With data: "<system folder>\logoneui.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
The worm also creates a scheduled job to execute the worm copy "<system folder>\logoneui.exe" every day at 10:00 pm local time.
Spreads via…
Network shares and all drives
The worm copies itself to all writable network shares and drives, including the system drive, as "\logoneui.exe" and as one of the following file names:
\jojo.exe
\akon.exe
\alisa.exe
\subst.exe
\Maradona.exe
\zidan.exe
Worm:Win32/Noxjasm.A then writes an autorun configuration file as "autorun.inf" pointing to one of the files listed above. When the network share or drive is accessed from another machine supporting the Autorun feature, the worm is launched automatically.
The worm modifies the registry to share the worm copy as a resource as in the following example:
Adds value: "shared"
With data: "\zidan.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
Payload
Changes Windows settings
Worm:Win32/Noxjasm.A changes the following Windows settings by modifying the registry:
- Disables Windows Task Manager
Modifies value: "DisableTaskMgr"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- Disables Windows folder view options
Modifies value: "NofolderOptions"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
- Disallows hidden files
Modifies value: "Hidden"
With data: "0"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Changes Internet Explorer start page
Modifies value: "HomePage"
With data: "1"
In subkey: HKCU\Software\Policies\Microsoft\Internet Explorer\Control Panel
Modifies value: "Start Page"
With data: "http://famous2.topcities.com"
To subkey: HKCU\Software\Microsoft\Internet Explorer\Main
- Allows a scheduled task to run indefinitely
Modifies value: "AtTaskMaxHours"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
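As an added defender-side triage example (not part of this write-up, and not Microsoft's own tooling), the following PowerShell script checks a host for the dropped files, registry changes and autorun.inf entries listed above. File paths and value names are taken from the write-up; "<system folder>" is resolved from the operating system, and the script is read-only.

```powershell
# Added triage script: reports Worm:Win32/Noxjasm.A artifacts described in the write-up.
$findings = @()

# 1. Dropped files (paths from the write-up; <system folder> resolved via the OS)
$sys = [Environment]::SystemDirectory
$files = @("$sys\logoneui.exe", "$env:windir\web\connection.dat", 'C:\logoneui.exe')
foreach ($f in $files) {
    if (Test-Path -LiteralPath $f) { $findings += "Dropped file present: $f" }
}

# 2. Persistence: Winlogon Shell should be exactly "explorer.exe"
$wl = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
if ($wl -and $wl.Shell -and $wl.Shell.Trim() -ne 'explorer.exe') { $findings += "Winlogon Shell altered: '$($wl.Shell)'" }

# 3. HKCU Run entry named "firewall 2008"
$run = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['firewall 2008']) { $findings += "Run value 'firewall 2008' -> $($run.'firewall 2008')" }

# 4. Policy and settings changes listed under Payload (value names are case-insensitive)
$checks = @(
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name='DisableTaskMgr';  Bad=1 },
  @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NofolderOptions'; Bad=1 },
  @{ Key='HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel'; Name='HomePage';        Bad=1 },
  @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\Schedule';                 Name='AtTaskMaxHours';  Bad=0 }
)
foreach ($c in $checks) {
    $v = (Get-ItemProperty $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
    if ($null -ne $v -and [int]$v -eq $c.Bad) { $findings += "$($c.Key)\$($c.Name) = $v" }
}

# 5. autorun.inf on any drive root that references one of the worm's file names
$names = 'logoneui.exe','jojo.exe','akon.exe','alisa.exe','subst.exe','Maradona.exe','zidan.exe'
foreach ($d in Get-PSDrive -PSProvider FileSystem) {
    $inf = Join-Path $d.Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $txt = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        foreach ($n in $names) { if ($txt -match [regex]::Escape($n)) { $findings += "$inf references $n" } }
    }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { 'No Noxjasm.A artifacts found.' }
```

Run it from an elevated prompt so the HKLM keys and every drive root are readable; a hit on the Winlogon Shell or Schedule checks is a stronger indicator than the HKCU policy values, which other software can also set.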
Terminates processes
The worm closes any window whose title contains one of the following strings:
Bkav2006
System Configuration
Registry
Registry Editor
Windows Task
Windows Task Manager
The worm also terminates processes matching any of the following:
avgamsvr.exe
avgupsvc.exe
avgcc.exe
nod32kui.exe
nod32krn.exe
Kav.exe
cmd.exe
MSConfig.exe
HIJACK.EXE
Worm:Win32/Noxjasm.A deletes the following registry values associated with security-related processes:
Deletes value: "IEProtection"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Deletes value: "avast!"
Deletes value: "AVG7_CC"
Deletes value: "nod32kui"
In subkey: HKCM\Software\Microsoft\Windows\CurrentVersion\Run
Drops other files
Worm:Win32/Noxjasm.A drops a batch script as "C:\info.bat" that displays the following message if run:
hi i come back
i am Jason X
<e-mail address>@hotmail.com
Good Bye
The batch script then attempts to shut down the affected computer.
Analysis by Tim Liu