Worm:Win32/Nuqel.A is a persistent worm that spreads via removable drives, shared drives, and Yahoo! Messenger. It can terminate certain processes, modify certain system settings and prevent the execution of the Windows utilities Registry Editor and Task Manager.
Installation
When run, this worm creates the following files that are copies of the worm:
<system folder>\RVHOST.exe
%windir%\RVHOST.exe
The registry is modified to run the worm copy at each Windows start.
Modifies value: "Shell"
From data: "explorer.exe"
To data: "explorer.exe RVHOST.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "Yahoo Messengger"
With data: "<system folder>\RVHOST.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that the malware determines by querying the operating system. The default installation location for the System folder on Windows 2000 and NT is C:\Winnt\System32; on XP and Vista it is C:\Windows\System32.
The worm creates and schedules a job to execute the worm copy at 9:00 every day.
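The two persistence changes listed above (the extra program appended to the Winlogon "Shell" value and the "Yahoo Messengger" entry under the HKCU Run key) are simple to check for in a registry export. The following is an added example written for this page, not Microsoft's own tooling: it parses the string values of a `reg export`-style file and reports both indicators. The sample export text is constructed; the key paths are the ones named in the description, written in the long form (`HKEY_LOCAL_MACHINE`, `HKEY_CURRENT_USER`) that `.reg` files use.

```python
"""Check a .reg export for the Winlogon Shell and Run-key changes made by
Worm:Win32/Nuqel.A.  Added example; only REG_SZ ("name"="data") lines are
parsed, which is all these two indicators need."""
import re

# Constructed sample of what an export of the two keys might look like on an
# infected host (the OneDrive and Userinit values are benign filler).
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe RVHOST.exe"
"Userinit"="C:\\Windows\\system32\\userinit.exe,"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\Windows\\System32\\RVHOST.exe"
"OneDrive"="C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"
'''

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
WORM_FILENAME = "rvhost.exe"           # file name from the description
WORM_RUN_VALUE = "Yahoo Messengger"    # misspelled value name from the description

_KEY_RE = re.compile(r"^\[(.+)\]$")
_VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')


def parse_reg_export(text):
    """Parse string values of a .reg export into {key_path: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes; undo that for the data
            data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            keys[current][m.group(1)] = data
    return keys


def extra_shell_programs(shell_value):
    """Return every program in the Winlogon Shell value other than explorer.exe.
    A clean system has exactly "explorer.exe"; the worm appends RVHOST.exe."""
    return [p for p in shell_value.split() if p.lower() != "explorer.exe"]


def find_nuqel_indicators(reg):
    """Return human-readable findings for the two persistence changes."""
    findings = []
    shell = reg.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe")
    for prog in extra_shell_programs(shell):
        findings.append(f"Winlogon Shell launches extra program: {prog}")
    for name, data in reg.get(RUN_KEY, {}).items():
        if name == WORM_RUN_VALUE or WORM_FILENAME in data.lower():
            findings.append(f"Run entry '{name}' -> {data}")
    return findings


if __name__ == "__main__":
    for finding in find_nuqel_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

On a live host the same two functions can be fed the output of `reg export` for each key; the Shell check is worth keeping in any baseline script, since any program other than explorer.exe in that value is unusual regardless of which malware family put it there.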
Spreads Via…
Removable drives and shared folders
For each share found in the following registry entry, Worm:Win32/Nuqel.A copies itself as a file named "\New folder.exe":
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
For example, if a shared folder is present as "\\TEST\Folder1", the worm will copy itself as "\\TEST\Folder1\New Folder.exe". The worm modifies the following registry entry that pertains to the last shared folder so that the worm copy is shared:
Adds value: "shared"
With data: "<shared_path>\New folder.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
For each shared drive discovered, the worm copies itself into every folder as a file named "<Folder Name>.exe".
For each removable drive, such as a USB-connected drive, the worm copies itself as "New Folder.exe" to the root of the drive. For each subfolder found on the drive, the worm copies itself into that subfolder as a file with the same name as the folder, for example:
<drive:>\Sample folder\Sample folder.exe
<drive:>\Data folder\Data folder.exe
…and so on.
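The removable-drive copy pattern above ("New Folder.exe" at the root, and "<Folder Name>.exe" inside each subfolder) is easy to scan for, because the file name is derived from its parent folder. The following is an added example, not part of the original description: it walks a directory tree and reports every file that matches the pattern. The sample drive layout is constructed in a temporary directory with empty placeholder files; only the naming matters for the check, and names are compared case-insensitively because Windows file systems are.

```python
"""Scan a drive (or any directory tree) for the Nuqel.A copy pattern:
"New Folder.exe" at the root and "<Folder>\\<Folder>.exe" in subfolders.
Added example; the sample tree below is constructed, not real infection data."""
import os
import tempfile


def find_folder_mimic_files(root):
    """Return relative paths (forward-slash separated, sorted) of files that
    match the worm's naming pattern under `root`."""
    hits = []
    root_norm = os.path.normpath(root)
    for dirpath, _dirnames, filenames in os.walk(root):
        at_root = os.path.normpath(dirpath) == root_norm
        parent = os.path.basename(dirpath).lower()
        for fn in filenames:
            lower = fn.lower()
            if (at_root and lower == "new folder.exe") or \
               (not at_root and lower == parent + ".exe"):
                rel = os.path.relpath(os.path.join(dirpath, fn), root)
                hits.append(rel.replace(os.sep, "/"))
    return sorted(hits)


def build_sample_drive(root):
    """Create a constructed USB-drive layout: two mimic files plus a root
    copy, alongside benign files that must not be flagged."""
    layout = [
        "New Folder.exe",
        "Sample folder/Sample folder.exe",
        "Sample folder/notes.txt",
        "Data folder/Data folder.exe",
        "Data folder/report.exe",   # an .exe whose name differs from the folder
        "Photos/holiday.jpg",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        open(path, "w").close()
    return root


def scan_sample_drive():
    """Build the constructed drive in a temp dir, scan it, and return the hits."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_drive(tmp)
        return find_folder_mimic_files(tmp)


if __name__ == "__main__":
    for hit in scan_sample_drive():
        print("suspicious:", hit)
```

Pointing `find_folder_mimic_files` at a mounted drive letter (for example `E:\`) gives a quick triage list; a genuine match should then be confirmed by file hash or AV scan rather than by name alone, since a user could legitimately name an executable after its folder.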
Yahoo! Messenger
Worm:Win32/Nuqel.A attempts to download a configuration data file that contains message text and a hyperlink that points to a copy of the worm hosted on a remote Web site. The worm then attempts to send a text message containing a URL extracted from the previously downloaded configuration file to all user contacts every 30 minutes.
If this information cannot be located in the configuration file, or the file itself cannot be located, the worm instead sends out a link to the Web site "nhattruongquang.0catch.com". The message text is randomly chosen from messages stored in the configuration file. However, if no message data is stored in the configuration file, the message is randomly chosen from the following:
"E may, vao day coi co con nho nay ngon lam"
"Vao day nghe bai nay di ban"
"Biet tin gi chua, vao day coi di"
"Trang Web nay coi cung hay, vao coi thu di"
"Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?"
"Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa…"
"Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi…"
"Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo…"
"Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon..."
Payload
Downloads arbitrary files
The worm checks the following domains every 2 hours for the configuration files "setting.nql" and "setting.xls":
Once located, it saves the content to a temporary file, "<system folder>\setting.ini". The worm then attempts to retrieve a number of binary files from a URL specified in the configuration files. Once downloaded, the binary files are dropped into the Windows system directory and executed. The downloaded files have their file attributes set to "hidden", "system" and "read-only".
Terminates processes
Worm:Win32/Nuqel.A looks for open windows whose titles contain one of the following strings and attempts to close them:
"Bkav2006"
"System Configuration" (msconfig.exe)
"Registry" (registry editors)
"Windows Task" (Task managers)
"[FireLion]"
The worm deletes the following autorun registry entries:
Worm:Win32/Nuqel.A also attempts to terminate the process “game_y.exe” if found running in memory. This name may be associated with other malware.
Modifies system settings
Worm:Win32/Nuqel.A modifies the system registry to change certain system settings:
Analysis by Rodel Finones