Threat behavior
Worm:Win32/Nuqel.AC is a worm that spreads by copying itself to the root folder of removable drives. It also weakens the computer's defenses by changing system settings: it disables System Restore and User Account Control, hides files and file extensions, and suppresses Windows Security Center notifications.
Installation
Worm:Win32/Nuqel.AC drops a copy of itself as the following files:
- %AppData%\java\<ASCII character>shimgvw<ASCII character>.exe
- %AppData%\java\<ASCII character>jview<ASCII character>.exe
where <ASCII character> refers to various ASCII characters.
It modifies the system registry so that its copy runs every time Windows starts, and it repoints the default icon for JPEG files to its copy. The DefaultIcon entry controls which icon Explorer displays for .jpg files; the new data refers to icon index 0 inside the dropped executable, which makes a .jpg in Explorer look unchanged while the file association now references the worm's copy:
Adds value: "AVM17?"
With data: "%AppData%\java\ýshimgvw.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Modifies value: "(default)"
From data: "%SystemRoot%\System32\imageres.dll,-72"
To data: "%AppData%\java\ýshimgvw.exe,0"
In subkey: HKLM\SOFTWARE\Classes\jpegfile\DefaultIcon
Spreads via...
Removable drives
Worm:Win32/Nuqel.AC drops a copy of itself in the root folder of all removable drives.
Payload
Modifies computer settings
Worm:Win32/Nuqel.AC changes the following settings in the computer:
- Hides protected operating system ("super hidden") files:
Adds value: "UncheckedValue"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
Adds value: "ShowSuperHidden"
With data: "0"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
- Hides file extensions:
Adds value: "DefaultValue"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
- Shortens the time Windows waits for services to stop at shutdown to 2 seconds (2000 ms):
Adds value: "WaitToKillServiceTimeout"
With data: "2000"
To subkey: HKLM\SYSTEM\CurrentControlSet\Control
- Disables System Restore:
Adds value: "DisableSR"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore
- Prevents Windows from displaying EXE and JPG file extensions. Explorer hides the extension whenever a NeverShowExt value exists under the file class, regardless of its data, so the "0" written here still takes effect, and an executable with a double extension shows only the first one:
Adds value: "NeverShowExt"
With data: "0"
To subkey: HKLM\SOFTWARE\Classes\exefile
Adds value: "NeverShowExt"
With data: "0"
To subkey: HKLM\SOFTWARE\Classes\jpegfile
- Disables User Account Control (Admin Approval Mode for administrators):
Adds value: "EnableLUA"
With data: "0"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
- Suppresses the Windows Security Center warning that no antivirus product is installed:
Adds value: "AntiVirusOverride"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center
Adds value: "AntiVirusOverride"
With data: "1"
To subkey: HKLM\SOFTWARE\Microsoft\Security Center\Svc
- Forces user processes to end automatically, without the "End Task" prompt, when the user logs off or shuts down Windows:
Adds value: "AutoEndTasks"
With data: "1"
To subkey: HKCU\Control Panel\Desktop
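The installation entries and the settings changes listed above are all concrete, checkable indicators. The following PowerShell triage script is an added example, not part of the Microsoft write-up; it reads each registry value named on this page, checks the Run key and the jpegfile DefaultIcon entry, and lists executables in %AppData%\java and in the root of removable drives. It assumes that the dropped file names match "*shimgvw*.exe" or "*jview*.exe" (the "<ASCII character>" placeholders above) and that the copy written to a removable drive is an .exe; the write-up gives no name for that copy, so every root-level executable is listed for manual review.

```powershell
<#
  Added triage script for the Worm:Win32/Nuqel.AC indicators listed in the write-up.
  Read-only: it reports, it does not change anything. Run from an elevated PowerShell
  on the suspect host. Assumptions not stated on the page: dropped file names match
  '*shimgvw*.exe' / '*jview*.exe'; the removable-drive copy is an .exe of unknown name.
#>
$findings = New-Object System.Collections.Generic.List[string]

# Registry values the write-up says the worm writes: path, value name, data, meaning.
$indicators = @(
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'; Name = 'UncheckedValue';          Data = '0';    Note = 'hides protected OS files' },
  @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced';                   Name = 'ShowSuperHidden';         Data = '0';    Note = 'hides protected OS files' },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt'; Name = 'DefaultValue';            Data = '1';    Note = 'hides file extensions' },
  @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control';                                               Name = 'WaitToKillServiceTimeout'; Data = '2000'; Note = '2 s service stop timeout' },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore';                     Name = 'DisableSR';               Data = '1';    Note = 'System Restore disabled' },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';                      Name = 'EnableLUA';               Data = '0';    Note = 'UAC disabled' },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center';                                             Name = 'AntiVirusOverride';       Data = '1';    Note = 'missing-AV warning suppressed' },
  @{ Path = 'HKLM:\SOFTWARE\Microsoft\Security Center\Svc';                                         Name = 'AntiVirusOverride';       Data = '1';    Note = 'missing-AV warning suppressed' },
  @{ Path = 'HKCU:\Control Panel\Desktop';                                                          Name = 'AutoEndTasks';            Data = '1';    Note = 'user processes ended without prompt' }
)

foreach ($i in $indicators) {
  $item = Get-ItemProperty -Path $i.Path -Name $i.Name -ErrorAction SilentlyContinue
  if ($null -eq $item) { continue }                 # key or value absent
  $name = $i.Name
  if ("$($item.$name)" -eq $i.Data) {               # compare as strings: REG_DWORD and REG_SZ both occur
    $findings.Add("Registry: $($i.Path) [$name] = $($i.Data) ($($i.Note))")
  }
}

# NeverShowExt: Explorer hides the extension if the value exists at all, whatever its data.
foreach ($cls in 'exefile', 'jpegfile') {
  $key = Get-Item -Path "HKLM:\SOFTWARE\Classes\$cls" -ErrorAction SilentlyContinue
  if ($key -and ($key.GetValueNames() -contains 'NeverShowExt')) {
    $findings.Add("Registry: HKLM:\SOFTWARE\Classes\$cls [NeverShowExt] present (extension hidden for $cls)")
  }
}

# jpegfile DefaultIcon: the stock data is %SystemRoot%\System32\imageres.dll,-72.
$iconKey = Get-Item -Path 'HKLM:\SOFTWARE\Classes\jpegfile\DefaultIcon' -ErrorAction SilentlyContinue
if ($iconKey) {
  $icon = [string]$iconKey.GetValue('', '', 'DoNotExpandEnvironmentNames')   # '' = the (default) value
  if ($icon -notmatch 'imageres\.dll') {
    $findings.Add("Registry: jpegfile\DefaultIcon (default) = '$icon' (expected imageres.dll,-72; review)")
  }
}

# HKCU Run values whose data points into %AppData%\java (name pattern is an assumption).
$runKey = Get-Item -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($runKey) {
  foreach ($valueName in $runKey.GetValueNames()) {
    $data = [string]$runKey.GetValue($valueName, '', 'DoNotExpandEnvironmentNames')
    if ($data -match '\\java\\[^\\]*(shimgvw|jview)[^\\]*\.exe') {
      $findings.Add("Registry: HKCU Run [$valueName] = '$data'")
    }
  }
}

# Dropped copies under %AppData%\java (same assumed name pattern).
$javaDir = Join-Path $env:APPDATA 'java'
if (Test-Path -LiteralPath $javaDir) {
  Get-ChildItem -LiteralPath $javaDir -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer -and $_.Name -match 'shimgvw|jview' } |
    ForEach-Object { $findings.Add("File: $($_.FullName) ($($_.Length) bytes, attributes $($_.Attributes))") }
}

# Root of every removable drive (DriveType 2). The copy's name is unknown, so list all executables.
Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' | ForEach-Object {
  Get-ChildItem -LiteralPath "$($_.DeviceID)\" -Filter '*.exe' -Force -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer } |
    ForEach-Object { $findings.Add("Removable drive root executable (review): $($_.FullName), attributes $($_.Attributes)") }
}

if ($findings.Count -eq 0) {
  Write-Output 'No Nuqel.AC indicators found.'
} else {
  $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Two caveats when reading the output. The HKCU entries are only visible for the user whose hive is loaded, so if the triage account is not the infected user, inspect HKU\<SID> or load that user's NTUSER.DAT instead. And settings such as EnableLUA=0 or DisableSR=1 are also set by administrators and by other malware families; the Run value and the jpegfile DefaultIcon pointing into %AppData%\java are the findings specific to this worm, and the rest corroborate rather than confirm an infection.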
Analysis by Francis Allan Tan Seng
Prevention