Worm:Win32/Nuqel.AE is a worm that spreads via removable drives, shared folders and messages sent through Yahoo! Messenger. It terminates certain processes and windows, modifies certain system settings and disables registry editing for the current user.
Installation
Upon execution, Worm:Win32/Nuqel.AE checks whether it is running with full administrative privileges on the computer, and chooses its installation paths accordingly.
If Worm:Win32/Nuqel.AE is running with full administrative privileges, it deletes the following files, if they exist:
- <system folder>\setup.ini
- <system folder>\regsvr.exe
- <system folder>\winhelp.exe
- %windir%\regsvr.exe
- %windir%\winhelp.exe
It then drops copies of itself in the computer as the following:
- <system folder>\regsvr.exe
- <system folder>\svchost .exe
- %windir%\regsvr.exe
Note that <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP, Vista, and 7 is C:\Windows\System32.
Note also that a legitimate Windows file named "svchost.exe" (without the space between "svchost" and the extension ".exe") exists in the same folder; the worm copy is named so that it is easily mistaken for that file in file and process listings.
It also drops the following file:
It modifies the system registry so that its dropped copies are run every time Windows starts:
Adds value: "Msn Messsenger"
With data: "<system folder>\regsvr.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Modifies value: "Shell"
From data: "Explorer.exe" (default value)
To data: "Explorer.exe regsvr.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
It also creates a job to execute one of its copies every day at 09:00.
If Worm:Win32/Nuqel.AE is running without full administrative privileges, it copies itself in the computer as:
- %APPDATA%\regsvr.exe
- %APPDATA%\setup.ini
It also drops the following file:
It modifies the system registry so that its dropped copies are run every time Windows starts:
Adds value: "Msn Messsenger"
With data: "%APPDATA%\regsvr.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Adds value: "Yahoo Messsenger"
With data: "%APPDATA%\support\regsvr.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
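The following PowerShell script is an added example, not part of the original write-up, that checks a host for the installation artifacts listed above (both the administrative and non-administrative variants): the dropped files, the two Run values, the Winlogon Shell modification and a scheduled job that launches a worm copy. The file and value names are taken from the text; the scheduled-job name is not given there, so the script matches on the job's command line instead. It is read-only and should be run from an elevated prompt.

```powershell
# Added example: read-only triage for Worm:Win32/Nuqel.AE installation artifacts.
# Run elevated. On a live infected host prefer a console whose title does not
# contain "Registry" or "System Configuration", since the worm closes such windows.
$sys = [Environment]::SystemDirectory   # <system folder>, e.g. C:\Windows\System32
$win = $env:windir
$app = $env:APPDATA
$findings = @()

# 1. Dropped copies. "svchost .exe" contains a literal space; the genuine
#    svchost.exe lives in the same folder, so match the exact name.
$paths = @(
    "$sys\regsvr.exe", "$sys\svchost .exe", "$sys\setup.ini", "$sys\setting.ini",
    "$win\regsvr.exe",
    "$app\regsvr.exe", "$app\setup.ini", "$app\support\regsvr.exe"
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) {
        $fi = Get-Item -LiteralPath $p -Force
        $findings += "file: $p (attributes: $($fi.Attributes))"
    }
}

# 2. Run values. The names carry the worm's own misspelling ("Messsenger").
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($name in 'Msn Messsenger', 'Yahoo Messsenger') {
    $v = (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($v) { $findings += "run value: '$name' = $v" }
}

# 3. Winlogon Shell. A clean system has exactly "Explorer.exe"; the worm
#    appends "regsvr.exe" so its copy starts with every logon.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
    $findings += "winlogon Shell = '$shell' (expected 'Explorer.exe')"
}

# 4. Scheduled job running a worm copy. The write-up gives no job name, so
#    match the command line. Get-ScheduledTask exists only on Windows 8/2012
#    and later; older systems fall back to schtasks.exe output.
$pattern = 'regsvr\.exe|svchost \.exe'
if (Get-Command Get-ScheduledTask -ErrorAction SilentlyContinue) {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            if ("$($a.Execute) $($a.Arguments)" -match $pattern) {
                $findings += "scheduled task: $($task.TaskName) -> $($a.Execute) $($a.Arguments)"
            }
        }
    }
} else {
    schtasks.exe /query /fo LIST /v 2>$null | Select-String -Pattern $pattern |
        ForEach-Object { $findings += "scheduled task (schtasks): $($_.Line.Trim())" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Host 'No Nuqel.AE installation artifacts found.' }
```

A hit on the Shell value or on "svchost .exe" is strong evidence on its own; the Run values and the scheduled job confirm which variant (administrative or not) installed itself.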
Spreads Via...
Removable and shared folders
For each shared path found in the registry subkey "HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares", Worm:Win32/Nuqel.AE copies itself as the following files:
- "\New folder.exe"
- "\regsvr.exe"
It also copies itself in all folders as "<folder name> .exe", with a space before the extension so that the copy resembles the folder it mimics. For example, if a folder named "folder" exists, the worm copy has the name "folder .exe".
It also copies its dropped file "<system folder>\setup.ini" to the shared or removable folder as "autorun.inf", so that the worm copy "regsvr.exe" is started automatically when the drive or share is opened on a system with Autorun enabled.
It also adds a registry entry under the same subkey it enumerates when spreading, so that a path containing a worm copy is included in the list of share paths it revisits:
Adds value: "shared"
With data: "<shared path>\New folder.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
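The following PowerShell script is an added example, not part of the original write-up, that scans every ready removable drive and every path recorded under the WorkgroupCrawler\Shares subkey for the propagation artifacts described above: "New folder.exe", "regsvr.exe", an "autorun.inf" that references regsvr.exe, and "<folder name> .exe" decoys beside the folders they mimic. The write-up does not give the contents of the dropped setup.ini, so the autorun.inf check is an assumption: it simply flags any autorun.inf that mentions regsvr.exe. The script is read-only.

```powershell
# Added example: locate Nuqel.AE propagation drops on removable drives and
# on the share paths the worm records in the registry. Read-only.
$sharesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
$roots = @()

# Removable drives that are currently mounted and readable.
[System.IO.DriveInfo]::GetDrives() |
    Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady } |
    ForEach-Object { $roots += $_.RootDirectory.FullName }

# Share paths the worm iterates over (and the "shared" value it adds itself).
# Values look like "<shared path>\New folder.exe", so scan the containing folder.
if (Test-Path $sharesKey) {
    $providerProps = @('PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider')
    foreach ($p in (Get-ItemProperty -Path $sharesKey).PSObject.Properties) {
        if ($providerProps -notcontains $p.Name -and $p.Value -is [string]) {
            $roots += Split-Path -Parent $p.Value
        }
    }
}

function Test-NuqelDrop {
    param([string]$Root)
    $hits = @()

    # Fixed-name copies at the root of the share or drive.
    foreach ($name in 'New folder.exe', 'regsvr.exe') {
        $f = Join-Path $Root $name
        if (Test-Path -LiteralPath $f) { $hits += $f }
    }

    # autorun.inf copied from the worm's setup.ini. Assumption: it refers to
    # regsvr.exe, the copy the write-up says it launches.
    $inf = Join-Path $Root 'autorun.inf'
    if (Test-Path -LiteralPath $inf) {
        $text = Get-Content -LiteralPath $inf -Raw -ErrorAction SilentlyContinue
        if ($text -match '(?i)regsvr\.exe') { $hits += "$inf (references regsvr.exe)" }
    }

    # "<folder name> .exe" decoys: for every folder, look in its parent for an
    # executable named after it with a space before the extension.
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $decoy = Join-Path $_.Parent.FullName ($_.Name + ' .exe')
            if (Test-Path -LiteralPath $decoy) { $hits += $decoy }
        }
    return $hits
}

foreach ($r in ($roots | Sort-Object -Unique)) {
    if (-not (Test-Path -LiteralPath $r)) { continue }
    $hits = Test-NuqelDrop -Root $r
    if ($hits) { $hits | ForEach-Object { Write-Warning $_ } }
    else { Write-Host "clean: $r" }
}
```

The decoy check deliberately requires the space before ".exe"; a file named exactly like a folder plus ".exe" without the space is a different pattern and would produce false positives on ordinary installers.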
Yahoo! Messenger
Worm:Win32/Nuqel.AE attempts to send an instant message containing a URL to all contacts every 30 minutes.
The URL is taken from a previously downloaded configuration file (see the Payloads section below). If the information cannot be located in the configuration file, or if the file itself cannot be located, the worm sends an instant message with the following link:
ftp://tlpoeil:yahoogoogle@ftp.members.lycos.co.uk/selfextract.exe
The message is randomly chosen from messages stored in the configuration file. However, if no message data is stored in the configuration file, or if the file cannot be located, the message is randomly chosen from the following:
- "Aishwarya Rai videos <URL>"
- "cyber cafe scandal visit <URL>"
- "Free mobile games <URL>"
- "Latest video shot of infosys girl <URL>"
- "Nfs carbon download <URL>"
- "Nse going to crash for more <URL>"
- "Regular monthly income by wearing your shorts at the comfort of your home for more info <URL>"
- "stream Video of Nayanthara and Simbu <URL>"
- "World Business news broadcaster <URL>"
Payloads
Downloads arbitrary files
Worm:Win32/Nuqel.AE checks the domain "yahoo.com" every two hours for the following configuration files:
Once any of these files is found, it saves the file as "<system folder>\setting.ini". It then attempts to retrieve files from a URL specified in the configuration file. If a file is found, it is saved in the Windows system folder with the hidden, system and read-only attributes set, and then executed.
Terminates processes
Worm:Win32/Nuqel.AE looks for open windows whose titles contain any of the following strings and attempts to close them:
- "[FireLion]"
- "Bkav2006"
- "Registry" (registry editors)
- "System Configuration" (msconfig.exe)
- "Windows mask"
Modifies the system registry
Worm:Win32/Nuqel.AE deletes the following autorun registry entries:
- Deletes autorun entry for the Bkav2006 program:
Deletes value: "BkavFw"
In subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
- Deletes autorun entry for the FireLion program:
Deletes value: "IEProtection"
In subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It also attempts to terminate the process "game_y.exe" if it is found running on the computer; this process name may be used by other malware.
Modifies system settings
Worm:Win32/Nuqel.AE makes a number of changes to system settings by changing the following registry entries:
- Removes the limit on how long a job created with the AT command of the Scheduler service may run (a value of 0 means no limit):
Adds value: "AtTaskMaxHours"
With data: "0"
To subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
- Disables Windows registry tools such as Registry Editor for the current user:
Adds value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
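The following PowerShell function is an added example, not part of the original write-up, that reverts the registry changes the worm makes to system settings and startup: it restores the Winlogon Shell value to "Explorer.exe", removes the two Run values from the Installation section, and deletes the DisableRegistryTools and AtTaskMaxHours values. Neither of those two values is present on a default installation, so they are removed rather than set to 0. It must run elevated and only after the worm process has been stopped and its copies deleted, otherwise the running worm re-applies the changes; -WhatIf previews the actions.

```powershell
# Added example: revert Nuqel.AE registry changes. Run elevated, after the
# worm process is stopped and its files removed. Supports -WhatIf / -Confirm.
function Restore-NuqelSettings {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    # Winlogon Shell: "Explorer.exe regsvr.exe" -> "Explorer.exe".
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'Explorer.exe') {
        if ($PSCmdlet.ShouldProcess("$winlogon\Shell", "reset '$shell' to 'Explorer.exe'")) {
            Set-ItemProperty -Path $winlogon -Name Shell -Value 'Explorer.exe'
        }
    }

    # Run values added by either variant of the worm (names are misspelled by the worm).
    $runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    foreach ($name in 'Msn Messsenger', 'Yahoo Messsenger') {
        if ($null -ne (Get-ItemProperty -Path $runKey -Name $name -ErrorAction SilentlyContinue)) {
            if ($PSCmdlet.ShouldProcess("$runKey\$name", 'remove')) {
                Remove-ItemProperty -Path $runKey -Name $name
            }
        }
    }

    # DisableRegistryTools=1 blocks regedit for the current user. The value is
    # absent on a clean system, so delete it rather than set it to 0.
    $policy = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    if ($null -ne (Get-ItemProperty -Path $policy -Name DisableRegistryTools -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess("$policy\DisableRegistryTools", 'remove')) {
            Remove-ItemProperty -Path $policy -Name DisableRegistryTools
        }
    }

    # AtTaskMaxHours=0 lifts the runtime cap on AT jobs. Removing the value
    # returns the Scheduler service to its built-in default.
    $sched = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'
    if ($null -ne (Get-ItemProperty -Path $sched -Name AtTaskMaxHours -ErrorAction SilentlyContinue)) {
        if ($PSCmdlet.ShouldProcess("$sched\AtTaskMaxHours", 'remove')) {
            Remove-ItemProperty -Path $sched -Name AtTaskMaxHours
        }
    }
}

Restore-NuqelSettings -WhatIf   # preview the changes
# Restore-NuqelSettings         # apply them
```

The Bkav2006 and FireLion autorun entries the worm deletes are not restored here, since their original data is not recoverable from the registry; reinstalling those products recreates them.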
Analysis by Rodel Finones