Worm:Win32/Nuqel.AS is an AutoIT script worm that spreads by copying itself to local and removable drives, and network shares. It may also send messages to contacts via Yahoo Messenger.
Installation
When this worm is run, it drops an Autorun file, and copies of itself, to the following locations:
Next, the system file attributes are set as 'ReadOnly', 'System' and 'Hidden' for the following files:
The registry is modified to run this copy of the worm at each Windows start.
Modifies value: Shell
With data: "Explorer SSVICHOSST.exe"
In subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "Yahoo Messengger"
With data: "<system folder>\SSVICHOSST.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Win32/Nuqel.AS may delete all scheduled jobs programmatically, and then schedule a job to run the copy of the worm '<system folder>\SSVICHOSST.exe' each day at 09:00.
This worm may also download configuration data files from one of two Web domains; these files instruct Sohanad to retrieve other programs from links they provide. The following domains may be involved in the transaction:
- nhatquanglan3.t35.com
- nhatquanglan4.t35.com
Files retrieved are saved as <system folder>\setting.ini.
Spreads Via…
Removable Drives & Network Shares
For each removable drive or network share found, this worm attempts to perform the following actions:
- Copies '%windir%\SSVCIHOST.exe' as '<share root>:\New Folder.exe'.
- Copies '<system folder>\SSVCIHOST.exe' as '<share root>:\SSVCIHOST.exe'.
- Copies '<system folder>\autorun.ini' as '<share root>:\autorun.ini', maintaining the system file attributes of the copied file as 'ReadOnly', 'System' and 'Hidden'.
For each subfolder found in each removable drive, or network share, Win32/Nuqel.AS copies '%windir%\SSVCIHOST.exe' as '<share subfolder name>.exe', recursively.
Note: The file 'autorun.inf' is commonly used to execute programs via the Windows AutoRun (or AutoPlay) feature when loading CD-ROMs or mounting removable drives. It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they may be used by legitimate programs and installation CDs.
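The spreading behaviour described above leaves a recognisable footprint on a share or removable drive: the dropped file names at the share root, an autorun file, and an executable whose name mirrors each subfolder it sits beside. The following scanner is an added example, not code from the write-up or from Microsoft; it walks a drive or share root and reports those three patterns. The sample directory layout it builds is constructed for the demonstration, and the name list it checks is taken from the file names quoted in this description.

```python
import os
import tempfile
from pathlib import Path

# File names quoted in the description above as dropped at the share root
# (matched case-insensitively). 'autorun.inf' and 'autorun.ini' are both
# listed because the write-up names the file both ways.
SUSPECT_ROOT_NAMES = {"ssvcihost.exe", "new folder.exe", "autorun.inf", "autorun.ini"}


def scan_share_root(root):
    """Walk one removable drive or share and return sorted (path, reason) findings.

    Three patterns are checked:
      1. a known dropped file name sitting directly in the share root;
      2. a subfolder X that has a sibling file X.exe, which is the recursive
         '<share subfolder name>.exe' copy the worm creates;
      3. an autorun file below the root, which has no legitimate AutoRun role.
    Only names are examined, so the scan runs on any platform and never
    opens or executes the files it reports.
    """
    root = Path(root)
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        lower_files = {f.lower(): f for f in filenames}
        for f in filenames:
            rel = (here / f).relative_to(root).as_posix()
            if here == root and f.lower() in SUSPECT_ROOT_NAMES:
                findings.append((rel, "known dropped file name at share root"))
            elif f.lower().startswith("autorun."):
                findings.append((rel, "autorun file outside share root"))
        for d in dirnames:
            twin = lower_files.get(d.lower() + ".exe")
            if twin:
                rel = (here / twin).relative_to(root).as_posix()
                findings.append((rel, f"executable mirrors folder name '{d}'"))
    return sorted(findings)


def build_sample_share(base):
    """Create a constructed share layout that mimics an infected drive (not a real capture)."""
    base = Path(base)
    (base / "Photos" / "2007").mkdir(parents=True)
    (base / "Docs").mkdir()
    for name in ("SSVCIHOST.exe", "New Folder.exe", "autorun.inf"):
        (base / name).write_bytes(b"MZ")          # stand-in for the dropped copies
    (base / "Photos.exe").write_bytes(b"MZ")       # mirrors the 'Photos' folder
    (base / "Photos" / "2007.exe").write_bytes(b"MZ")  # recursive copy one level down
    (base / "Docs" / "report.docx").write_bytes(b"PK")  # benign file, must not be flagged
    return base


def demo():
    """Build the constructed share in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_share_root(build_sample_share(tmp))


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path:20s} {reason}")
```

On a live system the same function can be pointed at a mounted drive letter or UNC path; the findings are a review list, not a verdict, because a folder-named executable can also be a legitimate installer left beside its own directory.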
Yahoo Messenger
Win32/Nuqel.AS reads data from a downloaded configuration data file named 'setting.ini'. The data file may contain the following message texts in Vietnamese:
E may, vao day coi co con nho nay ngon lam [url]
Vao day nghe bai nay di ban [url]
Vao day nghe bai nay di ban [url]
Biet tin gi chua, vao day coi di [url]
Trang Web nay coi cung hay, vao coi thu di [url]
Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? [url]
Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... [url]
Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... [url]
Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... [url]
Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon... [url]
This worm may randomly select one of the messages and use it to set the status of a running Yahoo Messenger chat client. It could then send messages to the client's contacts containing the same message text and a URL linking to a malicious Web site that attempts to compromise visitors' machines using exploit code.
Payload
Modifies System Settings
This worm may disable the Windows utilities "Task Manager" or "Registry Editor" by modifying registry data.
Modifies value: DisableTaskMgr
With data: "1"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Modifies value: DisableRegistryTools
With data: "1"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Win32/Nuqel.AS may disable the "Folder Options" dialogue box by modifying registry data.
Modifies value: NofolderOptions
With data: "1"
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
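The registry changes listed in the Installation section (the Winlogon Shell value, the Run entry and the daily scheduled job) and the policy values listed just above are all things an administrator can check from a registry snapshot and a scheduled-task listing. The script below is an added example, not code from this description or from Microsoft. It works on a constructed snapshot shaped as {subkey: {value name: data}}, which is an assumed format such as a hive export might be parsed into, and on a constructed, reduced CSV listing of scheduled tasks whose four columns are an assumption for the demonstration rather than the exact output of any tool.

```python
import csv
import io

WORM_FILE = "ssvichosst.exe"  # dropped file name from the description (matched case-insensitively)

WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
)
POLICY_SYSTEM_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
POLICY_EXPLORER_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
# (subkey, value name) pairs the description says the worm sets to 1
POLICY_VALUES = (
    (POLICY_SYSTEM_KEY, "DisableTaskMgr"),
    (POLICY_SYSTEM_KEY, "DisableRegistryTools"),
    (POLICY_EXPLORER_KEY, "NofolderOptions"),
)

# Constructed registry snapshot (assumed {subkey: {value: data}} shape), not a real capture.
CONSTRUCTED_REGISTRY = {
    WINLOGON_KEY: {"Shell": "Explorer SSVICHOSST.exe"},
    RUN_KEYS[0]: {"Yahoo Messengger": r"C:\WINDOWS\system32\SSVICHOSST.exe"},
    POLICY_SYSTEM_KEY: {"DisableTaskMgr": 1, "DisableRegistryTools": 1},
    POLICY_EXPLORER_KEY: {"NofolderOptions": 1},
}

# Constructed task listing with an assumed four-column layout; the second row
# mirrors the daily 09:00 job described above, the third is a benign task.
CONSTRUCTED_TASKS_CSV = (
    '"TaskName","Task To Run","Schedule Type","Start Time"\n'
    '"\\At1","C:\\WINDOWS\\system32\\SSVICHOSST.exe","Daily","9:00:00 AM"\n'
    '"\\Backup","C:\\Tools\\backup.cmd","Weekly","2:00:00 AM"\n'
)


def check_registry(reg):
    """Return (kind, detail) findings for the persistence and policy changes."""
    findings = []
    # Winlogon\Shell is normally just "explorer.exe"; anything appended to it
    # is started together with the shell at every logon.
    shell = str(reg.get(WINLOGON_KEY, {}).get("Shell", "explorer.exe"))
    if shell.strip().lower() != "explorer.exe":
        findings.append(("winlogon_shell", shell))
    # Any Run entry whose command names the dropped file.
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if WORM_FILE in str(data).lower():
                findings.append(("run_entry", f"{name} = {data}"))
    # Policy values that lock the user out of Task Manager, regedit and Folder Options.
    for key, name in POLICY_VALUES:
        data = reg.get(key, {}).get(name)
        if data not in (None, 0, "0"):
            findings.append(("policy_restriction", name))
    return findings


def check_scheduled_tasks(csv_text):
    """Return (kind, detail) findings for tasks whose command names the dropped file."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if WORM_FILE in row["Task To Run"].lower():
            detail = (f'{row["TaskName"]} -> {row["Task To Run"]} '
                      f'({row["Schedule Type"]} {row["Start Time"]})')
            findings.append(("scheduled_task", detail))
    return findings


def review(reg=CONSTRUCTED_REGISTRY, tasks_csv=CONSTRUCTED_TASKS_CSV):
    """Run both checks over a snapshot and a task listing."""
    return check_registry(reg) + check_scheduled_tasks(tasks_csv)


if __name__ == "__main__":
    for kind, detail in review():
        print(f"{kind:20s} {detail}")
```

The Shell check is deliberately not tied to this worm's file name: the Winlogon Shell value should read only explorer.exe on a workstation, so any extra token there is worth a look regardless of which sample appended it, while the Run and task checks match the specific file name this description gives.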
Win32/Nuqel.AS runs an infinite loop that performs the following actions:
- Closes any application window containing one of the following strings:
  'System Configuration'
  'Registry'
  'Windows Task'
- Closes all console windows
- Closes any application window containing the string 'Bkav2006', and deletes a registry value:
  Deletes value: "BkavFw"
  In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- For any application window containing the string '[FireLion]', deletes a registry value and then restarts the computer:
  Deletes value: "IEProtection"
  In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
- Infects removable drives as described above in the "Spreads Via…" section
- At two-hour intervals:
  - Refreshes '<system folder>\setting.ini' by updating it from one of two Web domains:
    nhatquanglan3.t35.com
    nhatquanglan4.t35.com
  - Kills a running process named 'game_y.exe', if it exists
- At 30-minute intervals, performs the Yahoo Messenger spreading routine described above in the "Spreads Via…" section
Analysis by Cristian Craioveanu