Worm:Win32/Nuqel.I is a worm that spreads via removable drives, shared drives, and instant messenger.
Installation
When executed, Worm:Win32/Nuqel.I copies itself to "ssvichosst.exe" in the Windows and Windows System folders with the read-only, system, and hidden file attributes.
It modifies the system registry so that it runs every time Windows starts:
Modifies value: "Shell"
With data: "explorer.exe ssvichosst.exe"
To subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "Yahoo Messengger"
With data: "<system folder>\ssvichosst.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Note - <system folder> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System folder for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
It also drops a file named "autorun.ini" in the Windows system folder. This file is a template that the worm later copies to drives as "autorun.inf", so that the worm copy on the drive is launched automatically when the drive is opened (for example, when a user inserts a removable disk or a CD).
Nuqel.I also schedules itself to run at 09:00 on every weekday by creating a scheduled task with the AT command.
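The four persistence points above (Winlogon Shell, the HKCU Run value, the dropped files, and the AT job) can be checked on a live host with the following triage script. It is an added example written for this page, not code from the MMPC entry or from the worm; it assumes a Windows host with PowerShell 3 or later and is read-only.

```powershell
# Added triage script; this is not code from the MMPC entry or from the worm.
# It checks a Windows host for the Nuqel.I persistence artifacts listed above:
# the Winlogon Shell value, the HKCU Run value, the dropped files and the AT job.
# Read-only: it reports findings and changes nothing.

function Get-NuqelPersistenceFindings {
    $findings = @()

    # 1. Winlogon Shell. On a clean system the data is exactly "explorer.exe";
    #    the worm changes it to "explorer.exe ssvichosst.exe".
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $shell = (Get-ItemProperty -Path $winlogon -Name Shell -ErrorAction SilentlyContinue).Shell
    if ($shell -and $shell.Trim() -ne 'explorer.exe') {
        $findings += "Winlogon Shell is '$shell' (expected 'explorer.exe')"
    }

    # 2. HKCU Run. Match the exact value name the worm uses (note the
    #    misspelling "Messengger") and any value whose data names the dropper.
    $run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    $runValues = Get-ItemProperty -Path $run -ErrorAction SilentlyContinue
    if ($runValues) {
        foreach ($prop in $runValues.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if ($prop.Name -eq 'Yahoo Messengger' -or "$($prop.Value)" -match 'ssvichosst\.exe') {
                $findings += "Run value '$($prop.Name)' = '$($prop.Value)'"
            }
        }
    }

    # 3. Dropped files. System.IO.File is used so the check works regardless of
    #    the read-only/system/hidden attributes the worm sets on its copies.
    #    $env:windir resolves to C:\Winnt or C:\Windows as described in the entry.
    $system32 = Join-Path $env:windir 'System32'
    $paths = @(
        (Join-Path $env:windir 'ssvichosst.exe'),
        (Join-Path $system32 'ssvichosst.exe'),
        (Join-Path $system32 'autorun.ini'),
        (Join-Path $system32 'setting.ini')
    )
    foreach ($path in $paths) {
        if ([System.IO.File]::Exists($path)) {
            $attrs = [System.IO.File]::GetAttributes($path)
            $findings += "File present: $path (attributes: $attrs)"
        }
    }

    # 4. Scheduled task. Jobs created with AT.EXE are listed by schtasks as
    #    "At1", "At2", ...; match on the command rather than on the task name.
    $tasks = schtasks.exe /query /fo CSV /v 2>$null | ConvertFrom-Csv
    foreach ($task in @($tasks)) {
        if ("$($task.'Task To Run')" -match 'ssvichosst\.exe') {
            $findings += "Scheduled task '$($task.TaskName)' runs '$($task.'Task To Run')' at $($task.'Start Time')"
        }
    }

    return $findings
}

$results = @(Get-NuqelPersistenceFindings)
if ($results.Count -eq 0) { 'No Nuqel.I persistence artifacts found.' } else { $results }
```

Run it from an elevated session so that schtasks can list every job and the System folder is fully readable. The Shell check is deliberately strict: anything other than exactly "explorer.exe" is reported, which also catches other malware families that append a second executable to that value.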
Spreads Via...
Shared Drives
Worm:Win32/Nuqel.I enumerates up to 30 shared drives by checking the values within the following registry subkey:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
It then copies itself to the root of each shared drive it finds, under the following file names:
- New Folder.exe
- svichosst.exe
It also copies its dropped "autorun.ini" file to the root of the share as "autorun.inf", setting the read-only, system, and hidden attributes on it, and copies itself as "svichosst.exe" into every subfolder of the share that it can reach.
Removable Drives
Worm:Win32/Nuqel.I copies itself to the root of each removable drive it finds, under the following file names:
- New Folder.exe
- svichosst.exe
It also copies its dropped "autorun.ini" file to the root of the drive as "autorun.inf", setting the read-only, system, and hidden attributes on it. The autorun.inf file causes the worm copy to run automatically when the drive is inserted into another system on which AutoRun is enabled. It also copies itself as "svichosst.exe" into every subfolder of the removable drive that it can reach.
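The drive and share behaviour in the two sections above can be checked, and optionally cleaned, with the following script. It is an added example written for this page, not code from the MMPC entry or from the worm. It assumes PowerShell 3 or later, and it assumes that the values under WorkgroupCrawler\Shares hold UNC paths (either as value names or as data); that assumption is marked in the code.

```powershell
# Added triage script; this is not code from the MMPC entry or from the worm.
# It inspects the roots the worm targets (every filesystem drive plus the shares
# recorded under WorkgroupCrawler\Shares) for the worm copies and for an
# autorun.inf that would launch them. With -Remove it deletes the worm files
# and only those autorun.inf files that point at a worm file name.

function Get-AutorunCommands {
    param([string]$InfPath)
    # Return the commands an autorun.inf would launch: the open=, shellexecute=
    # and shell\<verb>\command= keys inside its [autorun] section.
    $inSection = $false
    $commands = @()
    foreach ($line in [System.IO.File]::ReadAllLines($InfPath)) {
        $text = $line.Trim()
        if ($text -match '^\[(.+)\]$') { $inSection = ($Matches[1] -eq 'autorun'); continue }
        if ($inSection -and $text -match '^(open|shellexecute|shell\\[^\\]+\\command)\s*=\s*(.+)$') {
            $commands += $Matches[2].Trim()
        }
    }
    return $commands
}

function Get-NuqelDriveFindings {
    param([switch]$Remove)
    $wormNames = @('New Folder.exe', 'svichosst.exe')
    $findings = @()

    # Roots to inspect. Assumption: the WorkgroupCrawler\Shares values hold UNC
    # paths either as value names or as data; keep anything shaped like \\host\share.
    $roots = @(Get-PSDrive -PSProvider FileSystem | ForEach-Object { $_.Root })
    $sharesKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
    $shares = Get-ItemProperty -Path $sharesKey -ErrorAction SilentlyContinue
    if ($shares) {
        foreach ($prop in $shares.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata, not registry values
            foreach ($candidate in @($prop.Name, "$($prop.Value)")) {
                if ($candidate -match '^\\\\[^\\]+\\[^\\]+') { $roots += $candidate }
            }
        }
    }

    foreach ($root in ($roots | Select-Object -Unique)) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # Worm copies: "New Folder.exe" and "svichosst.exe" in the root, and
        # "svichosst.exe" in subfolders. -Force is required because the worm
        # sets the hidden and system attributes on its copies.
        $copies = Get-ChildItem -LiteralPath $root -Recurse -Force -File -ErrorAction SilentlyContinue |
            Where-Object { $wormNames -contains $_.Name }
        foreach ($file in $copies) {
            $findings += "Worm copy: $($file.FullName) ($($file.Attributes))"
            if ($Remove) {
                [System.IO.File]::SetAttributes($file.FullName, [System.IO.FileAttributes]::Normal)
                Remove-Item -LiteralPath $file.FullName -Force
            }
        }

        # autorun.inf in the root: report what it launches, and delete it only
        # when it launches a worm file name, so a legitimate autorun.inf survives.
        $inf = Join-Path $root 'autorun.inf'
        if ([System.IO.File]::Exists($inf)) {
            $commands = @(Get-AutorunCommands -InfPath $inf)
            $malicious = $false
            foreach ($cmd in $commands) {
                foreach ($name in $wormNames) { if ($cmd -like "*$name*") { $malicious = $true } }
            }
            $findings += "$inf launches: $($commands -join '; ')$(if ($malicious) { ' [matches worm file name]' })"
            if ($Remove -and $malicious) {
                [System.IO.File]::SetAttributes($inf, [System.IO.FileAttributes]::Normal)
                Remove-Item -LiteralPath $inf -Force
            }
        }
    }

    return $findings
}

# Usage: Get-NuqelDriveFindings            (report only)
#        Get-NuqelDriveFindings -Remove    (report and delete)
Get-NuqelDriveFindings
```

The recursive listing covers every fixed drive as well, so it can take a while on a large volume; that is intentional, because the worm also drops "svichosst.exe" into subfolders. Clean the host (the ssvichosst.exe copies, the Shell and Run values, and the AT job) before cleaning drives and shares, otherwise the running worm simply re-creates the files.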
Payload
Modifies System Settings
Nuqel.I makes a number of changes to system settings via the following registry modifications:
This last registry modification allows the "New Folder.exe" file to have a folder icon, which can potentially trick a user into double-clicking (and thus executing) the worm copy.
Downloads Arbitrary Files/Updates
The worm checks the following domains for files named setting.nql or setting.xls:
nhatquanglan3.t35.com
nhatquanglan4.t35.com
If a file is found, the worm saves it to the System folder as setting.ini. It then attempts to retrieve a number of files from a URL specified in setting.ini; once downloaded, those files are dropped to the System folder and executed.
Sends Messages
Every 30 minutes, Nuqel.I attempts to send a URL and a message via Yahoo! Messenger, both taken from the previously downloaded setting.ini. If that information is not present in the file, or the file itself cannot be found, the worm instead sends a link to "nhatquanglan1.0catch.com" with one of the following messages (Vietnamese written without diacritics; an approximate English translation follows each):
"E may, vao day coi co con nho nay ngon lam <link>" (approximately: "Hey man, come here and look, this girl is really hot")
"Vao day nghe bai nay di ban <link>" (approximately: "Come listen to this song, friend")
"Biet tin gi chua, vao day coi di <link>" (approximately: "Heard the news yet? Come take a look")
"Trang Web nay coi cung hay, vao coi thu di <link>" (approximately: "This website is pretty good, come check it out")
"Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? <link>" (approximately: "I wander through the freezing dark; where do I go now that I have lost you? Where to, when so many dreams have shattered... Where to, where do I even go?")
"Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... <link>" (approximately: "Cry so the longing in my heart fades, cry so the sorrow feels like nothing. All the love of days gone by has scattered like smoke and clouds drifting far away...")
"Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... <link>" (approximately: "If only you had never said you would love me forever, I would be happier now. Now you have strayed to somewhere far away, and the bitterness is mine alone...")
"Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... <link>" (approximately: "The words you said about our love were like the ending of a sad film. You came like a dream and then left, leaving me stunned...")
"Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon... <link>" (approximately: "I give you back the joy of being near you, give back the loving words you brought, give back the faith we built over the years. Now they are only sad memories...")
Terminates Processes
Worm:Win32/Nuqel.I looks for open windows with the following titles and attempts to close them:
"System Configuration"
"Registry"
"Windows Tasks"
"Bkav2006"
"[FireLion]"
It also attempts to terminate the following processes if found running in the system:
Modifies Security Settings
Nuqel.I attempts to remove registry autostart entries for the following security programs:
Analysis by Oleg Petrovsky