Worm:Win32/Nuqel.Q is a worm that attempts to spread by copying itself to removable drives and network shares, and via Internet chat applications. The worm may download arbitrary files, block certain system utilities and lower security on the affected computer.
Installation
When run, Worm:Win32/Nuqel.Q copies itself to the following files, setting the "read-only", "hidden" and "system" file attributes on each copy:
The worm also drops copies of itself as the following:
%SystemRoot%\scvhost.exe
%SystemRoot%\hinhem.scr
Worm:Win32/Nuqel.Q drops a backup autorun configuration file as "%SystemRoot%\system32\autorun.ini"; this file is later copied to removable drives and network shares (as "autorun.inf") so that the worm is executed when they are accessed.
The registry is modified to run Worm:Win32/Nuqel.Q at each Windows start:
Modifies value: "Shell"
With data: "explorer.exe scvhost.exe"
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Adds value: "Yahoo Messengger"
With data: "%SystemRoot%\system32\scvhost.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
The worm removes the default timeout period for scheduled jobs by modifying the registry as follows:
Modifies value: "AtTaskMaxHours"
With data: "0"
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
A scheduled task (job) is created by the worm to execute the following file every day at 09:00 local time:
%SystemRoot%\system32\blastclnnn.exe
Spreads via…
Network shares
Worm:Win32/Nuqel.Q queries shares listed in the following registry subkey:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
The worm copies "%SystemRoot%\system32\scvhost.exe" to each share it finds, using one of the following file names:
New Folder.exe
scvhost.exe
The worm then copies "%SystemRoot%\system32\autorun.ini" to the same share as an Autorun configuration file named "autorun.inf". When the network share is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
The worm then traverses folders or subfolders within the share. It then copies itself to the subfolder using the folder name with the file extension ".EXE" as in the following example:
Removable drives
Worm:Win32/Nuqel.Q copies "%SystemRoot%\system32\scvhost.exe" as one of the following to all removable drives:
New Folder.exe
scvhost.exe
The worm then copies "%SystemRoot%\system32\autorun.ini" to the removable drive as an Autorun configuration file named "autorun.inf". When the removable drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
The worm then traverses folders or subfolders within the removable drive. It then copies itself to the subfolder using the folder name with the file extension ".EXE" as in the following example:
Internet chat applications
Worm:Win32/Nuqel.Q spreads by sending messages, taken from the downloaded configuration file, to the affected user's contacts through Yahoo! Messenger. If the worm is unable to read the data file to identify messages, it sends one of the following messages together with a hyperlink to a user account on the remote site "freewebtown.com" that may host malware:
"E may, vao day coi co con nho nay ngon lam"
"Vao day nghe bai nay di ban"
"Biet tin gi chua, vao day coi di"
"Trang Web nay coi cung hay, vao coi thu di"
"Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?"
"Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa…"
"Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi…"
"Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo…"
"Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon…"
Worm:Win32/Nuqel.Q also spreads itself by sending a copy of the file "%SystemRoot%\hinhem.scr" through Internet chat applications having a window title of "- Instant Message".
Payload
Downloads arbitrary files
The worm attempts to download configuration files that instruct the worm to retrieve other executables from specified remote servers. The configuration files are downloaded from one of the following remote servers and saved as "%SystemRoot%\system32\setting.ini".
setting3.yeahost.com
setting3.9999mb.com
freewebs.com/setting3
Worm:Win32/Nuqel.Q reads remote file locations from the downloaded configuration file, downloads the specified files to the folder "%SystemRoot%\system32" and executes them.
Terminates processes
Worm:Win32/Nuqel.Q tries to terminate the following processes:
game_y.exe
Bkav2006.exe
mmc.exe
HijackThis.exe
cmd.exe
The worm tries to close application windows that have the following titles:
Worm:Win32/Nuqel.Q attempts to delete the following registry values to prevent related applications from running at Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection
Changes Windows settings
Worm:Win32/Nuqel.Q disables Windows Task Manager and Registry Editor by modifying registry data. It also changes folder options in Windows Explorer.
Modifies value: "DisableTaskMgr"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Modifies value: "DisableRegistryTools"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
The worm disables Explorer folder options by modifying registry data.
Modifies value: "NofolderOptions"
With data: "1"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
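As an added triage aid that is not part of this write-up, the following read-only PowerShell check looks for the file drops, registry changes and scheduled task described in the Installation and Changes Windows settings sections above. It assumes an elevated session on the suspect host; every path and value name comes from this description, and the script reports findings without changing anything.

```powershell
# Added example (not from the original analysis): read-only triage for the
# Worm:Win32/Nuqel.Q artifacts listed in this description. Run elevated.
$sysRoot  = $env:SystemRoot
$findings = @()

# Dropped files named in the description
foreach ($f in @("$sysRoot\scvhost.exe", "$sysRoot\hinhem.scr",
                 "$sysRoot\system32\scvhost.exe", "$sysRoot\system32\autorun.ini",
                 "$sysRoot\system32\blastclnnn.exe", "$sysRoot\system32\setting.ini")) {
    if (Test-Path -LiteralPath $f) { $findings += "file present: $f" }
}

# Registry persistence and policy values: key, value name, and a test on the data
$checks = @(
    @{ Key='HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name='Shell';
       Bad={ param($d) $d -match 'scvhost\.exe' } },   # a clean Shell value is just "explorer.exe"
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name='Yahoo Messengger';
       Bad={ param($d) $true } },                       # misspelled name; any data is suspect
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'; Name='AtTaskMaxHours';
       Bad={ param($d) "$d" -eq '0' } },                # job timeout removed
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableTaskMgr';
       Bad={ param($d) "$d" -eq '1' } },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name='DisableRegistryTools';
       Bad={ param($d) "$d" -eq '1' } },
    @{ Key='HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name='NofolderOptions';
       Bad={ param($d) "$d" -eq '1' } }
)
foreach ($c in $checks) {
    # -ErrorAction SilentlyContinue yields $null when the key or value does not exist
    $item = Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue
    if ($null -ne $item) {
        $data = $item.($c.Name)
        if (& $c.Bad $data) { $findings += "registry: $($c.Key)\$($c.Name) = '$data'" }
    }
}

# The daily 09:00 job runs blastclnnn.exe; schtasks prints text, so match on the file name
$tasks = schtasks /query /fo LIST /v 2>$null
if ($tasks -match 'blastclnnn\.exe') { $findings += "scheduled task references blastclnnn.exe" }

if ($findings.Count -eq 0) { "No Nuqel.Q artifacts found." } else { $findings }
```

Any hit should be followed by a full scan with an up-to-date antimalware product, since the worm also downloads and runs files that this list cannot enumerate.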
Analysis by Shawn Wang