Installation
Win32/Nuqel copies itself to one of the following folders with read-only, hidden and system attributes:
It uses a variable file name, such as "scvhost.exe", "rvhost.exe", "regsvr.exe", or "winhelp.exe".
It changes the following registry entries so that it runs each time you start your PC:
In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
To data: "explorer.exe <Win32/Nuqel worm copy>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Msn Messsenger"
To data: "<Win32/Nuqel worm copy>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Yahoo Messengger"
To data: "<Win32/Nuqel worm copy>"
Win32/Nuqel adds a scheduled task to run the worm every day at 09:00 by using the following command.
- cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <Win32/Nuqel worm copy>
To maximize the length of time the worm remains active, it modifies registry data to remove the time limit on AT tasks:
In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Sets value: "AtTaskMaxHours"
To data: "0"
Spreads via...
Network shares and removable drives
Win32/Nuqel enumerates shared drives by checking the values within the following registry subkey:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
It then copies itself to the root of each discovered shared drive as the file "New Folder.exe". The worm also copies itself to all folders and subfolders as "<folder name>.exe", where "folder name" is the same as the name of the folder present on the infected shared drive. The worm writes one of the copied file paths to the registry subkey mentioned above.
The worm also copies itself to removable drives as the file "New Folder.exe". The worm copies itself to all folders and subfolders as "<folder name>.exe", where "folder name" is the same as the folder present on the infected removable drive.
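The following PowerShell audit is an added example, not code from the original analysis. It scans a drive or share for the two propagation artefacts described above (a root-level "New Folder.exe" and an executable named after a folder) without modifying anything; the function name is the author's own, and because the text does not say whether the "<folder name>.exe" copy sits beside the folder or inside it, both locations are checked (an assumption).

```powershell
# Added example, not from the original analysis. Read-only scan of a drive
# or share for the copies Win32/Nuqel is described as leaving behind.
function Find-NuqelDropperCopies {
    param([Parameter(Mandatory)][string]$Root)   # e.g. 'E:\' or '\\server\share'

    # 1. "New Folder.exe" dropped at the root of the drive or share.
    $rootCopy = Join-Path $Root 'New Folder.exe'
    if (Test-Path -LiteralPath $rootCopy -PathType Leaf) {
        [pscustomobject]@{ Path = $rootCopy; Reason = 'Root-level "New Folder.exe"' }
    }

    # 2. "<folder name>.exe" for every folder and subfolder. Assumption: the
    #    copy may be placed beside the folder or inside it, so test both.
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $exeName = "$($_.Name).exe"
            $candidates = @((Join-Path $_.Parent.FullName $exeName),
                            (Join-Path $_.FullName $exeName))
            foreach ($candidate in $candidates) {
                if (Test-Path -LiteralPath $candidate -PathType Leaf) {
                    # -Force so hidden/system copies are still reported.
                    $attr = (Get-Item -LiteralPath $candidate -Force).Attributes
                    [pscustomobject]@{ Path       = $candidate
                                       Reason     = 'Executable named after its folder'
                                       Attributes = $attr }
                }
            }
        }
}

Find-NuqelDropperCopies -Root 'E:\' | Format-Table -AutoSize
```

A legitimate installer can share a name with its folder, so treat each hit as a lead to verify (hash, signature, hidden/system attributes) rather than as a confirmed infection.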
Chat client Yahoo! Messenger
Win32/Nuqel attempts to send a URL pointing to the malware hosted at a remote server location, and a message sourced from setting.ini (see the Payload section "Downloads data" below) using Yahoo! Messenger. If the worm fails to read from the configuration file, it sends messages containing one of the following texts and a URL pointing to a copy of the worm hosted at a remote server location:
- Action may not always bring happiness; but there is no happiness without action
- Aishwarya Rai videos
- asl please <user id> i am 23 female, delhi (india) <user id> and you?
- Biet tin gi chua, vao day coi di
- cyber cafe scandal visit
- E may, vao day coi co con nho nay ngon lam
- Free mobile games
- Happiness is a choice that requires effort at times
- Happiness is not a destination. It is a method of life
- happiness is not a destination. it is a method of life url
- Happy sankranti/pongal
- hey please help me to test my new cam application bin
- hey what are you doing please test my new webcam using private application bin
- I am a strong believer in luck and I find the harder I work the more I have of it
- If you want truly to understand something, try to change it
- if you want truly to understand something, try to change it url
- Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa...
- Latest video shot of infosys girl
- Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo...
- Nfs carbon download
- now search your google in a hybrid\dynamic way url
- Nse going to crash for more
- ok <user id> thats fine
- Regular monthly income by wearing your shorts at the comfort of your home for more info
- stream Video of Nayanthara and Simbu
- Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi...
- The best way to cheer yourself up is to try to cheer somebody else up
- The wise man in the storm prays God, not for safety from danger, but for deliverance from fear
- The wisest mind has something yet to learn
- the wisest mind has something yet to learn url
- There is in the worst of fortune the best of chances for a happy change.
- There is only one way to happiness and that is to cease worrying about things which are beyond the power of our will
- Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?
- Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon...
- Trang Web nay coi cung hay, vao coi thu di
- Vao day nghe bai nay di ban
- view my private cam via secured connection bin
- waiting for you, view my private cam via secured connection bin
- World Business news broadcaster
Payload
Installs other malware
We have seen this threat install other malware that can monitor what you do on your PC. We detect this component as MonitoringTool:Win32/Ardamax.
Disables Windows utilities
Win32/Nuqel modifies registry data to disable Windows Task Manager and Registry Editor.
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
Sets value: "DisableTaskMgr"
To data: "1"
Sets value: "DisableRegistryTools"
To data: "1"
Changes Windows settings
Win32/Nuqel disables File Explorer folder options by making the following registry modification:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NofolderOptions"
To data: "1"
It can do this for a number of reasons, including stopping you from changing the options to view hidden files and folders.
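As an added example (not code from the original analysis), the PowerShell function below audits, read-only, every registry location listed in the Installation section and in the two payload sections above, reporting only values whose data matches what the worm is described as writing; the function and variable names are the author's own.

```powershell
# Added example, not from the original analysis: audit the registry values
# Win32/Nuqel is described as modifying. Each check pairs the documented
# key/value with a test that flags the documented data. Run elevated for HKLM.
$NuqelChecks = @(
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'; Name = 'Shell'
       Why  = 'Winlogon Shell should be exactly "explorer.exe"'
       Test = { param($v) $v -and ($v.Trim() -ne 'explorer.exe') } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Msn Messsenger'
       Why  = 'Run value name used by the worm (note the misspelling)'
       Test = { param($v) $null -ne $v } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'Yahoo Messengger'
       Why  = 'Run value name used by the worm (note the misspelling)'
       Test = { param($v) $null -ne $v } },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Schedule'; Name = 'AtTaskMaxHours'
       Why  = 'AT task time limit removed'; Test = { param($v) $v -eq 0 } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableTaskMgr'
       Why  = 'Task Manager disabled'; Test = { param($v) $v -eq 1 } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DisableRegistryTools'
       Why  = 'Registry Editor disabled'; Test = { param($v) $v -eq 1 } },
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NofolderOptions'
       Why  = 'Folder Options hidden'; Test = { param($v) $v -eq 1 } }
)

function Test-NuqelRegistry {
    foreach ($c in $NuqelChecks) {
        # A missing key or value yields $null; nothing is ever written.
        $item  = Get-ItemProperty -Path $c.Path -Name $c.Name -ErrorAction SilentlyContinue
        $value = if ($item) { $item.($c.Name) } else { $null }
        if (& $c.Test $value) {
            [pscustomobject]@{ Path = $c.Path; Name = $c.Name; Data = $value; Finding = $c.Why }
        }
    }
    # The worm records one of its share copies under WorkgroupCrawler\Shares;
    # any value there whose data is an .exe path deserves a look.
    $shares = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares'
    if (Test-Path $shares) {
        foreach ($name in (Get-Item $shares).Property) {
            $data = (Get-ItemProperty -Path $shares -Name $name).$name
            if ("$data" -match '\.exe$') {
                [pscustomobject]@{ Path = $shares; Name = $name; Data = $data
                                   Finding = 'Executable path recorded in share crawler data' }
            }
        }
    }
}

Test-NuqelRegistry | Format-Table -AutoSize
```

Registry value names are case-insensitive, so the page's "NofolderOptions" spelling matches the value however it was written.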
Downloads data
Win32/Nuqel can download configuration data from a remote server and save the data as the following file:
- %systemroot%\system32\setting.ini
It reads the locations of files to download from the configuration file, then downloads those files to %SystemRoot%\system32 and runs them.
We have seen it connect to the following servers to download its configuration file:
- freewebs.com/nhattruongquang/setting.nql
- freewebs.com/nhattruongquang/setting.xls
- gototalgo.googlepages.com/setting.ini
- nhatquanglan2.0catch.com/setting.nql
- nhatquanglan2.0catch.com/setting.xls
- rnd009.googlepages.com/setting.ini
- seeprivatecam.googlepages.com/setting.ini
- yahoo.com/setting.doc
- yahoo.com/setting.xls
It also updates itself by checking and downloading the latest version available from the server.
Stops processes and applications
Win32/Nuqel can stop the following processes:
- Bkav2006.exe
- cmd.exe
- game_y.exe
- HijackThis.exe
- mmc.exe
It can close application windows that have any of the following text in the window title:
- Bkav2006
- System Configuration
- Registry
- Windows Task
- Trung tâm An ninh mạng Bkis
- FireLion
Deletes registry data
Win32/Nuqel can delete the following registry security application subkeys:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection
- HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw
Analysis by Shawn Wang