Win32/Nuqel


Microsoft security software detects and removes this threat.

This family of worms can stop some programs from working and download files onto your PC, including other malware.

They spread by copying themselves to network shares and removable drives, such as USB flash drives. They can also spread through instant messages sent via instant messaging clients, such as MSN Messenger.

Find out ways that malware can get on your PC.  



What to do now

Use the following free Microsoft software to detect and remove this threat:

You should also run a full scan. A full scan might find other, hidden malware.

Be careful when sharing files

Windows has a feature that lets you share files and folders on a network or shared PC. This feature is sometimes abused by malware to spread to other PCs within the network.

You can get more information and tips on how to share files safely from these pages:

You should turn off file sharing until you make sure that all infected PCs have been cleaned of any malware.

Enable the registry editor

This threat might prevent Registry Editor from running. To allow the Registry Editor to run, follow these steps:

  1. Click Start then Run and type cmd to run a command prompt.
  2. In the command prompt, type the following and press Enter:
    reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableRegistryTools /t REG_DWORD /d 0 /f
  3. Type exit.

Additional remediation instructions for this threat

This threat might make lasting changes to your PC's settings that won't be restored when it's cleaned. The following links can help change these settings back to what you want:

Get more help

You can also visit our advanced troubleshooting page or search the Microsoft virus and malware community for more help.

If you’re using Windows XP, see our Windows XP end of support page.

Threat behavior

Installation

Win32/Nuqel copies itself to one of the following folders with read-only, hidden and system attributes:

It uses a variable file name, such as "scvhost.exe", "rvhost.exe", "regsvr.exe", or "winhelp.exe".

It changes the following registry entries so that it runs each time you start your PC:

In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Sets value: "Shell"
To data: "explorer.exe <Win32/Nuqel worm copy>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Msn Messsenger"
To data: "<Win32/Nuqel worm copy>"

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Sets value: "Yahoo Messengger"
To data: "<Win32/Nuqel worm copy>"

Win32/Nuqel adds a scheduled task to run the worm every day at 09:00 by using the following command.

  • cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <Win32/Nuqel worm copy>

To keep the scheduled copy running for as long as possible, the worm modifies registry data to remove the time limit on AT tasks:

In subkey: HKLM\SYSTEM\CurrentControlSet\Services\Schedule
Sets value: "AtTaskMaxHours"
To data: "0"

Spreads via...
Network shares and removable drives

Win32/Nuqel enumerates shared drives by checking the values within the following registry subkey:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares

It then copies itself to the root of each discovered shared drive as the file "New Folder.exe". The worm also copies itself to all folders and subfolders as "<folder name>.exe", where "folder name" is the name of the folder present on the infected shared drive. The worm writes one of the copied file paths to the above-mentioned registry subkey.

The worm also copies itself to removable drives as the file "New Folder.exe". The worm copies itself to all folders and subfolders as "<folder name>.exe", where "folder name" is the same as the folder present on the infected removable drive.
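The naming pattern described above ("New Folder.exe" in the root, "<folder name>.exe" for each folder) is easy to check for from the defender's side. The script below is an added example, not Microsoft's tooling: it walks a drive or share root and reports files that fit the pattern without deleting anything. The page does not say whether "<folder name>.exe" lands beside the folder or inside it, so the check covers both placements, and it reports "New Folder.exe" at any depth rather than only in the root. The drive image it scans is constructed in a temporary directory with placeholder bytes, so it runs offline.

```python
"""Look for the file layout this page says Win32/Nuqel leaves on a network
share or removable drive: "New Folder.exe" plus a "<folder name>.exe" for
each folder. Added example, not Microsoft's tooling; the drive image is
constructed in a temporary directory, and nothing is deleted, only reported."""
import os
import tempfile


def find_nuqel_droppings(root):
    """Return '/'-separated paths (relative to root) of files matching the
    worm's naming pattern. The page does not say whether "<folder name>.exe"
    lands beside the folder or inside it, so both placements are checked,
    and "New Folder.exe" is reported at any depth, not only in the root."""
    hits = set()
    for dirpath, dirnames, filenames in os.walk(root):
        by_lower = {f.lower(): f for f in filenames}
        if "new folder.exe" in by_lower:
            hits.add(os.path.join(dirpath, by_lower["new folder.exe"]))
        for d in dirnames:
            twin = d.lower() + ".exe"
            if twin in by_lower:                       # beside the folder
                hits.add(os.path.join(dirpath, by_lower[twin]))
            inside = os.path.join(dirpath, d, d + ".exe")
            if os.path.isfile(inside):                 # inside the folder
                hits.add(inside)
    return sorted(os.path.relpath(p, root).replace(os.sep, "/") for p in hits)


def build_sample_drive(base):
    """Constructed sample: a few legitimate files plus the worm's decoy names.
    The .exe contents are placeholder bytes, not executables."""
    os.makedirs(os.path.join(base, "Photos", "2010"))
    os.makedirs(os.path.join(base, "Docs"))
    for rel in ("New Folder.exe", "Photos.exe", "Docs.exe",
                os.path.join("Photos", "2010.exe"),
                os.path.join("Photos", "IMG_001.jpg"),
                os.path.join("Docs", "report.doc")):
        with open(os.path.join(base, rel), "wb") as fh:
            fh.write(b"placeholder, not a real executable")
    return base


def demo():
    """Build the sample drive, scan it, and return the relative hit paths."""
    with tempfile.TemporaryDirectory() as tmp:
        return find_nuqel_droppings(build_sample_drive(tmp))


if __name__ == "__main__":
    for path in demo():
        print("suspicious:", path)
```

To check a real drive, call find_nuqel_droppings with its root (for example a removable drive letter) and review the reported paths before removing anything; a legitimately named "Photos.exe" next to a "Photos" folder is rare but possible, so the output is a triage list, not a verdict.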

Chat client Yahoo! Messenger

Win32/Nuqel attempts to send, via Yahoo! Messenger, a URL pointing to the malware hosted at a remote server location together with a message sourced from setting.ini (see "Downloads data" in the Payload section below). If the worm cannot read the configuration file, it instead sends one of the following texts together with a URL pointing to a copy of the worm hosted at a remote server location:

  • Action may not always bring happiness; but there is no happiness without action
  • Aishwarya Rai videos
  • asl please <user id> i am 23 female, delhi (india) <user id> and you?
  • Biet tin gi chua, vao day coi di
  • cyber cafe scandal visit
  • E may, vao day coi co con nho nay ngon lam
  • Free mobile games
  • Happiness is a choice that requires effort at times
  • Happiness is not a destination. It is a method of life
  • happiness is not a destination. it is a method of life url
  • Happy sankranti/pongal
  • hey please help me to test my new cam application bin
  • hey what are you doing please test my new webcam using private application bin
  • I am a strong believer in luck and I find the harder I work the more I have of it
  • If you want truly to understand something, try to change it
  • if you want truly to understand something, try to change it url
  • Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa...
  • Latest video shot of infosys girl
  • Latest video shot of infosys girl
  • Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo...
  • Nfs carbon download
  • now search your google in a hybrid\dynamic way url
  • Nse going to crash for more
  • ok <user id> thats fine
  • Regular monthly income by wearing your shorts at the comfort of your home for more info
  • stream Video of Nayanthara and Simbu
  • Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi...
  • The best way to cheer yourself up is to try to cheer somebody else up
  • The wise man in the storm prays God, not for safety from danger, but for deliverance from fear
  • The wisest mind has something yet to learn
  • the wisest mind has something yet to learn url
  • There is in the worst of fortune the best of chances for a happy change.
  • There is only one way to happiness and that is to cease worrying about things which are beyond the power of our will
  • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau?
  • Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon...
  • Trang Web nay coi cung hay, vao coi thu di
  • Vao day nghe bai nay di ban
  • view my private cam via secured connection bin
  • waiting for you, view my private cam via secured connection bin
  • World Business news broadcaster

Payload

Installs other malware

We have seen this threat install other malware that can monitor what you do on your PC. We detect this component as MonitoringTool:Win32/Ardamax.

Disables Windows utilities

Win32/Nuqel modifies registry data to disable Windows Task Manager and Registry Editor.

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System

Sets value: "DisableTaskMgr"
To data: "1"

Sets value: "DisableRegistryTools"
To data: "1"

Changes Windows settings

Win32/Nuqel disables File Explorer folder options by making the following registry modification:

In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Sets value: "NofolderOptions"
To data: "1"

It can do this for a number of reasons, including to stop you from turning on the option to view hidden files and folders, which would reveal its hidden copies.
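The registry values listed in the Installation section (Winlogon Shell, the two Run values, AtTaskMaxHours) and in the Payload section above (DisableTaskMgr, DisableRegistryTools, NofolderOptions) can all be checked from an export taken with reg.exe rather than on the live machine. The script below is an added example, not Microsoft's tooling: it parses the .reg export format and reports which of the page's indicators are present. The sample export it ships with is constructed, and the scvhost.exe path in it is a placeholder rather than a path from a real sample.

```python
"""Triage a registry export (.reg text, as written by ``reg export``) for the
persistence and lockdown values this page attributes to Win32/Nuqel.
Added example, not Microsoft's tooling; the sample export below is
constructed and the scvhost.exe path in it is a placeholder."""
import re

# Hive names as they appear in .reg files, mapped to the page's abbreviations.
_HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU",
          "HKEY_CLASSES_ROOT": "HKCR", "HKEY_USERS": "HKU"}
_KEY_RE = re.compile(r"^\[(-?)(.+)\]$")
_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')

# Keys from the Installation and Payload sections, lower-cased for lookup.
_WINLOGON = r"hklm\software\microsoft\windows nt\currentversion\winlogon"
_RUN = r"hkcu\software\microsoft\windows\currentversion\run"
_SCHEDULE = r"hklm\system\currentcontrolset\services\schedule"
_POL_SYSTEM = r"hkcu\software\microsoft\windows\currentversion\policies\system"
_POL_EXPLORER = r"hkcu\software\microsoft\windows\currentversion\policies\explorer"

def _unescape(s):
    # .reg files escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg_export(text):
    """Return {key: {value_name: data}}, keys and names lower-cased.
    Decodes REG_SZ ("...") and REG_DWORD (dword:) data; hex: data and its
    continuation lines are skipped because no indicator here needs them."""
    keys, current, in_hex = {}, None, False
    for raw in text.splitlines():
        line = raw.strip()
        if in_hex:                       # swallow "hex:..,\" continuation lines
            in_hex = line.endswith("\\")
            continue
        if not line or line[0] == ";" or line.startswith(("Windows Registry", "REGEDIT4")):
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group(1):               # "[-HKEY...]" is a key deletion
                current = None
                continue
            hive, _, rest = m.group(2).partition("\\")
            current = (_HIVES.get(hive.upper(), hive) + "\\" + rest).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name = _unescape(m.group(1)).lower() if m.group(1) is not None else "@"
            data = m.group(2)
            if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
                keys[current][name] = _unescape(data[1:-1])
            elif data.lower().startswith("dword:"):
                keys[current][name] = int(data[6:], 16)
            else:
                in_hex = data.endswith("\\")
    return keys

def find_nuqel_indicators(reg_text):
    """Return human-readable findings; an empty list means nothing matched."""
    keys = parse_reg_export(reg_text)
    findings = []
    shell = keys.get(_WINLOGON, {}).get("shell")
    # A clean Winlogon Shell is exactly "explorer.exe"; the worm appends its copy.
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        findings.append(f"Winlogon Shell altered: {shell!r}")
    for name in ("msn messsenger", "yahoo messengger"):   # spelled as the worm writes them
        if name in keys.get(_RUN, {}):
            findings.append(f"Run value {name!r} -> {keys[_RUN][name]!r}")
    if keys.get(_SCHEDULE, {}).get("attaskmaxhours") == 0:
        findings.append("AtTaskMaxHours = 0 (AT task time limit removed)")
    for name in ("disabletaskmgr", "disableregistrytools"):
        if keys.get(_POL_SYSTEM, {}).get(name) == 1:
            findings.append(f"{name} = 1 (Windows utility disabled)")
    if keys.get(_POL_EXPLORER, {}).get("nofolderoptions") == 1:
        findings.append("NofolderOptions = 1 (Folder Options hidden)")
    return findings

# Constructed sample: what an export of the affected keys might look like
# after infection. The file path is a placeholder, not a real sample's path.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe C:\\WINDOWS\\system32\\scvhost.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Msn Messsenger"="C:\\WINDOWS\\system32\\scvhost.exe"
"Yahoo Messengger"="C:\\WINDOWS\\system32\\scvhost.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"AtTaskMaxHours"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NofolderOptions"=dword:00000001
'''
```

reg.exe writes exports as UTF-16, so read a real file with open(path, encoding="utf-16") before passing its contents to find_nuqel_indicators. The Winlogon Shell check fires on any value other than "explorer.exe", which also catches other malware that hijacks that value, so confirm what the appended path points to before treating it as a Nuqel infection.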

Downloads data

Win32/Nuqel can download configuration data from a remote server and save the data as the following file:

  • %systemroot%\system32\setting.ini

It reads the locations of further files to download from the configuration file, then downloads those files to %SystemRoot%\system32 and runs them.

We have seen it connect to the following servers to download its configuration file:

  • freewebs.com/nhattruongquang/setting.nql
  • freewebs.com/nhattruongquang/setting.xls
  • gototalgo.googlepages.com/setting.ini
  • nhatquanglan2.0catch.com/setting.nql
  • nhatquanglan2.0catch.com/setting.xls
  • rnd009.googlepages.com/setting.ini
  • seeprivatecam.googlepages.com/setting.ini
  • yahoo.com/setting.doc
  • yahoo.com/setting.xls

It also updates itself by checking and downloading the latest version available from the server.

Stops processes and applications

Win32/Nuqel can stop the following processes:

  • Bkav2006.exe
  • cmd.exe
  • game_y.exe
  • HijackThis.exe
  • mmc.exe

It can close application windows that have any of the following text in the window title:

  • Bkav2006
  • System Configuration
  • Registry
  • Windows Task
  • Trung tâm An ninh mạng Bkis
  • FireLion

Deletes registry data

Win32/Nuqel can delete the following registry security application subkeys:

  • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection
  • HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw

Analysis by Shawn Wang


Symptoms

System changes

The following system changes may indicate the presence of this malware:

  • The presence of the following registry modifications:

    In subkey: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
    Sets value: "Shell"
    To data: "explorer.exe <Win32/Nuqel worm copy>"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Msn Messsenger"
    To data: "<Win32/Nuqel worm copy>"

    In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    Sets value: "Yahoo Messengger"
    To data: "<Win32/Nuqel worm copy>"
  • An inability to open a command prompt, or run Windows Task Manager and Registry Editor.

Prevention


Alert level: Severe
This entry was first published on: May 19, 2011
This entry was updated on: Dec 02, 2014

This threat is also detected as:
No known aliases