Worm:MSIL/Nepinseft.A is a worm that spreads via logical drives and steals sensitive information from the affected user's computer.
Installation
Worm:MSIL/Nepinseft.A may drop the following files:
- %TEMP%\U&P.txt
- %TEMP%\Stub.exe - detected as Worm:MSIL/Nepinseft.B
- %TEMP%\swhost.exe - detected as Worm:MSIL/Nepinseft.A
- %TEMP%\TheShattering-of-RIFINmovie.exe - detected as Worm:MSIL/Nepinseft.A
- %TEMP%\Sys32\New PC Infected <computer_name>.html
- %TEMP%\Sys32\Passwords of <computer_name>.html
- %TEMP%\Sys32\MasterKey Logs of <computer_name><DashDate>.html
- %TEMP%\Sys32\MasterKey Screenshot of <computer_name><DashDate>.jpeg
- %USERPROFILE%\Templates\Downloaded.exe
Where <computer_name> is the name of the computer, and <DashDate> is a formatted timestamp with dashes. For example, if the computer name was "Mikey" and the date was 14th December 2010, the following files may be created:
- %TEMP%\Sys32\MasterKey Logs of Mikey 12-14-2010---9-33-14---PM.html
- %TEMP%\Sys32\MasterKey Screenshot of Mikey 12-14-2010---9-33-14---PM.jpeg
Worm:MSIL/Nepinseft.A may make the following changes to the registry in order to ensure its copy executes at each system start:
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion
Sets value: "M File"
With data: "<full path to initial file>"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
Sets value: "WindowsSoundDrivers"
With data: "%TEMP%\TheShattering-of-RIFINmovie.exe"
In subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Sets value: "Hidden"
With data: "true"
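As an added illustration (not part of the original analysis), the following Python script turns the dropped-file names and registry values listed above into offline detection rules. It runs them over a constructed directory listing and a constructed .reg export; the user name "mikey", every sample path, the benign decoy entries and the rule names are assumptions made for this example, and the <DashDate> pattern is taken from the "12-14-2010---9-33-14---PM" form shown on the page.

```python
import re
from pathlib import PureWindowsPath

# <DashDate> as shown on the page: month-day-year---hour-minute-second---AM/PM,
# e.g. "12-14-2010---9-33-14---PM". Kept as a plain (non-f) string because it
# contains regex braces.
DASHDATE = r"\d{1,2}-\d{1,2}-\d{4}---\d{1,2}-\d{1,2}-\d{1,2}---[AP]M"

# One rule per dropped file from the Installation section:
# (rule name, regex matched case-insensitively against the file's base name).
FILE_RULES = [
    ("nepinseft_up_txt",       re.compile(r"^U&P\.txt$", re.I)),
    ("nepinseft_stub",         re.compile(r"^Stub\.exe$", re.I)),
    ("nepinseft_swhost",       re.compile(r"^swhost\.exe$", re.I)),
    ("nepinseft_movie_lure",   re.compile(r"^TheShattering-of-RIFINmovie\.exe$", re.I)),
    ("nepinseft_downloaded",   re.compile(r"^Downloaded\.exe$", re.I)),
    ("nepinseft_infected_html", re.compile(r"^New PC Infected .+\.html$", re.I)),
    ("nepinseft_passwords_html", re.compile(r"^Passwords of .+\.html$", re.I)),
    ("nepinseft_keylog_html",  re.compile(r"^MasterKey Logs of .+?\s*" + DASHDATE + r"\.html$", re.I)),
    ("nepinseft_screenshot",   re.compile(r"^MasterKey Screenshot of .+?\s*" + DASHDATE + r"\.jpeg$", re.I)),
]

# Constructed listing of a suspect host (not real telemetry). The last two
# entries are benign decoys: "svchost.exe" must not be confused with "swhost.exe".
SAMPLE_FILES = [
    r"C:\Users\mikey\AppData\Local\Temp\U&P.txt",
    r"C:\Users\mikey\AppData\Local\Temp\swhost.exe",
    r"C:\Users\mikey\AppData\Local\Temp\Sys32\Passwords of Mikey.html",
    r"C:\Users\mikey\AppData\Local\Temp\Sys32\MasterKey Logs of Mikey 12-14-2010---9-33-14---PM.html",
    r"C:\Users\mikey\AppData\Local\Temp\Sys32\MasterKey Screenshot of Mikey 12-14-2010---9-33-14---PM.jpeg",
    r"C:\Users\mikey\Templates\Downloaded.exe",
    r"C:\Users\mikey\AppData\Local\Temp\report.html",
    r"C:\Windows\System32\svchost.exe",
]

def match_dropped_files(paths):
    """Return (path, rule name) pairs for files whose base name matches a drop rule."""
    hits = []
    for p in paths:
        name = PureWindowsPath(p).name
        for rule, rx in FILE_RULES:
            if rx.match(name):
                hits.append((p, rule))
                break
    return hits

# Constructed .reg export (regedit "Export" format). The "M File" path and the
# "Updater" entry are made up for the example.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion]
"M File"="C:\\Users\\mikey\\Downloads\\TheShattering-of-RIFINmovie.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"WindowsSoundDrivers"="C:\\Users\\mikey\\AppData\\Local\\Temp\\TheShattering-of-RIFINmovie.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"Hidden"="true"
"ShowSuperHidden"=dword:00000000
'''

REG_LINE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text):
    """Parse a .reg export into (subkey, value name, data) triples.
    Quoted REG_SZ data is unescaped; other types (dword:, hex:) are kept raw."""
    triples, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := REG_LINE.match(line)):
            name, data = m.group(1), m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            triples.append((key, name, data))
    return triples

# Registry rules from the page: (subkey suffix, value name, required data or None).
REG_RULES = [
    (r"\Software\Microsoft\Windows\CurrentVersion", "M File", None),
    (r"\Software\Microsoft\Windows\CurrentVersion\Run", "WindowsSoundDrivers", None),
    (r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced", "Hidden", "true"),
]

def match_registry(reg_text):
    """Return (subkey, name, data) triples that match a Nepinseft registry rule."""
    hits = []
    for key, name, data in parse_reg_export(reg_text):
        for suffix, rule_name, required in REG_RULES:
            if key.lower().endswith(suffix.lower()) and name.lower() == rule_name.lower():
                if required is None or data.lower() == required:
                    hits.append((key, name, data))
    return hits

if __name__ == "__main__":
    for hit in match_dropped_files(SAMPLE_FILES) + match_registry(SAMPLE_REG):
        print(hit)
```

The file rules match on the base name only; on a real host, checking that the hit sits under %TEMP% (or %TEMP%\Sys32 and %USERPROFILE%\Templates) sharpens them. The "Hidden" rule requires the literal string "true" as the page describes, which is also a useful oddity in itself, since Explorer stores that setting as a DWORD.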
Spreads via…
Logical drives
Worm:MSIL/Nepinseft.A looks for all logical drives on the system that do not contain the %Program Files% directory. When found, the worm copies itself as "System32.exe" to the root of the targeted drive and creates an "autorun.inf" file that specifies "System32.exe". When the drive is accessed from a computer supporting the Autorun feature, the worm is launched automatically.
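As an added example (not code from the original analysis), the Python below inspects an autorun.inf the way a defender triaging a removable drive would: it parses the [autorun] section, lists which keys would launch a program, and flags the pattern the page describes, a System32.exe launched from the drive root. Both autorun.inf samples and the drive listings are constructed for the example.

```python
# Constructed autorun.inf of the kind the page describes: every launch key
# points at "System32.exe" in the drive root.
SUSPICIOUS_AUTORUN = """\
[autorun]
open=System32.exe
shellexecute=System32.exe
shell\\open\\command=System32.exe
icon=System32.exe,0
"""

# Constructed benign autorun.inf (icon and label only, launches nothing).
BENIGN_AUTORUN = """\
[AutoRun]
icon=setup.ico
label=Driver Disc
"""

def parse_autorun(text):
    """Return {lowercased key: value} for the [autorun] section.
    Section and key names are case-insensitive; ';' lines are comments."""
    values, in_section = {}, False
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            in_section = line[1:-1].lower() == "autorun"
            continue
        if in_section and "=" in line:
            key, _, val = line.partition("=")
            values[key.strip().lower()] = val.strip()
    return values

# Keys that make Windows start a program when the drive is opened or autoplayed.
LAUNCH_KEYS = ("open", "shellexecute", "shell\\open\\command")

def launched_executables(text):
    """First token of every launch command in the autorun.inf, in LAUNCH_KEYS order."""
    values = parse_autorun(text)
    found = []
    for key in LAUNCH_KEYS:
        if key in values:
            tokens = values[key].strip('"').split()
            if tokens:
                found.append(tokens[0])
    return found

def _basename(cmd):
    return cmd.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def is_nepinseft_autorun(text):
    """True when any launch key runs a file named System32.exe (the marker the
    page gives for Worm:MSIL/Nepinseft.A on a drive root)."""
    return any(_basename(exe) == "system32.exe" for exe in launched_executables(text))

def flag_drive_roots(drives):
    """drives: {drive letter: {root file name: autorun.inf content or None}}.
    Flags drives whose root holds both a Nepinseft-style autorun.inf and the
    System32.exe it points at."""
    flagged = []
    for letter, files in drives.items():
        names = {n.lower(): n for n in files}
        inf = names.get("autorun.inf")
        if inf and is_nepinseft_autorun(files[inf] or "") and "system32.exe" in names:
            flagged.append(letter)
    return flagged

# Constructed drive listings: E: carries the worm's files, D: is a vendor disc.
SAMPLE_DRIVES = {
    "E:": {"autorun.inf": SUSPICIOUS_AUTORUN, "System32.exe": None, "photos": None},
    "D:": {"autorun.inf": BENIGN_AUTORUN, "setup.exe": None},
}

if __name__ == "__main__":
    print(flag_drive_roots(SAMPLE_DRIVES))
```

The check keys on the file name because that is what the page gives; a real System32 is a directory under %WINDIR%, so an executable called System32.exe sitting in a drive root is suspicious on its own, regardless of which autorun key references it.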
Payload
Steals sensitive information
Worm:MSIL/Nepinseft.A steals sensitive information from the affected user's computer, and then sends this data via email or File Transfer Protocol (FTP) to a remote attacker. This information is stored in the %TEMP% directory in HTML files that the worm creates.
In the wild, we have observed the worm stealing the following information:
- Machine name
- Operating system details
- User name
- System Root details
- Windows key
- Credentials stored by Firefox
- Credentials stored by CoreFTP
- Credentials from visited pages in Internet Explorer
- Credentials for:
  - IMVU
  - No-IP
  - Windows Live Messenger
  - DynDNS
  - SmartFTP
  - FlashFXP
  - Steam's Half-Life
  - FileZilla
  - Pidgin
  - FTP Commander
  - Call of Duty 4
The worm also takes screenshots of the user's system, and stores them in the %TEMP% directory under the name:
<computer_name><current_time>.jpeg
Deletes files
In the wild, we have observed Worm:MSIL/Nepinseft.A deleting the following files:
- %APPDATA%\Opera\Opera\wand.dat
- %ProgramFiles%\Steam\config\SteamAppData.vdf
- %SteamDirectory%\ClientRegistry.blob
Terminates processes
Worm:MSIL/Nepinseft.A may terminate the following processes:
- Task Manager
- MS Config
- RegEdit
Analysis by Michael Johnson