Worm:Win32/Nhatq is a worm that copies itself to logical and removable drives, disables Task Manager and changes system settings.
Installation
When this worm is run, it copies itself to the Windows and Windows system folders as 'rvhost.exe'. Next, the worm registers itself to run at each Windows start.
Adds value: Yahoo Messengger
With data: <system folder>\rvhost.exe
To subkey: HKEY_CURRENT_USER\Software\Microsofot\Windows\CurrentVersion\Run
Modifies value: Shell
With data: explorer.exe rvhost.exe
In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
In addition, Win32/Nhatq attempts to create a scheduled task (via the AT command) that runs the worm at 9:00 AM every day of the week, by issuing the following Windows shell commands:
cmd.exe /C AT /delete /yes
cmd.exe /C AT 09:00 /interactive /EVERY:m,t,w,th,f,s,su <system folder>\RVHOST.exe
Win32/Nhatq may attempt to download a configuration data file as <system folder>\settings.ini from the domain 'nhatquanglan2.0catch.com'.
Spreads Via…
Logical & Removable Drives
This worm will copy itself to logical and removable drives as 'new folder.exe'. When a user mistakenly opens what appears to be a new folder, the worm will execute and infect the local machine.
Payload
Modifies System Settings
The worm modifies the registry to change Windows system settings, such as disabling folder options, and disabling Windows Task Manager. Win32/Nhatq alters the registry as listed below.
Modifies value: NofolderOptions
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
Modifies value: DisableTaskMgr
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
Modifies value: AtTaskMaxHours
With data: 0
In subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule
Modifies value: GlobalUserOffline
With data: 0
In subkey: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings
Lastly, the worm may add an additional registry value:
Adds value: shared
With data: \new folder.exe
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares
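As an added example (not part of the Microsoft description above), the following Python parses a Windows .reg export and reports which of the registry changes listed on this page are present; the sample export is constructed, not captured from a real infection.

```python
import re

# Registry changes listed in the Worm:Win32/Nhatq description above, as (subkey, value name,
# data the worm writes); subkey spelling is kept exactly as the page gives it.
NHATQ_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsofot\Windows\CurrentVersion\Run", "Yahoo Messengger", "rvhost.exe"),
    (r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon", "Shell", "explorer.exe rvhost.exe"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NofolderOptions", "1"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", "1"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule", "AtTaskMaxHours", "0"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares", "shared", r"\new folder.exe"),
]

_KEY_RE = re.compile(r"^\[(.+)\]$")                                     # [HKEY_...\Subkey]
_VALUE_RE = re.compile(r'^"(.+?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')  # "Name"="str" or "Name"=dword:xxxxxxxx

def parse_reg_export(text):
    """Parse a .reg export into {(subkey, value name): data}; keys lower-cased, DWORDs as decimal strings."""
    entries, current_key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if m := _KEY_RE.match(line):
            current_key = m.group(1).lower()
        elif (m := _VALUE_RE.match(line)) and current_key:
            name, string_data, dword_hex = m.groups()
            # .reg files escape backslashes and quotes inside string data; DWORDs are hex
            data = (re.sub(r'\\(["\\])', r"\1", string_data) if string_data is not None
                    else str(int(dword_hex, 16)))
            entries[(current_key, name.lower())] = data
    return entries

def find_nhatq_indicators(reg_text):
    """Return (subkey, value name, data) for every listed Nhatq change present in the export."""
    entries = parse_reg_export(reg_text)
    hits = []
    for subkey, name, expected in NHATQ_INDICATORS:
        data = entries.get((subkey.lower(), name.lower()))
        if data is not None and expected.lower() in data.lower():
            hits.append((subkey, name, data))
    return hits

# Constructed sample export: three of the worm's entries plus one benign Run value.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsofot\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\rvhost.exe"
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="explorer.exe rvhost.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
'''
```

Running `find_nhatq_indicators(SAMPLE_REG)` returns the three worm entries and ignores the benign Run value; a real export is produced with `reg export` on the suspect host.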