Worm:Win32/Nugache is a worm that spreads via e-mail and messenger applications, and by exploiting vulnerabilities. Win32/Nugache may allow an attacker to remotely control an infected computer, host files via HTTP and/or FTP, and run other programs.
Installation
Worm:Win32/Nugache is a worm written in Visual C++. It can spread via email, exploits, and the instant message applications AOL Instant Messenger (AIM) and MSN Instant Messenger (MSNIM).
When run, it will:
Copy itself to <system folder>\mstc.exe, giving the copy the file time stamp of <system folder>\calc.exe.
Launch the dropped copy and run as a hidden process so that it will not be visible in Task Manager.
Create a mutex named "d3kb5sujs50lq2mr" to prevent multiple copies from running.
Register itself to run at each Windows start by adding the following registry value:
Adds value: Microsoft Domain Controller
With data: <system folder>\mstc.exe
To subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Create a variety of data within the registry key HKEY_CURRENT_USER\SOFTWARE\GNU
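As an added host-triage example (not part of this description), the following Python checks a registry export for the persistence value and the GNU key listed above. It assumes the export is in the plain .reg text format and uses a constructed sample embedded in the script:

```python
# Indicators taken from the Nugache description above.
RUN_VALUE_NAME = "Microsoft Domain Controller"
DROPPED_BINARY = "mstc.exe"
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_current_user\software\microsoft\windows\currentversion\run",
}
GNU_KEY = r"hkey_current_user\software\gnu"

# Constructed sample export (assumed .reg text format): one benign Run entry,
# the worm's Run entry, and a GNU key.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Updater"="C:\\Program Files\\Vendor\\updater.exe"
"Microsoft Domain Controller"="C:\\WINDOWS\\system32\\mstc.exe"

[HKEY_CURRENT_USER\Software\GNU]
"cfg"=hex:01,02,03
"""


def parse_reg_export(text):
    """Return {key (lower-cased): {value name: raw data}} from a .reg-style export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"') and "=" in line:
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys


def find_nugache_indicators(reg_text):
    """List the Run value and GNU key described above if they are present."""
    findings = []
    for key, values in parse_reg_export(reg_text).items():
        if key in RUN_KEYS:
            data = values.get(RUN_VALUE_NAME, "")
            # .reg exports double the backslashes; normalise before matching.
            if data.lower().replace("\\\\", "\\").endswith("\\" + DROPPED_BINARY):
                findings.append(f"persistence: {key}\\{RUN_VALUE_NAME} = {data}")
        if key == GNU_KEY or key.startswith(GNU_KEY + "\\"):
            findings.append(f"worm config key present: {key}")
    return findings


if __name__ == "__main__":
    for hit in find_nugache_indicators(SAMPLE_EXPORT):
        print(hit)
```

On a live host the same checks can be run against the output of `reg export` for the two Run keys and HKCU\SOFTWARE\GNU.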
Spreads Via…
Instant Messenger Applications
Worm:Win32/Nugache can spread itself via AIM and MSNIM messaging clients using the user's friends/buddy list. It will send a link to a program named one of the following:
DSC1060193.scr
my pic.scr
self nude.scr
E-mail
When spreading itself via email, it will send itself to addresses found on the user's machine. It will avoid sending to email addresses containing:
bug
gnu
icrosof
indow
upda
ource
dmin
.mil
.gov
buse
inux
uppor
spam
secur
ccoun
bmaste
It will use the following subjects in the constructed e-mail:
hey
k, here
hey!
FW:
okay
here
hi
hey there
iight
whats up
lol
heh
sup
The email will appear to be from an address that has the following form:
<optional prefix><Name><random number>@<domain>
This address may have 'o', 'X', or 'x' characters throughout it, where the above address properties are composed from the lists below:
<optional prefix>
<Name>
<domain>
yahoo.com
hotmail.com
aol.com
gmail.com
hush.com
comcast.net
Example 'From' e-mail addresses crafted by the worm:
The body of the email will contain a mix of the following components, which may be scrambled:
ass
clown
shit
fag
dick
douche
cake
hat
boat
wad
head
face
wagon
k
ok
here
hey
okay
the file
that thing
that shit
that nigger
the shit
i promised
you like
you wanted
i found
i almost deleted
Example body text crafted by the worm:
The worm is attached to the e-mail message with a file name picked from the lists of file names and file extensions shown below.
Possible file names (chosen at random):
attachment
documents
backup
forwarded
details
Possible file extensions (chosen at random):
Exploit of Vulnerabilities
Worm:Win32/Nugache may use exploits for the LSASS and ASN.1 vulnerabilities described in MS04-011 and MS04-007, respectively.
Payload
Backdoor Command & Control
It may connect to an IRC server to allow an unauthorized user to remotely control the machine and host files via HTTP and FTP. It will add exceptions to the Windows firewall for these servers.
Additionally, this worm may create a file called %AppData%\FNTCACHE.BIN.