Threat behavior
Win32/Nugache.A@mm takes the following actions:
Copies itself to the Windows system folder as mstc.exe
Modifies the Registry as follows in order to run the worm when Windows is started:
Creates value "Microsoft Domain Controller"
with data: <system folder>\MSTC.EXE
in registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Opens a listening TCP socket on port 8, attempts to connect to an IRC network, and listens for remote commands. Win32/Nugache.A@mm also attempts to connect to a hard-coded list of IP addresses on the same port and adds port exceptions to the Windows firewall to allow its traffic through.
Creates the registry key HKEY_CURRENT_USER\Software\GNU and uses it to store data pertaining to its connection success on port 8.
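The host-side indicators listed above (the Run value, the dropped mstc.exe, the port 8 listener and outbound connections, and the HKCU\Software\GNU key) can be checked from output that an incident responder would typically collect from a suspect machine. The following Python is an added example, not part of the original description: it parses `reg query` and `netstat -an` text in the format those tools print, and the sample output, file listing and key list it runs on are constructed for illustration, not captured from an infected host.

```python
import re

# Indicators taken from the Win32/Nugache.A@mm description above.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Microsoft Domain Controller"
DROPPED_FILE = "mstc.exe"
GNU_KEY = r"HKEY_CURRENT_USER\Software\GNU"
C2_PORT = 8

# Constructed sample of `reg query <Run key>` output (not from a real host).
SAMPLE_RUN_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Microsoft Domain Controller    REG_SZ    C:\WINDOWS\system32\MSTC.EXE
"""

# Constructed sample of `netstat -an` output (documentation-range addresses).
SAMPLE_NETSTAT = """
  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:8              0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:1044        198.51.100.7:8         SYN_SENT
  UDP    0.0.0.0:123            *:*
"""

# Value lines in reg query output: <indent><name>   REG_<type>   <data>
REG_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")
# Connection rows in netstat -an output: proto, local addr:port, foreign, state
NETSTAT_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)\s*$")


def parse_reg_query(text):
    """Return {value_name: (reg_type, data)} from `reg query` output."""
    values = {}
    for line in text.splitlines():
        m = REG_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def parse_netstat(text):
    """Return (proto, local_port, foreign_address, state) rows from `netstat -an`."""
    rows = []
    for line in text.splitlines():
        m = NETSTAT_LINE.match(line)
        if m:
            rows.append((m.group(1), int(m.group(3)), m.group(4), m.group(5)))
    return rows


def remote_port(foreign):
    """Port of a netstat foreign-address column, or None for '*:*'."""
    _, _, port = foreign.rpartition(":")
    return int(port) if port.isdigit() else None


def triage(run_values, netstat_rows, system_dir_listing, hkcu_keys):
    """Return the Nugache.A indicators present in the supplied host data."""
    findings = []
    for name, (_, data) in run_values.items():
        # Either the documented value name or any Run entry pointing at mstc.exe.
        if name == RUN_VALUE_NAME or data.lower().endswith("\\" + DROPPED_FILE):
            findings.append(f"Run value {name!r} -> {data}")
    for proto, lport, foreign, state in netstat_rows:
        if proto == "TCP" and lport == C2_PORT and state == "LISTENING":
            findings.append(f"TCP listener on port {C2_PORT}")
        elif proto == "TCP" and remote_port(foreign) == C2_PORT:
            # Matches the worm's attempts to reach its hard-coded peers on port 8.
            findings.append(f"outbound TCP to {foreign} ({state})")
    if any(f.lower() == DROPPED_FILE for f in system_dir_listing):
        findings.append(f"{DROPPED_FILE} present in system folder")
    if any(k.lower() == GNU_KEY.lower() for k in hkcu_keys):
        findings.append(f"registry key {GNU_KEY} present")
    return findings


def triage_sample():
    """Run the checks over the constructed sample data."""
    return triage(parse_reg_query(SAMPLE_RUN_QUERY),
                  parse_netstat(SAMPLE_NETSTAT),
                  ["kernel32.dll", "MSTC.EXE"],          # constructed dir listing
                  [r"HKEY_CURRENT_USER\Software\GNU"])   # constructed HKCU subkeys


if __name__ == "__main__":
    for finding in triage_sample():
        print("INDICATOR:", finding)
```

A listener on port 8 is the most reliable of these signals, since nothing legitimate normally binds it; the Run value name is easy for a variant to change, so the check also looks at where each Run entry points rather than only at the name.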
During its mass-mailing routine, Win32/Nugache.A@mm composes the message body from text fragments selected from within the worm's code. Some of the message text includes words or phrases that use strong language or contain racial overtones. The subject line will be one of the following:
sup
heh
lol
whats up
iight
hey there
hi
here
okay
FW:
k, here
hey
The attachment name in the Win32/Nugache.A@mm e-mail will contain a randomly generated date in 2004 or 2005, additional randomly generated values, and one of the following words:
attachment
documents
backup
forwarded
details
The file extension of the Win32/Nugache.A@mm e-mail attachment will be one of the following:
Example attachment name: "(6)documents[8950-19984]_8-15-2004].scr"
The 'From:' address of the Win32/Nugache.A@mm e-mail is spoofed. The falsified address combines one of the following domains:
- yahoo.com
- hotmail.com
- aol.com
- gmail.com
- hush.com
- comcast.net
The username portion of the 'From:' address contains one of the following names:
- john
- earl
- volcom
- phil
- mike
- seth
- jim
- eric
- jeff
- randy
- jeremy
- misfits
The username may be pre-pended with one of the following:
- lil_
- lil_azn
- emo_
- emo_azn
- azn
The username may also be appended with a number from 1 to 99999.
Example username: lil_john851@hotmail.com
Win32/Nugache.A@mm retrieves e-mail addresses from infected systems, sending itself to those addresses as described above. The worm ignores e-mail addresses that contain the following strings:
- bug
- gnu
- icrosof
- indow
- upda
- ource
- dmin
- .mil
- .gov
- buse
- inux
- uppor
- spam
- secur
- ccoun
- bmaste
Win32/Nugache.A@mm may also spread by exploiting certain buffer overrun vulnerabilities and by sending AIM and Windows Messenger contacts a link pointing to a copy of the worm.
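The mailing traits described above (fixed subject lines, the attachment naming scheme, the spoofed 'From:' addresses, and the strings that make the worm skip a harvested address) translate directly into mail-gateway matching rules. The following Python is an added example, not part of the original description or of any vendor signature. The attachment regex is inferred from the single example name on the page, so the optional ']' before the extension is an assumption, and because the page's list of extensions is missing the regex accepts any extension; case-insensitive matching of the skip strings is also an assumption. The sample messages are constructed, not captured mail.

```python
import re

# Subject lines, attachment words, sender parts and the harvesting skip list
# are copied from the Win32/Nugache.A@mm description above.
SUBJECTS = {"sup", "heh", "lol", "whats up", "iight", "hey there", "hi",
            "here", "okay", "FW:", "k, here", "hey"}

# Layout inferred from "(6)documents[8950-19984]_8-15-2004].scr":
# (number) word [number-number] _ M-D-YYYY ] . extension
# Assumptions: the ']' before the extension is optional and the extension is
# unrestricted, since the page's extension list is not available.
ATTACHMENT_RE = re.compile(
    r"^\(\d+\)"
    r"(?:attachment|documents|backup|forwarded|details)"
    r"\[\d+-\d+\]_"
    r"\d{1,2}-\d{1,2}-200[45]"
    r"\]?\.[A-Za-z0-9]+$",
    re.IGNORECASE)

# Optional prefix, one of the listed names, optional number 1-99999, listed domain.
FROM_RE = re.compile(
    r"^(?:lil_azn|lil_|emo_azn|emo_|azn)?"
    r"(?:john|earl|volcom|phil|mike|seth|jim|eric|jeff|randy|jeremy|misfits)"
    r"(?:[1-9]\d{0,4})?"
    r"@(?:yahoo\.com|hotmail\.com|aol\.com|gmail\.com|hush\.com|comcast\.net)$",
    re.IGNORECASE)

SKIP_STRINGS = ("bug", "gnu", "icrosof", "indow", "upda", "ource", "dmin",
                ".mil", ".gov", "buse", "inux", "uppor", "spam", "secur",
                "ccoun", "bmaste")


def worm_would_target(address):
    """True if the worm's harvesting routine would mail this address.

    The page lists the substrings but not the comparison rule; case-insensitive
    matching is an assumption made here."""
    lowered = address.lower()
    return not any(s in lowered for s in SKIP_STRINGS)


def classify_message(sender, subject, attachment_name):
    """Return the Nugache.A mailing traits present in a message, in a fixed order."""
    hits = []
    if FROM_RE.match(sender.strip()):
        hits.append("spoofed-from")
    if subject.strip() in SUBJECTS:
        hits.append("subject")
    if attachment_name and ATTACHMENT_RE.match(attachment_name.strip()):
        hits.append("attachment")
    return hits


def is_nugache_mail(sender, subject, attachment_name):
    """Flag a message when the attachment pattern matches plus at least one other trait.

    Subjects such as "hi" or "here" are far too common to act on alone, and the
    sender pattern can match real accounts; the attachment name is the
    distinctive part, so it is required."""
    hits = classify_message(sender, subject, attachment_name)
    return "attachment" in hits and len(hits) >= 2


# Constructed sample messages (sender, subject, attachment name or None).
SAMPLE_MESSAGES = [
    ("lil_john851@hotmail.com", "sup", "(6)documents[8950-19984]_8-15-2004].scr"),
    ("jim@comcast.net", "hi", None),
    ("alice@example.org", "Q3 report", "report.pdf"),
]


if __name__ == "__main__":
    for sender, subject, attachment in SAMPLE_MESSAGES:
        print(sender, classify_message(sender, subject, attachment),
              "BLOCK" if is_nugache_mail(sender, subject, attachment) else "pass")
    for addr in ("admin@example.com", "webmaster@example.com", "bob@example.com"):
        print(addr, "targeted" if worm_would_target(addr) else "skipped by worm")
```

The skip list is worth keeping in mind when reading incident data: abuse@, security@, admin@ and .gov/.mil mailboxes will not see the worm's mail, so their absence from a sender's recipient list is not evidence that the host is clean.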
Prevention
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with unknown attachments.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Highlight a connection that you want to help protect, and click Change settings of this connection.
Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click System.
Click Automatic Updates, and select Keep my computer up to date.
Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with unknown attachments
Use caution before opening e-mail or IM attachments, even if you know the sender. If you do not know if the specified sender is the actual sender or you suspect that an attachment is not safe, delete the message immediately and run up-to-date antivirus software to check your computer for malicious software.