Threat behavior
Worm:Win32/Nugache.F is a minor variant of Worm:Win32/Nugache.B. It is a worm that spreads via instant messaging applications and by exploiting vulnerabilities. Win32/Nugache.F may allow an attacker to remotely control an infected computer, host files via HTTP and/or FTP, and run other programs.
Installation
Worm:Win32/Nugache.F is a worm written in Visual C++. It can spread via email, exploits, and the instant message applications AOL Instant Messenger (AIM) and MSN Instant Messenger (MSNIM).
When run, it will:
Copy itself to <system folder>\mstc.exe using the file time stamp from <system folder>\calc.exe.
Launch the dropped copy as a hidden process so that it is not visible in Task Manager.
Create a mutex named "d3kb5sujs50lq2mr" to prevent multiple copies from running.
Register itself to run at each Windows start by adding the following registry value:
Adds value: Microsoft Domain Controller
With data: <system folder>\mstc.exe
To subkeys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Create a variety of values under the registry key HKEY_CURRENT_USER\SOFTWARE\GNU
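As an added example that is not part of the original description, the installation indicators listed above (the "Microsoft Domain Controller" Run value, the mstc.exe path and the HKEY_CURRENT_USER\SOFTWARE\GNU key) can be checked against an exported registry hive. The script below parses a constructed .reg export and reports which indicators are present; the sample export and the benign "ExampleUpdater" entry are constructed for illustration.

```python
import re

# Indicators taken from the Nugache.F description above.
RUN_VALUE_NAME = "Microsoft Domain Controller"
DROPPED_FILE = "mstc.exe"
CONFIG_KEY = r"HKEY_CURRENT_USER\SOFTWARE\GNU"
RUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)

# Constructed .reg export (not from a real infected host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Microsoft Domain Controller"="C:\\WINDOWS\\system32\\mstc.exe"

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Domain Controller"="C:\\WINDOWS\\system32\\mstc.exe"

[HKEY_CURRENT_USER\SOFTWARE\GNU]
"cfg"="0"
"""

def parse_reg_export(text):
    """Parse a .reg export into {key: {value_name: string_data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = re.match(r'^(?:"([^"]*)"|@)=(.*)$', line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            data = m.group(2)
            if data.startswith('"') and data.endswith('"'):
                data = data[1:-1].replace("\\\\", "\\")  # undo .reg escaping
            keys[current][name] = data
    return keys

def find_nugache_indicators(reg_text):
    """Return a list of human-readable hits for the documented indicators."""
    keys = parse_reg_export(reg_text)
    hits = []
    for run_key in RUN_KEYS:
        for name, data in keys.get(run_key, {}).items():
            if name == RUN_VALUE_NAME or data.lower().endswith("\\" + DROPPED_FILE):
                hits.append(f"{run_key}\\{name} -> {data}")
    if any(k == CONFIG_KEY or k.startswith(CONFIG_KEY + "\\") for k in keys):
        hits.append(CONFIG_KEY + " present")
    return hits
```

Running `find_nugache_indicators(SAMPLE_REG)` on the sample reports both Run entries and the GNU key; a host export with none of these returns an empty list.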
Spreads Via…
Instant Messenger Applications
Worm:Win32/Nugache.F can spread via the AIM and MSNIM messaging clients by sending messages to the contacts on the infected user's friends/buddy list. Each message contains a link to a file with one of the following names:
DSC1060193.scr
my pic.scr
self nude.scr
Exploitation of Vulnerabilities
Worm:Win32/Nugache.F may use exploits for the LSASS and ASN.1 vulnerabilities described in MS04-011 and MS04-007, respectively.
Payload
Backdoor Command & Control
It may connect to an IRC server to allow an unauthorized user to remotely control the machine and to host files via HTTP and FTP. It adds exceptions to the Windows Firewall for these servers.
Prevention