Threat behavior
Worm:Win32/Nuqel.AF is a worm that spreads by copying itself to removable drives. It also modifies various computer settings, such as disabling System Registry tools, hiding files and folders, and terminating processes.
Installation
Worm:Win32/Nuqel.AF drops a copy of itself as one of the following files:
%AppData%\lsass.exe
OR
%AppData%\Thumbs.bd.exe
Note 1 - %AppData% refers to a variable location that the malware determines by querying the operating system. The default location of the Application Data folder for Windows 2000, XP, and Server 2003 is C:\Documents and Settings\<user>\Application Data; for Vista and 7 it is C:\Users\<user>\AppData\Roaming.
Note 2 - A legitimate file also named "lsass.exe" (the Local Security Authority Subsystem) is installed by default in the Windows system folder (%SystemRoot%\System32). The worm's copy is distinguished by its location under %AppData%, not by its name.
The worm modifies the system registry so that its copy starts automatically every time Windows starts (the page also states that it runs when the dropped JPG file "a.s.k.jpg" is opened):
Adds value: "AASSKK2"
With data: "%AppData%\lsass.exe"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Spreads via...
Removable drives
Worm:Win32/Nuqel.AF drops a copy of itself in the root folder of all removable drives, using the following file names:
ask2.exe
a.s.k.jpg.exe
Worm:Win32/Nuqel.AF then writes an autorun configuration file named "autorun.inf" in the drive root, pointing to one of the files listed above. When the removable drive is connected to another computer that honors AutoRun for removable media, the worm is launched automatically. Note that Windows 7 and later, and earlier versions with update KB971029 installed, ignore autorun.inf on non-optical removable media; on those systems the worm only runs if the user opens the dropped executable, which is why the "a.s.k.jpg.exe" name depends on file extensions being hidden.
It also drops a clean (non-malicious) image file named "a.s.k.jpg" to the drive root.
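The following PowerShell script is an added example, not part of the original advisory and not a Microsoft tool. It enumerates removable drives, parses each root autorun.inf for the entries that launch a program (open=, shellexecute=, shell\<verb>\command=), and reports the worm's file names from the list above alongside any other executable an autorun.inf points at. The -Remove switch and the "CHECK"/"WORM" labels are this script's own conventions.

```powershell
# Added example: inspect removable drives for Nuqel-style autorun.inf abuse.
# Run in an elevated PowerShell; pass -Remove to delete the flagged files.
param([switch]$Remove)

# File names the advisory lists for the copies written to removable drives.
$WormNames = @('ask2.exe', 'a.s.k.jpg.exe')

function Get-AutorunTargets {
    # Returns the program targets referenced by an autorun.inf:
    # open=, shellexecute=, and shell\<verb>\command= lines.
    param([string]$Path)
    $targets = @()
    foreach ($line in Get-Content -LiteralPath $Path -Force -ErrorAction Stop) {
        if ($line -match '^\s*(open|shellexecute|shell\\[^\\=]+\\command)\s*=\s*(.+?)\s*$') {
            $targets += $Matches[2].Trim('"')
        }
    }
    return $targets
}

# Win32_LogicalDisk DriveType 2 = removable disk (USB flash drives and the like).
$drives = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2'
foreach ($d in $drives) {
    $root    = $d.DeviceID + '\'
    $inf     = Join-Path $root 'autorun.inf'
    $suspect = @()

    # Copies of the worm by name, whether or not an autorun.inf is present.
    foreach ($n in $WormNames) {
        $p = Join-Path $root $n
        if (Test-Path -LiteralPath $p) { $suspect += $p }
    }

    if (Test-Path -LiteralPath $inf) {
        foreach ($t in Get-AutorunTargets $inf) {
            $leaf = [IO.Path]::GetFileName($t)
            # Any program launched from the drive root deserves a look; the
            # worm's own names are labelled WORM, everything else CHECK.
            $flag = if ($WormNames -contains $leaf) { 'WORM' } else { 'CHECK' }
            Write-Output ('{0} {1}autorun.inf -> {2}' -f $flag, $root, $t)
            if ($flag -eq 'WORM') { $suspect += $inf }
        }
    }

    foreach ($s in ($suspect | Sort-Object -Unique)) {
        Write-Output "Found: $s"
        if ($Remove) {
            # Clear hidden/system/read-only attributes so the delete succeeds.
            (Get-Item -LiteralPath $s -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $s -Force
            Write-Output "Removed: $s"
        }
    }
}
```

Run it without -Remove first and review the CHECK lines: vendor-installed launchers on some USB devices also use autorun.inf, and those should not be deleted on the strength of a name match alone.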
Payload
Modifies computer settings
Worm:Win32/Nuqel.AF makes the following registry modifications. The "CheckedValue" entries are the template values Explorer applies when the corresponding Folder Options checkbox is set, so changing them means the option no longer behaves as the user expects:
- To keep hidden and protected system files hidden, even when the user changes the Folder Options setting:
Adds value: "CheckedValue"
With data: "2"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden
- To disable System Registry Tools:
Adds value: "DisableRegistryTools"
With data: "1"
To subkey: HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
- To keep file extensions hidden, so that "a.s.k.jpg.exe" is displayed as "a.s.k.jpg":
Adds value: "CheckedValue"
With data: "2"
To subkey: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt
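The following PowerShell script is an added example, not part of the original advisory and not a Microsoft tool. It checks a host for the indicators listed in the Installation and Payload sections (the dropped files under %AppData%, the "AASSKK2" Run value, and the three registry values above) and, with the -Fix switch, removes or restores them. PowerShell's registry provider is used deliberately: the DisableRegistryTools policy blocks regedit.exe and the worm terminates it, but the policy does not affect PowerShell. The restore values for the two CheckedValue entries (0 for SuperHidden, 1 for HideFileExt) are the Windows defaults as the author of this example knows them, not values stated on the page; confirm them against a known-clean host of the same build before applying -Fix.

```powershell
# Added example: triage and clean-up of the Nuqel.AF host-side indicators.
# Run in an elevated PowerShell as the affected user; pass -Fix to remediate.
param([switch]$Fix)

$Findings = @()

# 1. Dropped copies in %AppData%. The legitimate lsass.exe lives only in
#    %SystemRoot%\System32, so a file of that name in the user profile is
#    never expected.
foreach ($name in 'lsass.exe', 'Thumbs.bd.exe') {
    $p = Join-Path $env:APPDATA $name
    if (Test-Path -LiteralPath $p) {
        $Findings += "file: $p"
        if ($Fix) {
            # Stop any instance running from this path before deleting it.
            Get-Process | Where-Object { $_.Path -eq $p } | Stop-Process -Force
            (Get-Item -LiteralPath $p -Force).Attributes = 'Normal'
            Remove-Item -LiteralPath $p -Force
        }
    }
}

# 2. Run-key persistence (value name taken from the advisory).
$run = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$v = Get-ItemProperty -Path $run -Name 'AASSKK2' -ErrorAction SilentlyContinue
if ($v) {
    $Findings += "run key: AASSKK2 = $($v.AASSKK2)"
    if ($Fix) { Remove-ItemProperty -Path $run -Name 'AASSKK2' }
}

# 3. Explorer template values and the registry-tools policy.
#    Value = $null means the entry should not exist at all; the other two
#    are ASSUMED Windows defaults (see the note above the script).
$Expected = @(
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\SuperHidden'
       Name = 'CheckedValue'; Value = 0 },
    @{ Key = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\HideFileExt'
       Name = 'CheckedValue'; Value = 1 },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
       Name = 'DisableRegistryTools'; Value = $null }
)
foreach ($e in $Expected) {
    $cur = (Get-ItemProperty -Path $e.Key -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    if ($null -ne $cur -and $cur -ne $e.Value) {
        $Findings += "registry: $($e.Key)\$($e.Name) = $cur (expected $($e.Value))"
        if ($Fix) {
            if ($null -eq $e.Value) {
                Remove-ItemProperty -Path $e.Key -Name $e.Name
            } else {
                Set-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Value -Type DWord
            }
        }
    }
}

if ($Findings.Count -eq 0) { 'No Nuqel.AF indicators found.' } else { $Findings }
```

Because the Run value and the DisableRegistryTools policy are under HKCU, the script only sees the profile it runs in; repeat it for each user account on a shared machine, and re-scan removable media that has been plugged into the host, since the worm will otherwise reinfect it from there.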
Terminates processes
Worm:Win32/Nuqel.AF also attempts to terminate the following processes (the first two are the Windows registry editor and system configuration utility; the last two are not Windows components):
- Regedit.exe
- MSConfig.exe
- Antivirus A.S.K.exe
- RUN.exe
Analysis by Lena Lin
Prevention