
Virus Detail

Win32/Nuqel.E

Date Published:
4 Oct 2007

Last Updated:
4 Oct 2007

Threat Assessment

Overall Risk:   Low
Wild:  Low
Destructiveness:  Medium
Pervasiveness:  Medium

Characteristics

Type : Worm

Category : Win32

Also known as:  WORM_IMAUT.E (Trend), W32.Imaut.N (Symantec), Worm:Win32/Sohanad.F (MS OneCare), Troj/Tiotua-D (Sophos), W32/YahLover.worm (McAfee)

Immediate Protection Info

Signature    Product                    Removal Instructions
30.4.3400    CA Antivirus 2007
30.4.3400    eTrust Antivirus v7/8*
7.x/3400     eTrust EZ Antivirus 7.x
30.4.3400    Vet 7

Description

Win32/Nuqel.E is a worm that spreads via network shares and sends messages via the chat client Yahoo! Messenger. It also can obfuscate its presence on an affected system and terminate processes.


Method of Infection

When executed, Win32/Nuqel.E copies itself to %Windows%\SVICHOSSST.exe. It also creates a copy of itself at %System%\SVICHOSSST.exe with the System, Hidden and Read-Only attributes set, and creates another file at %System%\autorun.ini.


The worm adds registry entries to ensure it executes on every Windows startup:


HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe SVICHOSSST.exe"
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Yahoo Messengger = "%System%\SVICHOSSST.exe"


It also modifies the registry in order to disable Registry Editor and Task Manager:


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr = 1
HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = 1


Additionally, the worm sets this registry entry to remove the Folder Options from Windows Explorer menus and the Control Panel:


HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoFolderOptions = 1


Nuqel also sets the registry entry below and creates the scheduled task %Windows%\Tasks\At1.job, which runs the copy of the worm at %System%\SVICHOSSST.exe every day at 9:00 AM:


HKLM\SYSTEM\CurrentControlSet\Services\Schedule\AtTaskMaxHours = 0


It deletes all other scheduled jobs created by the 'AT' command (NetScheduleJobAdd).


Note: %System% and %Windows% are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP and Vista it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP and Vista it is C:\Windows.



Method of Distribution

Via Network Shares

Nuqel spreads by enumerating shares listed in:


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares


and copying itself to each share found, using the filenames "New Folder.exe" and "SVICHOSSST.exe". It also copies the file it created earlier at %System%\autorun.ini to the share as "autorun.inf". The worm then traverses the share and copies itself into each subfolder as "<folder name>.exe".


Win32/Nuqel.E may also create the following registry entry, where <location> is one of the infected shares:


HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\WorkgroupCrawler\Shares\share = "<location>\New Folder.exe"


The worm also attempts to infect all removable drives in the same way.



Payload

Backdoor Functionality

Win32/Nuqel.E regularly connects to a host site from which it downloads settings to %System%\setting.ini. Via downloaded settings, the worm can be:


  • instructed to point to another host (the default host is http://gaig0isaigon.t35.com)
  • instructed to download and execute worm updates
  • provided with URL and text messages (later used to send messages via Yahoo! Messenger)

Attempts to Send Messages via Yahoo! Messenger

If Yahoo! Messenger is installed on the affected machine, the worm attempts to use it to periodically send messages. It randomly picks a message from 10 possible templates. Each message contains text and a URL (by default, http://nhatquanglan1.0catch.com) that can be updated. The default messages are:


  • E may, vao day coi co con nho nay ngon lam <URL>
  • Vao day nghe bai nay di ban <URL>
  • Vao day nghe bai nay di ban <URL>
  • Biet tin gi chua, vao day coi di <URL>
  • Trang Web nay coi cung hay, vao coi thu di <URL>
  • Toi di lang thang lan trong bong toi buot gia, ve dau khi da mat em roi? Ve dau khi bao nhieu mo mong gio da vo tan... Ve dau toi biet di ve dau? <URL>
  • Khoc cho nho thuong voi trong long, khoc cho noi sau nhe nhu khong. Bao nhieu yeu thuong nhung ngay qua da tan theo khoi may bay that xa... <URL>
  • Tha nguoi dung noi se yeu minh toi mai thoi thi gio day toi se vui hon. Gio nguoi lac loi buoc chan ve noi xa xoi, cay dang chi rieng minh toi... <URL>
  • Loi em noi cho tinh chung ta, nhu doan cuoi trong cuon phim buon. Nguoi da den nhu la giac mo roi ra di cho anh bat ngo... <URL>
  • Tra lai em niem vui khi duoc gan ben em, tra lai em loi yeu thuong em dem, tra lai em niem tin thang nam qua ta dap xay. Gio day chi la nhung ky niem buon... <URL>

Terminates Processes

Periodically, Win32/Nuqel.E terminates "cmd.exe" and "game_y.exe". It also:


  • Closes any window if its title starts with "System Configuration", "Registry" or "Windows Task"
  • Closes any window if its title starts with "Bkav2006" and deletes the following registry entry:
    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BkavFw
  • Closes any window if its title starts with "[FireLion]", deletes the following registry entry and reboots the machine:
    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\IEProtection


Additional Information

Win32/Nuqel.E changes the affected user's Internet Settings with the following registry modifications:


Sets:
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\MigrateProxy = 1
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable = 0
HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyEnable = 0

Deletes:
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyServer
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\ProxyOverride
HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\AutoConfigURL
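
Added example, not part of the CA advisory: a Python script that parses a regedit export (.reg) taken from a suspect host and reports which of the Win32/Nuqel.E registry indicators from the Method of Infection and Additional Information sections are present. The sample .reg text, the parse_reg and nuqel_indicators names and the indicator labels are constructed here; the Internet Settings values are deliberately not scored, because ProxyEnable = 0 is also the normal state of an unproxied machine and would only produce noise.

```python
import re
# Constructed sample of a regedit export (.reg) from a host, showing entries the advisory lists.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe SVICHOSSST.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"Yahoo Messengger"="C:\\WINDOWS\\system32\\SVICHOSSST.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"AtTaskMaxHours"=dword:00000000
'''
HIVES = {"HKEY_LOCAL_MACHINE": "HKLM", "HKEY_CURRENT_USER": "HKCU", "HKEY_CURRENT_CONFIG": "HKCC"}
VALUE_RE = re.compile(r'"(.*?)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')

def parse_reg(text):
    """Parse a .reg export into {(key, name): value}, keys lower-cased; REG_SZ -> str, REG_DWORD -> int."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = (HIVES.get(hive, hive) + "\\" + rest).lower()
        elif key and (m := VALUE_RE.match(line)):
            name, s, d = m.groups()
            values[(key, name.lower())] = int(d, 16) if d is not None else s.replace("\\\\", "\\")
    return values

# Value-equality indicators from the advisory: (key, value name, value the worm sets, label)
FLAG_INDICATORS = [
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableTaskMgr", 1, "taskmgr_disabled"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1, "regedit_disabled"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer", "NoFolderOptions", 1, "folder_options_hidden"),
    (r"HKLM\SYSTEM\CurrentControlSet\Services\Schedule", "AtTaskMaxHours", 0, "at_task_max_hours_zero"),
]

def nuqel_indicators(values):
    """Return sorted labels of the Win32/Nuqel.E registry indicators present in a parsed export."""
    hits = set()
    shell = values.get((r"hklm\software\microsoft\windows nt\currentversion\winlogon", "shell"))
    # A clean Winlogon Shell is exactly "Explorer.exe"; the worm appends SVICHOSSST.exe to it.
    if isinstance(shell, str) and shell.strip().lower() != "explorer.exe":
        hits.add("winlogon_shell_tampered")
    run = values.get((r"hkcu\software\microsoft\windows\currentversion\run", "yahoo messengger"))
    if isinstance(run, str) and run.lower().endswith("svichossst.exe"):
        hits.add("run_key_svichossst")
    for key, name, bad, label in FLAG_INDICATORS:
        if values.get((key.lower(), name.lower())) == bad:
            hits.add(label)
    return sorted(hits)
```

Export the keys in question from the suspect machine, read the file in place of SAMPLE_REG, and feed parse_reg's result to nuqel_indicators; a tampered Winlogon Shell or the misspelled "Yahoo Messengger" Run value is the strongest signal, while the policy flags can also come from legitimate group policy.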


Analysis by Sonia Sazonova


