W32/Nopir

Type: Virus
SubType: P2P Worm
Discovery Date: 04/20/2005
Length: 156658 Bytes
Minimum DAT: 4474 (04/21/2005)
Updated DAT: 4520 (06/23/2005)
Minimum Engine: 5.1.00
Description Added: 04/29/2005
Description Modified: 07/13/2005 4:33 PM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

McAfee products detect this worm as 'Generic Del trojan' using 4474 DATs or later.

There are several variants of this virus. This description is a general guide; newer variants require the latest DATs for detection and cleaning.

This is a Peer-to-Peer worm that also deletes MP3 and COM files on the hard drive.

When executed, the worm tries to copy itself into the INCOMING folder of the P2P software 'EMule' using the filename:

  • AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe

It disables Task Manager and registry editing tools such as REGEDIT, hides the Control Panel and disables System Restore by setting these values in the registry:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools"
    Data: 01, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableTaskMgr"
    Data: 01, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "NoControlPanel"
    Data: 01, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer "DisallowRun"
    Data: 01, 00, 00, 00
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "1"
    Data: wscript.exe
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun "2"
    Data: regedit.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore "DisableSR"
    Data: 01, 00, 00, 00
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\VxD\VxDMon "SystemRestore"
    Data: N

It copies itself to:

  • c:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • c:\Program Files\Restore\vxst.exe

The following two values are added so that the worm is executed each time the system boots:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "securw"
    Data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "Verif"
    Data: C:\Program Files\Restore\vxst.exe

It also changes these file-association keys (the shell\open\command handlers), so that the worm is launched in place of the original handler:

  • HKEY_CLASSES_ROOT\cmdfile\shell\open\command "(Default)"
    Old data: "%1" %*
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_CLASSES_ROOT\comfile\shell\open\command "(Default)"
    Old data: "%1" %*
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_CLASSES_ROOT\piffile\shell\open\command "(Default)"
    Old data: "%1" %*
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_CLASSES_ROOT\regfile\shell\open\command "(Default)"
    Old data: regedit.exe "%1"
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_CLASSES_ROOT\scrfile\shell\open\command "(Default)"
    Old data: "%1" /S
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command
    Old data: %SystemRoot%\System32\WScript.exe "%1" %*
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
    Old data: %SystemRoot%\System32\WScript.exe "%1" %*
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_CLASSES_ROOT\batfile\shell\open\command "(Default)"
    Old data: "%1" %*
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_CLASSES_ROOT\exefile\shell\open\command "(Default)"
    Old data: "%1" %*
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_CLASSES_ROOT\inffile\shell\Install\command "(Default)"
    Old data: %SystemRoot%\System32\rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %1
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe
  • HKEY_CLASSES_ROOT\inffile\shell\open\command "(Default)"
    Old data: %SystemRoot%\System32\NOTEPAD.EXE %1
    New data: C:\Program Files\Projects Visual Studio.NET\Nctrup.exe

It will then delete all MP3 and COM files on the local hard drive, after which the system is no longer able to boot. On Windows NT, 2K and 2K3 you might only see a DOS screen saying "NTDETECT failed".
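As an added defender-side example (not McAfee's tooling or the worm's code), the following Python audits a regedit export for the changes listed above: the hijacked shell\open\command handlers, the lockout policies and the Run entries. The expected handler data, policy names and worm paths are the ones documented on this page; the .reg text in SAMPLE_EXPORT is constructed to imitate an infected host.

```python
# Pre-infection handler data taken from the description; any other (Default) data is a hijack.
EXPECTED_COMMANDS = {r"HKEY_CLASSES_ROOT\%sfile\shell\open\command" % ext: '"%1" %*'
                     for ext in ("exe", "com", "bat", "cmd", "pif")}
EXPECTED_COMMANDS[r"HKEY_CLASSES_ROOT\scrfile\shell\open\command"] = '"%1" /S'
EXPECTED_COMMANDS[r"HKEY_CLASSES_ROOT\regfile\shell\open\command"] = 'regedit.exe "%1"'
POLICIES = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies"
# Policy values the worm sets to DWORD 1 to keep the user away from recovery tools.
LOCKOUT_VALUES = [(POLICIES + r"\System", "DisableRegistryTools"), (POLICIES + r"\System", "DisableTaskMgr"),
                  (POLICIES + r"\Explorer", "NoControlPanel"), (POLICIES + r"\Explorer", "DisallowRun")]
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WORM_PATHS = {r"C:\Program Files\Projects Visual Studio.NET\Nctrup.exe", r"C:\Program Files\Restore\vxst.exe"}

def parse_reg(text):
    """Parse regedit export text into {key: {value_name: data}}; '@' is the (Default) value."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and "=" in line:
            name, data = line.split("=", 1)
            name = "(Default)" if name == "@" else name.strip('"')
            if data.startswith("dword:"):
                data = int(data[6:], 16)
            elif data.startswith('"'):  # undo the .reg escaping of backslashes and quotes
                data = data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
            keys[current][name] = data
    return keys

def audit(text):
    """Return findings for hijacked file handlers, lockout policies and worm Run entries."""
    reg, findings = parse_reg(text), []
    for key, expected in EXPECTED_COMMANDS.items():
        data = reg.get(key, {}).get("(Default)")
        if data is not None and data != expected:
            findings.append("hijacked handler %s -> %s" % (key, data))
    for key, name in LOCKOUT_VALUES:
        if reg.get(key, {}).get(name) == 1:
            findings.append("lockout policy %s set under %s" % (name, key))
    for name, data in reg.get(RUN_KEY, {}).items():
        if data in WORM_PATHS:
            findings.append("persistence Run\\%s -> %s" % (name, data))
    return findings
# Constructed sample export imitating an infected host (not a real capture).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"securw"="C:\\Program Files\\Projects Visual Studio.NET\\Nctrup.exe"
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Program Files\\Projects Visual Studio.NET\\Nctrup.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001"""
```

On a live host, feed `audit()` the decoded text of a `reg export` of HKCR, HKCU and HKLM; the VBS, VBE and INF handlers listed above can be added to EXPECTED_COMMANDS with their documented old data.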

Symptoms

  • MP3 and COM files deleted.
  • System can't boot anymore.
  • When executed, a dialog is displayed (screenshot not reproduced in this text).

Method of Infection

This worm disguises itself as the following file, which can be downloaded manually from the EMule P2P network:

  • AnyDVD 5.1.0.1 Crack+Keygen By Razor.exe

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be removed successfully when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Nopir.A (Symantec)
  • W32/Nopir-B (Sophos)
