W32/Nugache@MM

Type
Virus
SubType
Worm
Discovery Date
04/30/2006
Length
177,152 Bytes
Minimum DAT
4752 (05/01/2006)
Updated DAT
5508 (01/27/2009)
Minimum Engine
5.1.00
Description Added
04/30/2006
Description Modified
05/01/2006 9:16 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This worm is an IRC backdoor with the ability to propagate via the following channels:

  • email
  • network shares
  • vulnerabilities
  • AOL instant messenger

Installation

When run, the worm copies itself to the system folder on the victim machine:

  • %WinDir%\SYSTEM32\MSTC.EXE
  • %UserProfile%\APPLICATION DATA\FNTCACHE.BIN

System startup is hooked via addition of the following Registry key:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run "Microsoft Domain Controller" = "MSTC.EXE"

Once running, the worm listens on TCP port 8. This port is used for P2P communication between bots.

The worm creates the following Registry key in order to store various pieces of data:

  • HKEY_CURRENT_USER\Software\GNU

Remote Access Functionality

Once running, the worm provides backdoor functionality on the victim machine. This functionality includes (but is not limited to):

  • launch denial of service attack
  • download and execute remote file
  • run FTP server

Symptoms

  • Victim machine listening on TCP port 8 (bot P2P network)
  • Outgoing traffic from the victim machine to TCP port 8 on several IP addresses (carried within the worm)
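The indicators from the Installation and Symptoms sections above, turned into an offline triage check. This is an added example, not McAfee's tooling; the netstat and registry-export text it parses is constructed sample data, and the listening/outbound pairing on TCP port 8 is the page's own description of the bot P2P traffic.

```python
import re

# Indicators taken from the Installation and Symptoms sections above.
RUN_VALUE = "Microsoft Domain Controller"
RUN_DATA = "MSTC.EXE"
P2P_PORT = 8

# Constructed sample of `netstat -ano` output (not captured from a real host).
SAMPLE_NETSTAT = """\
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:8              0.0.0.0:0              LISTENING       1588
  TCP    192.0.2.10:1044        198.51.100.7:8         ESTABLISHED     1588
  TCP    192.0.2.10:1045        203.0.113.9:80         ESTABLISHED     2100
"""

# Constructed sample of a `reg export` of the Run key (not from a real host).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Domain Controller"="MSTC.EXE"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"""

NETSTAT_RE = re.compile(r"^\s*TCP\s+(\S+):(\d+)\s+(\S+):(\d+)\s+(\w+)\s+(\d+)")

def find_p2p_sockets(netstat_text, port=P2P_PORT):
    """(pid, kind, peer) for each socket matching the Symptoms section:
    a listener on TCP/8 or an outbound connection to a remote TCP/8."""
    hits = []
    for line in netstat_text.splitlines():
        m = NETSTAT_RE.match(line)
        if not m:
            continue
        _laddr, lport, raddr, rport, state, pid = m.groups()
        if state == "LISTENING" and int(lport) == port:
            hits.append((int(pid), "listen", None))
        elif state == "ESTABLISHED" and int(rport) == port:
            hits.append((int(pid), "outbound", raddr))
    return hits

def find_run_key(reg_text, value=RUN_VALUE, data=RUN_DATA):
    """True if the exported Run key carries the worm's startup value."""
    pat = re.compile(rf'^"{re.escape(value)}"="{re.escape(data)}"\s*$', re.M | re.I)
    return pat.search(reg_text) is not None

def triage(netstat_text, reg_text):
    """PIDs that both listen on TCP/8 and connect out to it, plus the Run-key hit."""
    socks = find_p2p_sockets(netstat_text)
    listeners = {p for p, k, _ in socks if k == "listen"}
    outbound = {p for p, k, _ in socks if k == "outbound"}
    return {"run_key": find_run_key(reg_text), "p2p_pids": sorted(listeners & outbound)}
```

On a live host, feed the script the real output of `netstat -ano` and `reg export` of the Run key; a PID in `p2p_pids` together with a Run-key hit should then be checked against the file paths listed under Installation.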


Method of Infection

Email Propagation

The worm contains its own SMTP engine to generate email messages and send itself to recipient email addresses harvested from the victim machine.

The attachment filename will be one of the following:

  • details
  • forwarded
  • backup
  • documents
  • attachment

with one of the following file extensions:

  • .scr
  • .scp.scq.scr

The message body and subject are constructed from various strings carried within the worm's body.

As with other bot families, the worm will not email itself to any email address containing one of several substrings it carries within its body (typically related to law enforcement or security companies).

Messaging Propagation

This is still under investigation, but initial analysis suggests the worm will spread through Windows Messenger and AOL Instant Messenger by sending messages containing a link to itself on the victim machine. An enticing filename is used within this message, for example:

  • self nude.scr
  • my pic.scr

Propagation through Vulnerabilities

The worm is capable of propagating through system vulnerabilities as per other IRC bot families. Vulnerabilities include (but are not limited to):

  • DCOM RPC vulnerability (MS03-026)
  • LSASS vulnerability (MS04-011)

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This detection is for a family of worms that propagate through email, Instant Messaging, network shares and vulnerabilities. The malware also provides backdoor functionality to the hacker - much akin to other IRC bot families (W32/Sdbot.worm).

Aliases

  • W32.Nugache.A@mm (Symantec)
  • Backdoor.Win32.Sdbot.aqy (Kaspersky)