WORM_NYXEM.E

By sm | October 11, 2006

Installation and Autostart Techniques

Upon execution, this worm drops a non-malicious .ZIP archive named SAMPLE.ZIP in the Windows system folder and opens it. The archive is a decoy: showing the user an ordinary ZIP file masks the malicious routines running underneath.

It also drops several files into specified locations, as follows:

  • %Root%\Temp.htt
  • %System%\scanregw.exe
  • %System%\Update.exe
  • %System%\Winzip.exe
  • %System%\WINZIP_TMP.EXE
  • %Windows%\Rundll16.exe
  • %Windows%\WINZIP_TMP.EXE

(Note: All the dropped .EXE files are copies of this worm. %Root% is the root folder, usually C:\. %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003. %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

It creates the following registry entry to ensure its automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
ScanRegistry = "scanregw.exe /scan"

Note that on Windows 98 this entry already exists and belongs to the legitimate Registry Checker; the worm overwrites its original value, ScanRegistry = "%Windows%\scanregw.exe /autorun", which must be restored rather than deleted during cleanup.

On Windows 2000, XP, and Server 2003, it also drops a copy of itself as WINZIP QUICK PICK.EXE in the Windows startup folder, which serves as a second autostart technique.

After performing the said routine, this worm deletes the file C:\Documents and Settings\All Users\Start Menu\Programs\WinZip Quick Pick.lnk, if present on the system.

On Windows NT, 2000, XP, and Server 2003, it also creates a scheduled task with the Windows Task Scheduler that executes the dropped copy at the 59th minute of every hour after it is dropped. The task is stored as a .JOB file in the %Windows%\Tasks folder, which is a third autostart location to check.

This worm also modifies DESKTOP.INI so that the dropped file TEMP.HTT is executed every time a folder or drive, including a floppy drive, is accessed. It then drops DESKTOP.INI and TEMP.HTT, along with a copy of itself as WINZIP_TMP.EXE, into every available folder and drive, floppy drives included. The dropped files are given the Hidden attribute to avoid easy detection.

Other Registry Modification

This worm hides files that carry both the Hidden and System attributes (the ones Explorer calls "protected operating system files") by modifying the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = "dword:00000000"

(Note: The default value of the said entry is "dword:00000001".)
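The installation artifacts above (the Run key, the dropped copies, the DESKTOP.INI that launches TEMP.HTT) and the ShowSuperHidden change can be triaged offline. The following Python script is an added example, not code from the original page or from the vendor analysis it reproduces. It takes the two registry keys as plain dicts (exported beforehand, so nothing here touches a live registry) and walks a directory root for the file names listed on the page. The function names, the sample tree built in build_sample_tree() and the DESKTOP.INI text in it are constructed assumptions; the page only says DESKTOP.INI makes Explorer run Temp.htt, not what it contains.

```python
"""Offline triage of the WORM_NYXEM.E installation and registry artifacts."""
import os
import tempfile

# Dropped copies of the worm listed on the page, compared case-insensitively.
DROPPED_EXE_NAMES = {
    "scanregw.exe", "update.exe", "winzip.exe", "winzip_tmp.exe",
    "rundll16.exe", "winzip quick pick.exe",
}
WORM_RUN_VALUE = "scanregw.exe /scan"        # Run\ScanRegistry value the worm writes
WIN98_RUN_SUFFIX = "scanregw.exe /autorun"   # tail of the legitimate Windows 98 value


def classify_scanregistry(value):
    """Return 'absent', 'worm', 'win98-default' or 'unknown' for a
    Run\\ScanRegistry value. Any path ending in 'scanregw.exe /autorun'
    is treated as the legitimate Windows 98 entry (assumption)."""
    if value is None:
        return "absent"
    v = " ".join(value.strip().strip('"').lower().split())
    if v == WORM_RUN_VALUE:
        return "worm"
    if v.endswith(WIN98_RUN_SUFFIX):
        return "win98-default"
    return "unknown"


def check_registry(run_values, advanced_values):
    """run_values: HKLM\\...\\CurrentVersion\\Run values as a dict;
    advanced_values: HKCU\\...\\Explorer\\Advanced values as a dict.
    Returns a list of findings."""
    findings = []
    kind = classify_scanregistry(run_values.get("ScanRegistry"))
    if kind == "worm":
        findings.append("Run\\ScanRegistry = 'scanregw.exe /scan': worm autostart; "
                        "restore the /autorun value on Windows 98, delete it elsewhere")
    elif kind == "unknown":
        findings.append("Run\\ScanRegistry has an unexpected value: %r"
                        % run_values["ScanRegistry"])
    if advanced_values.get("ShowSuperHidden", 1) == 0:
        findings.append("Explorer\\Advanced\\ShowSuperHidden = 0 (default 1): "
                        "Hidden+System files are concealed")
    return findings


def is_hidden(path):
    """True when the Windows Hidden attribute is set. os.stat only exposes
    st_file_attributes on Windows, so this is False on other platforms."""
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & 0x2)  # FILE_ATTRIBUTE_HIDDEN


def scan_tree(root):
    """Walk root for dropped worm copies, TEMP.HTT, and any DESKTOP.INI
    that points at Temp.htt. Returns a sorted list of (path, reason)."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            lname = name.lower()
            if lname in DROPPED_EXE_NAMES:
                reason = "dropped worm copy"
                if is_hidden(path):
                    reason += " (Hidden attribute set)"
                hits.append((path, reason))
            elif lname == "temp.htt":
                hits.append((path, "TEMP.HTT payload launched from DESKTOP.INI"))
            elif lname == "desktop.ini":
                try:
                    with open(path, "r", errors="replace") as fh:
                        body = fh.read().lower()
                except OSError:
                    continue
                if "temp.htt" in body:
                    hits.append((path, "DESKTOP.INI references Temp.htt"))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample share: an infected folder plus a clean subfolder.
    The DESKTOP.INI text is an assumption (the page only says it makes
    Explorer run Temp.htt); the .EXE bytes are a placeholder, not malware."""
    root = tempfile.mkdtemp(prefix="nyxem_")
    share = os.path.join(root, "share")
    os.makedirs(os.path.join(share, "clean"))
    samples = {
        os.path.join(share, "WINZIP_TMP.EXE"): b"MZ placeholder",
        os.path.join(share, "Temp.htt"): b"<html></html>",
        os.path.join(share, "Desktop.ini"):
            b"[.ShellClassInfo]\r\nPersistMoniker=file://Temp.htt\r\n",
        os.path.join(share, "clean", "Desktop.ini"):
            b"[.ShellClassInfo]\r\nIconFile=folder.ico\r\n",
        os.path.join(share, "clean", "readme.txt"): b"nothing to see",
    }
    for path, data in samples.items():
        with open(path, "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for line in check_registry({"ScanRegistry": "scanregw.exe /scan"},
                               {"ShowSuperHidden": 0}):
        print("REG :", line)
    for path, reason in scan_tree(build_sample_tree()):
        print("FILE:", path, "->", reason)
```

The registry checks take dicts rather than reading HKLM/HKCU directly so the same logic can be run over an exported hive from an offline disk image; on a live Windows host you would feed it the values read with winreg. scan_tree reports the Hidden attribute only where os.stat exposes it, which is on Windows itself.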

Propagation via Email

This worm propagates by attaching copies of itself to email messages that it sends to harvested target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Because it speaks SMTP directly, it does not depend on a mail client such as Microsoft Outlook being installed or configured on the infected system.

The email message it sends out has the following details:
