Latest Threats
Nugache Worm
Written by lifang   
February 20, 2008 15:14

Name: Nugache
Also known as: W32.Nugache.A@mm (Symantec), W32/Nugache@MM (McAfee), Backdoor.Win32.Sdbot.aqy (Kaspersky), Nugache.A@mm
Type: Email, P2P, and IM worm

Discovered: April 30, 2006

Method of Propagation:
The Nugache worm can spread via email, using a variety of subject lines and message text drawn from lists contained in the worm's code. Some of the strings contain strong language and racist tones. The attachment carried by the Nugache email may be named one of the following:

attachment
documents
backup
forwarded
details

The attachment will have one of the following extensions:

.scr
.scp
.scq

The Nugache worm may also spread via AOL Instant Messenger or Windows Messenger. Nugache sends IM contacts a link pointing to a copy of itself. According to antivirus vendor McAfee, the names of the files pointed to may include one of the following:

self nude.scr
my pic.scr

Additionally, Nugache spreads to unpatched computers by exploiting various older vulnerabilities. According to antivirus vendors McAfee and Symantec, these may include:

ASN.1 Library Buffer Overflow Vulnerability (MS04-007)
LSASS Buffer Overrun Vulnerability (MS04-011)
RPC/DCOM Vulnerability (MS03-026)

The Nugache worm opens a backdoor on TCP port 8, attempts to connect to a specific IRC server, and awaits remote commands from the worm's author. According to antivirus vendor Symantec, the IRC backdoor is capable of being used for any of the following:

Perform a denial of service attack
Access an FTP server
Run as a Web server

Symptoms of Infection:
Unauthorized traffic on TCP port 8.

System Impact:
The Nugache worm creates a file named 'mstc.exe' in the Windows system directory. A second file, named 'ftncache.bin' will be created in the user's application data directory.

In order to run when Windows is started, the Nugache worm modifies the HKLM\..\Run key, adding the following value:

"Microsoft Domain Controller" = "%sysdir%\MSTC.EXE"
where %sysdir% is the path to the Windows system directory.

Note: The exact name of the Windows directory and System directory may vary depending on the operating system. By default under Windows XP, this path will be C:\Windows\System32\.
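As an added defender-side example (not part of the original article), the following Python script checks the two host and network indicators listed above: TCP flows involving port 8 in a firewall-style log, and a "Microsoft Domain Controller" value under the Run key that points at MSTC.EXE in a registry export. The log line format, the sample log lines and the .reg excerpt are constructed assumptions for this example, not data from the page.

```python
import re

# Constructed sample log: "date time action proto src dst sport dport" (assumed format).
SAMPLE_FIREWALL_LOG = """\
2008-02-20 10:01:02 ALLOW TCP 192.168.1.20 10.0.0.5 50311 80
2008-02-20 10:01:05 ALLOW TCP 192.168.1.20 203.0.113.9 50312 8
2008-02-20 10:01:07 ALLOW UDP 192.168.1.20 192.168.1.1 50313 53
2008-02-20 10:01:09 ALLOW TCP 198.51.100.4 192.168.1.20 41122 8
"""

# Constructed excerpt of a .reg export of the HKLM Run key (values are assumptions).
SAMPLE_REG_EXPORT = r"""
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
"Microsoft Domain Controller"="C:\\WINDOWS\\System32\\MSTC.EXE"
"""

NUGACHE_PORT = 8                                  # backdoor port from the write-up
NUGACHE_RUN_VALUE = "microsoft domain controller" # Run value name from the write-up
NUGACHE_BINARY = "mstc.exe"                       # dropped file name from the write-up


def find_port8_flows(log_text):
    """Return (src, dst) pairs for TCP flows with port 8 on either end.

    Port 8 carries no legitimate well-known service, so any TCP traffic on it
    is worth a look regardless of direction.
    """
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 8 or parts[3] != "TCP":
            continue
        src, dst, sport, dport = parts[4], parts[5], int(parts[6]), int(parts[7])
        if NUGACHE_PORT in (sport, dport):
            hits.append((src, dst))
    return hits


def find_nugache_run_value(reg_text):
    """Return the path stored in the Run key's 'Microsoft Domain Controller'
    value if it points at MSTC.EXE, otherwise None."""
    in_run_key = False
    for line in reg_text.splitlines():
        if line.startswith("["):
            # Track whether we are inside a ...\CurrentVersion\Run key section.
            in_run_key = line.rstrip("]").lower().endswith(r"\currentversion\run")
            continue
        m = re.match(r'"([^"]+)"="(.*)"$', line)
        if in_run_key and m and m.group(1).lower() == NUGACHE_RUN_VALUE:
            path = m.group(2).replace("\\\\", "\\")  # .reg escapes backslashes
            if path.lower().endswith(NUGACHE_BINARY):
                return path
    return None
```

A hit from either function on a real host is a prompt to run the removal steps below, not proof on its own; confirm with up-to-date antivirus signatures.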

Removal Notes:
Use up-to-date antivirus software to identify the worm's files. Either allow the antivirus software to delete these files or delete them manually. If opting for manual deletion, be sure to also remove the registry modifications made by the worm.