Worm:Win32/Nuj.A
Threat behavior
Worm:Win32/Nuj.A is a worm that copies itself to fixed, removable and network drives. Some variants also terminate antivirus-related processes.
Installation
When run, Win32/Nuj.A may drop a copy of itself as '<system folder>\jun.exe' and then modify the registry so that the copy is executed at each Windows start:
Adds value: "jun"
With data: "<system folder>\jun.exe"
To subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Next, the worm opens an Explorer window showing the directory it was run from. This is a decoy: the user sees the drive open as expected and does not realise that the worm, not the drive, was what they launched. It may also drop the following non-malicious data files:
<system folder>\oeminfo.ini - configuration file
<system folder>\oemlogo.bmp - picture file
Lastly, the worm sets the 'read-only', 'system', 'hidden' and 'archive' attributes on the dropped data files so that they do not appear in a default directory listing.
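The following PowerShell is an added example, not part of the original entry, for checking a suspect machine for the persistence entry and dropped files described above. It assumes '<system folder>' is %SystemRoot%\System32 (the usual case) and should be run from an elevated prompt.

```powershell
# Added example (not from the original page): look for the Win32/Nuj.A
# persistence value and dropped files. Assumes <system folder> is
# %SystemRoot%\System32; change $sysDir if the host differs.
$sysDir = Join-Path $env:SystemRoot 'System32'
$runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'

function Get-NujIndicators {
    $findings = @()

    # 1. A Run value named "jun". Report any such value, but only call it a
    #    match when it points at the documented path.
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    if ($run -and $run.PSObject.Properties['jun']) {
        $target = ($run.jun -replace '"', '').Trim()
        $findings += [pscustomobject]@{
            Indicator = 'Run value "jun"'
            Detail    = $run.jun
            Matches   = $target -ieq (Join-Path $sysDir 'jun.exe')
        }
    }

    # 2. Dropped files. They carry the hidden and system attributes, and
    #    Get-Item / Get-ChildItem skip such files unless -Force is given,
    #    so a plain directory listing misses them.
    foreach ($name in 'jun.exe', 'oeminfo.ini', 'oemlogo.bmp') {
        $path = Join-Path $sysDir $name
        $file = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
        if (-not $file) { continue }
        $detail = 'attrs={0} size={1} mtime={2}' -f $file.Attributes, $file.Length, $file.LastWriteTime
        if ($name -eq 'jun.exe') {
            $detail += ' sha256=' + (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
        }
        $findings += [pscustomobject]@{
            Indicator = $name
            Detail    = $detail
            # oeminfo.ini / oemlogo.bmp are the legitimate OEM branding files on
            # older Windows; only the worm copy itself is a match on its own.
            Matches   = ($name -eq 'jun.exe')
        }
    }
    $findings
}

Get-NujIndicators | Format-Table -AutoSize
```

Two caveats a responder should keep in mind: oeminfo.ini and oemlogo.bmp are exactly the files an OEM ships to populate System Properties, so on a vendor-built machine their presence means nothing without the Run value or jun.exe beside them; and the SHA-256 is printed so the sample can be compared against a known hash or submitted, not because the page lists one.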
Spreads Via
Fixed, Removable & Network Drives
Win32/Nuj attempts to copy itself, as 'jun.exe', to the fixed, removable and network drives attached to the affected machine.
Upon copying itself to a drive, the worm creates a file named 'autorun.inf' in the root of the drive.
The autorun.inf file contains execution instructions that Windows may act on automatically when the drive is inserted or opened in Windows Explorer, so that browsing the drive launches the worm copy.
It should be noted that autorun.inf files on their own are not necessarily a sign of infection, as they are used by legitimate programs and installation CDs.
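Because an autorun.inf by itself proves nothing, the check below (an added example, not code from the original entry) inspects the root of every fixed, removable and network drive and reads the autorun.inf rather than merely noting that it exists. It assumes the documented file name jun.exe; the set of directives it looks for is general to any autorun.inf that launches a program.

```powershell
# Added example (not from the original page): triage drive roots for the
# spreading artefacts. Assumes the worm copy is named jun.exe as documented.

# Directives that make Windows run something. An autorun.inf that carries
# only icon= / label= (a typical install CD) matches none of these.
$execDirective = '^\s*(?<key>open|shellexecute|shell\\[^=\\]+\\command)\s*=\s*(?<value>.+?)\s*$'

function Test-DriveForNuj {
    # Win32_LogicalDisk DriveType: 2 = removable, 3 = fixed, 4 = network
    $drives = Get-CimInstance Win32_LogicalDisk | Where-Object { $_.DriveType -in 2, 3, 4 }
    foreach ($d in $drives) {
        $root       = $d.DeviceID + '\'
        $inf        = Join-Path $root 'autorun.inf'
        $junExe     = Join-Path $root 'jun.exe'
        $directives = @()
        $verdict    = 'clean'

        if (Test-Path -LiteralPath $inf) {
            # -Force reads the file even when the worm has marked it hidden/system
            foreach ($line in Get-Content -LiteralPath $inf -Force) {
                if ($line -match $execDirective) {
                    $directives += '{0}={1}' -f $Matches.key, $Matches.value
                }
            }
            $verdict = if ($directives -match 'jun\.exe') { 'Win32/Nuj' }
                       elseif ($directives) { 'autorun.inf launches a file: review' }
                       else { 'autorun.inf without exec directive (icon/label only)' }
        }
        if (Test-Path -LiteralPath $junExe) { $verdict = 'Win32/Nuj' }

        [pscustomobject]@{
            Drive      = $d.DeviceID
            DriveType  = $d.DriveType
            AutorunInf = Test-Path -LiteralPath $inf
            JunExe     = Test-Path -LiteralPath $junExe
            Directives = ($directives -join '; ')
            Verdict    = $verdict
        }
    }
}

Test-DriveForNuj | Format-Table -AutoSize
```

Where the verdict is Win32/Nuj, remove both files from the drive root (Remove-Item -LiteralPath ... -Force, since they are hidden/system) after the dropped copy in the system folder and the Run value have been dealt with, otherwise the worm simply re-creates them. On Windows 7 and later, and on XP/Vista with the AutoRun update applied, Windows ignores autorun.inf on non-optical drives, so on those systems the file is evidence of a carrier drive rather than a working execution vector.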
Payload
Disables Viewing Hidden Folders
Win32/Nuj may disable viewing hidden file folders by modifying registry data.
Modifies value: CheckedValue
With data: "0"
In subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\ShowAll
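The following added example (not from the original entry) checks that template value and optionally restores it. The stock value is a REG_DWORD of 1; the worm writes 0. Changing the value's type to REG_SZ has the same effect, so the type is checked too.

```powershell
# Added example (not from the original page): verify and restore the
# SHOWALL CheckedValue that Win32/Nuj sets to 0.
$showAll = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL'

function Test-ShowAllTemplate {
    param([switch]$Restore)   # -Restore needs an elevated prompt
    $key = Get-Item -Path $showAll
    if ($key.GetValueNames() -notcontains 'CheckedValue') {
        Write-Warning 'CheckedValue is missing'
        $ok = $false
    } else {
        $value = $key.GetValue('CheckedValue')
        $kind  = $key.GetValueKind('CheckedValue')
        $ok    = ($kind -eq 'DWord') -and ($value -eq 1)
        if (-not $ok) { Write-Warning "CheckedValue is '$value' ($kind); expected DWord 1" }
    }
    if (-not $ok -and $Restore) {
        Set-ItemProperty -Path $showAll -Name CheckedValue -Value 1 -Type DWord
        $ok = $true
    }
    $ok
}

Test-ShowAllTemplate             # report only
# Test-ShowAllTemplate -Restore  # put the stock value back
```

CheckedValue is only the template that Explorer copies into the per-user Hidden value (HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced) when the user ticks "Show hidden files and folders". With the template set to 0, ticking the box writes 0 instead of 1 and the hidden files stay hidden, which is why the worm's dropped files survive a casual search. Restoring the template does not by itself change the user's current setting; re-tick the option, or set that Hidden value to 1, afterwards.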
Terminates Processes
Some variants of this worm may terminate the following processes related to antivirus software:
ravmon.exe
kav.exe
avp.exe
Downloads and Executes Arbitrary Files
Other variants connect to remote sites to download arbitrary files, including updates or additional components.
Analysis by Elda Dimakiling
Prevention
Take these steps to help prevent infection on your computer.