Classification

Category: Malware

Type: Worm

Aliases: NiceHello, Worm/NiceHello, I-Worm.Nicehello, W32/Nicehello@MM, W32.Nicehello@mm

Summary

NiceHello is an email worm that harvests email addresses from the user's MSN Messenger contact list. The worm also steals the user's MSN login credentials and sends them to a predefined email address belonging to the virus writer.

Removal

Depending on the settings of your F-Secure security product, it will either move the file to quarantine, where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Spreading through email

NiceHello collects email addresses from the user's MSN Messenger contact list and, using its own SMTP engine, sends infected messages to those addresses.

The worm has several hardcoded messages that it sends with the infected attachment.

Subject: Codigo fuente
Body: Hola, te mando el codigo fuente que te prometi, esta comprimido; ya sabes esto es solo para vos!!. Saludos
Attachment: Codigo.exe

Subject: Mis primeras animaciones
Body: Te mando la primera animacion en flash sobre nuestros amigos; espero tus comentarios, recuerda que es solo para vos
Attachment: Animacion.exe

Subject: parche
Body: El parche del programa que me pediste. Cualquier cosa estoy para ayudarte. recuerda que es solo para vos
Attachment: Parche.exe

Subject: Actualizacion de programa
Body: Recien puedo enviarte la actualizacion, es que tuve mucho trabajo, recuerda que es solo para vos
Attachment: Actualizacion.exe

Subject: Datos ultimo trimistre
Body: Los datos del ultimo trimestre esta en el archivo adjunto, estan comprimidos, recuerda que es solo para vos
Attachment: Datos.exe

Subject: Presentaciones PowerPoint
Body: Las presentaciones en power point que tenia que mandarte, estan comprimidas en el archivo adjunto, recuerda que es solo para vos
Attachment: Presentaciones.exe

Subject: ahora el juego va a funcionar
Body: El parche para el juego que mas te gusta, esta comprimido, recuerda que es solo para vos
Attachment: ParcheJuego.exe

Subject: Fotos ultima fiesta
Body: Hola, como estas, te mando las fotos de la ultima fiesta, por cierto tienes una cara!!!. , recuerda que es solo para vos. bye
Attachment: Fotos.exe

Subject: Video de la ultima reunion de amigos, recuerda que es solo para vos
Body: Hola, te mando el video de la ultima fiesta, no se ve muy bien pero algo es algo, recuerda que es solo para vos
Attachment: Video.exe

Subject: Animaciones en flash de nuestros politicos
Body: Mira las animaciones sobre la clase politica del pais, recuerda que es solo para vos
Attachment: Politicos.exe
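A mail-gateway check for these lures, added here as an example and not part of the F-Secure description. Instead of matching each of the ten subjects, it keys on what all ten messages share (an .exe attachment together with the phrase "es solo para vos" in the body or subject) and also checks the hardcoded attachment names; the sample messages, sender and recipient addresses are constructed for the example.

```python
import email
from email import policy
from email.message import EmailMessage

# What every NiceHello lure shares: a ".exe" attachment and the Spanish phrase
# "es solo para vos" in the body (one variant also puts it in the subject).
LURE_PHRASE = "es solo para vos"
# Attachment names hardcoded in the worm, taken from the description above.
KNOWN_ATTACHMENTS = {
    "codigo.exe", "animacion.exe", "parche.exe", "actualizacion.exe",
    "datos.exe", "presentaciones.exe", "parchejuego.exe", "fotos.exe",
    "video.exe", "politicos.exe",
}

def nicehello_indicators(raw: bytes) -> list[str]:
    """Return the NiceHello indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = (msg["subject"] or "").lower()
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().lower() if body is not None else ""
    names = [(p.get_filename() or "").lower() for p in msg.iter_attachments()]
    found = []
    if LURE_PHRASE in subject or LURE_PHRASE in text:
        found.append("lure phrase")
    if any(n.endswith(".exe") for n in names):
        found.append("exe attachment")
    if any(n in KNOWN_ATTACHMENTS for n in names):
        found.append("known attachment name")
    return found

def is_nicehello(raw: bytes) -> bool:
    """Flag a known attachment name, or the lure phrase travelling with an .exe.
    The second rule also catches copies whose attachment was renamed."""
    found = nicehello_indicators(raw)
    return "known attachment name" in found or (
        "lure phrase" in found and "exe attachment" in found)

def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Construct a test message shaped like the worm's (sample data, not a capture)."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"  # constructed address
    m["To"] = "victim@example.invalid"    # constructed address
    m["Subject"] = subject
    m.set_content(body)
    # Placeholder bytes stand in for the attachment; only its name matters here.
    m.add_attachment(b"MZ-placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```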

System infection

When the worm is run on a clean computer, it copies itself to one of the following directories, depending on the Windows version:

'c:\windows\system'
'c:\winnt\system32'

A reference to this copy is then added to the registry under the Run key as

'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System 64 Driver for Games'

so that the worm is started each time Windows starts.