Eng
  1. Skip to navigation
  2. Skip to content
  3. Skip to sidebar


P2P-Worm:W32/Nugg


Aliases:


P2P-Worm:W32/Nugg

Malware
P2P-Worm
W32

Summary

A type of worm that spreads over vulnerable Peer-to-Peer (P2P) networks.



Disinfection & Removal

Automatic Disinfection

Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions.



Technical Details

P2P-Worm:W32/Nugg uses the file-sharing application LimeWire to download malware onto the system. It may also use other file-sharing applications to perform the downloads.


Installation

During installation, the program drops a file with a name created using the following formula:

  • systemdir\[random dll filename]+ "32.dll"

The program then opens the following services and disables them:

  • wscsvc - the Security Center
  • SharedAccess - Windows Firewall/Internet Connection Sharing(ICS)

It will also load the DLLs into the following processes, provided the processes are running:

  • explorer.exe
  • winlogon.exe
  • iexplorer.exe
  • firefox.exe
  • opera.exe
  • chrome.exe

Activity

While active, the worm attempts to connect to the following domains:

  • 85.17.93.190/conn/[...]
  • nolagtime.com/conn/[...]
  • chewinggym.com/conn/[...]

If successfully connected, it will download an XML file. This file contains URLs leading to files that the worm downloads whenever the system matches certain criteria. The downloaded files are encrypted, though the encryption keys are included in the XML file. The files are malicious and include:

  • http://94.75.234.35/data/[...] - Detected as Trojan.Win32.Agent2.crv
  • http://94.75.234.35/thn/[...] - Detected as Trojan-Downloader.WMA.GetCodec.s

If LimeWire is installed on the infected system, it will be used to download the Trojan.Win32.Agent2.crv file. Other file-sharing applications may also perform this function.


Registry

During installation, the program creates the following registry key:

  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\["C:\ drive volume info" + "random number"] value = Dllname data = the dropped file
  • value = Startup data = EventStartup

It also modifies the following registry key as the launchpoint

  • SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows value = AppInit_Dlls data = the dropped file






Submit a sample




Wondering if a file or URL is malicious? Submit a sample to our Lab for analysis via the Sample Analysis System (SAS)

Give And Get Advice




Give advice. Get advice. Share the knowledge on our free discussion forum.