Win32/Agent.NCU [Threat Name]

Win32/Agent.NCU [Threat Variant Name]

Category virus,worm
Size 46849 B
Detection created Aug 21, 2006
Detection database version 2054
Aliases Email-Worm.Win32.Mydoom.bq (Kaspersky)
  Trojan.Horse (Symantec)
  W32/Mydoom.gen@MM (McAfee)
Short description

Win32/Agent.NCU is a mass-mailing worm that spreads via e-mail and by copying itself into Kazaa shared folders. The file is run-time compressed using UPX.

Installation

When executed, the worm copies itself into the %windir% folder using the following name:

  • trayicons.exe

The following file is dropped in the same folder:

  • windisk.dll (33792 B)

The following Registry entries are set:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\exefile\shell\open\command]
    • "(Default)" = "%windir%\trayicons.exe" exec "%1" %*
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Classes\scrfile\shell\open\command]
    • "(Default)" = "%windir%\trayicons.exe" exec "%1" /S

These two values hijack the shell "open" command for .exe and .scr files: every time any executable or screen saver is started, trayicons.exe runs first and receives the original program as its argument, so the worm stays active without needing a Run key. The stock values are "%1" %* and "%1" /S; deleting trayicons.exe without restoring them leaves the system unable to start executables.

The following Registry entries are created:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\SYSTEM]
    • "DisableTaskMgr" = 0
    • "DisableRegistryTools" = 1
  • [HKEY_CURRENT_USER\Software\Microsoft\DiskCheck]

DisableRegistryTools = 1 blocks regedit for the current user, which hinders manual inspection and cleanup of the entries above.

The worm loads the windisk.dll library and injects it into the following process:

  • explorer.exe
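
A host-side check for the association hijack described above, added here as an illustration; it is not ESET's code and not part of the worm. The stock command values and the worm's filenames are taken from this description, while the sample values fed to the functions are constructed. On Windows, main() reads the live values through the standard winreg module; on any other system it runs the same logic over the constructed sample.

```python
"""Triage the exefile/scrfile shell-open hijack that Win32/Agent.NCU installs.

Added illustration for this description; not ESET's code and not the worm's.
"""
import ntpath
import platform

# Stock Windows defaults for the two verbs the worm rewrites
# (both live under HKLM\SOFTWARE\Classes).
DEFAULT_OPEN_COMMANDS = {
    r"exefile\shell\open\command": '"%1" %*',
    r"scrfile\shell\open\command": '"%1" /S',
}

# Filenames this description attributes to the worm and its injected DLL.
WORM_FILENAMES = {
    "trayicons.exe", "windisk.dll", "checkmem.exe", "checkdisk.exe",
    "diskscan.exe", "iotemp.dll", "iometer.dll",
}


def launched_program(command: str) -> str:
    """Return the program that a shell-open command line actually starts.

    Windows quotes the program path in double quotes when it may contain
    spaces; otherwise the program ends at the first space.
    """
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end != -1 else command[1:]
    return command.split(" ", 1)[0]


def is_hijacked(command: str) -> bool:
    """True when another program is interposed before the opened file.

    A clean exefile/scrfile command launches the opened file, "%1", directly.
    The worm's value launches %windir%\\trayicons.exe and hands "%1" to it, so
    the launched program is no longer the "%1" placeholder.
    """
    return launched_program(command) != "%1"


def triage(open_commands: dict, windir: str = r"C:\WINDOWS") -> list:
    """Findings for a mapping of relative key -> current default value.

    windir is only used to spell out where the launcher would be found.
    """
    findings = []
    for verb_key, default in DEFAULT_OPEN_COMMANDS.items():
        command = open_commands.get(verb_key)
        if command is None:
            findings.append(f"{verb_key}: default value missing")
            continue
        if not is_hijacked(command):
            continue
        program = launched_program(command)
        findings.append(f"{verb_key}: interposed by {program!r}; restore to {default!r}")
        # The worm's own filename is a strong indicator.  Any other launcher still
        # deserves a look, although some sandbox and AV products wrap exefile too.
        name = ntpath.basename(program).lower()
        if name in WORM_FILENAMES:
            findings.append(
                f"{verb_key}: launcher matches a Win32/Agent.NCU filename "
                f"(expect it at {windir}\\{name})"
            )
    return findings


def read_live_open_commands() -> dict:
    """Read the two default values from the live registry (Windows only)."""
    import winreg  # standard library on Windows, absent elsewhere
    values = {}
    for verb_key in DEFAULT_OPEN_COMMANDS:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, "SOFTWARE\\Classes\\" + verb_key) as key:
            values[verb_key], _type = winreg.QueryValueEx(key, "")
    return values


# Constructed sample: exefile hijacked as described, scrfile still at its default.
SAMPLE_OPEN_COMMANDS = {
    r"exefile\shell\open\command": '"%windir%\\trayicons.exe" exec "%1" %*',
    r"scrfile\shell\open\command": '"%1" /S',
}


def main() -> None:
    commands = read_live_open_commands() if platform.system() == "Windows" else SAMPLE_OPEN_COMMANDS
    for line in triage(commands) or ["no shell-open interposition found"]:
        print(line)


if __name__ == "__main__":
    main()
```

The check deliberately looks at what the command launches rather than comparing against the worm's exact string, so a renamed launcher or a different variant is still reported; the filename match is then layered on top as the high-confidence indicator. Restore the two default values before deleting trayicons.exe, or executables will stop opening.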

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .adb
  • .asp
  • .dbx
  • .htm
  • .php
  • .pl
  • .sht
  • .tbb
  • .txt
  • .wab

The worm also harvests addresses from the Windows Address Book.

Addresses containing any of the following strings are avoided:

  • .edu
  • .gov
  • .mil
  • abuse
  • accoun
  • acketst
  • admin
  • anyone
  • arin.
  • avp
  • berkeley
  • borlan
  • bsd
  • bugs
  • ca
  • certific
  • contact
  • example
  • feste
  • fido
  • foo.
  • fsf.
  • gnu
  • gold-certs
  • google
  • gov.
  • help
  • hotmail
  • iana
  • ibm.com
  • icrosof
  • icrosoft
  • ietf
  • info
  • inpris
  • isc.o
  • isi.e
  • kernel
  • linux
  • listserv
  • math
  • me
  • mit.e
  • mozilla
  • msn.
  • mydomai
  • no
  • nobody
  • nodomai
  • noone
  • not
  • nothing
  • ntivi
  • page
  • panda
  • pgp
  • postmaster
  • privacy
  • rating
  • rfc-ed
  • ripe.
  • root
  • ruslis
  • samples
  • secur
  • sendmail
  • service
  • site
  • soft
  • somebody
  • someone
  • sopho
  • spam
  • spm
  • submit
  • support
  • syma
  • tanford.e
  • the.bat
  • unix
  • usenet
  • utgers.ed
  • webmaster
  • www
  • you
  • your
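
The recipient filter described by the list above, re-implemented as an added illustration; this is not ESET's code and not the worm's own routine. The avoid list is copied from this description with the duplicate "bsd" removed. The e-mail regex and the sample .htm contents are constructed assumptions, since the page does not document how the worm extracts addresses from files.

```python
"""Reproduce the recipient filter applied to harvested e-mail addresses.

Added illustration for this description; not ESET's code and not the worm's.
"""
import re

# Avoid list as given in this description (the duplicate "bsd" collapsed).
AVOID = """
.edu .gov .mil abuse accoun acketst admin anyone arin. avp berkeley borlan bsd
bugs ca certific contact example feste fido foo. fsf. gnu gold-certs google gov.
help hotmail iana ibm.com icrosof icrosoft ietf info inpris isc.o isi.e kernel
linux listserv math me mit.e mozilla msn. mydomai no nobody nodomai noone not
nothing ntivi page panda pgp postmaster privacy rating rfc-ed ripe. root ruslis
samples secur sendmail service site soft somebody someone sopho spam spm submit
support syma tanford.e the.bat unix usenet utgers.ed webmaster www you your
""".split()

# Assumed address matcher; the worm's own extraction routine is not documented here.
EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")


def avoid_reason(address: str):
    """Return the first avoid-list entry found inside the address, else None.

    Matching is a plain case-insensitive substring test over the whole address,
    which is why entries as short as "ca", "me" and "no" exclude far more than
    the abuse, security and vendor mailboxes the list is aimed at.
    """
    low = address.lower()
    for needle in AVOID:
        if needle in low:
            return needle
    return None


def harvest(text: str) -> list:
    """Extract unique addresses from file contents, in order of appearance."""
    seen = []
    for match in EMAIL_RE.finditer(text):
        if match.group(0) not in seen:
            seen.append(match.group(0))
    return seen


def targets(text: str) -> list:
    """Addresses the worm would actually mail to: harvested minus avoided."""
    return [a for a in harvest(text) if avoid_reason(a) is None]


def redundant_entries() -> list:
    """Avoid-list entries already implied by a shorter entry they contain.

    With substring matching, "no" alone covers nobody, noone, nodomai, not and
    nothing, so the list's effective size is smaller than its length suggests.
    """
    return sorted(e for e in AVOID if any(s != e and s in e for s in AVOID))


# Constructed sample standing in for a harvested .htm file.
SAMPLE_HTM = """
<p>Contact: alice@example.com, bob.smith@corp.net, carol@shop.biz</p>
<p>Report problems to abuse@corp.net or security@corp.net.</p>
<p>Thanks to tom@hotmail.com, dave@uni.edu and peter@widgets.io.</p>
"""

if __name__ == "__main__":
    for address in harvest(SAMPLE_HTM):
        reason = avoid_reason(address)
        print(f"{address:22} {'avoided (' + reason + ')' if reason else 'TARGET'}")
    print("redundant avoid entries:", ", ".join(redundant_entries()))
```

Running it on the sample shows the practical effect of the filter: the abuse, security, .edu and hotmail addresses are skipped as intended, but so is carol@shop.biz, purely because "carol" contains "ca". This is the reason honeypot and research mailboxes at vendors rarely receive such samples directly, and also why the worm's own sender-name list (below) is irrelevant to the filter: it is applied to harvested recipients only.
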

The sender address is forged; its local part is taken from the first of the following two lists and its domain from the second:

  • adam
  • alex
  • alice
  • andrew
  • anna
  • bill
  • bob
  • brenda
  • brent
  • brian
  • claudia
  • dan
  • dave
  • david
  • debby
  • fred
  • george
  • helen
  • jack
  • james
  • jane
  • jerry
  • jim
  • jimmy
  • joe
  • john
  • jose
  • julie
  • kevin
  • leo
  • linda
  • maria
  • mary
  • matt
  • michael
  • mike
  • peter
  • ray
  • robert
  • sam
  • sandra
  • serg
  • smith
  • stan
  • steve
  • ted
  • tom

The domain is one of the following:

  • aol.com
  • hotmail.com
  • msn.com
  • yahoo.com

The subject of the message is one of the following:

  • Error
  • hello
  • hi
  • Mail Delivery System
  • Mail Transaction Failed
  • Server Report
  • Status
  • test

The body of the message is one of the following:

  • Mail transaction failed. Partial message is available.
  • test
  • The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment.
  • The message contains Unicode characters and has been sent as a binary attachment.

The attachment is a copy of the worm executable. The base name of the attached file is one of the following:

  • doc
  • text
  • file
  • data
  • test
  • body
  • message
  • hello
  • readme
  • document

A double extension is appended to the base name. The first extension is one of the following:

  • .bat
  • .cmd
  • .doc
  • .exe
  • .htm
  • .pif
  • .scr
  • .txt
  • .zip

The second is one of the following:

  • .exe
  • .pif
  • .scr
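
A gateway-side check for the attachment grammar just described, added as an illustration; it is not ESET's code and not the worm's. The three lists are copied from this description. The wider EXECUTABLE and CONTENT extension sets, and the tolerance for space-padded names, are assumptions that generalise beyond what the page states.

```python
"""Flag attachment names built the way this worm builds them: base + two extensions.

Added illustration for this description; not ESET's code and not the worm's.
"""

# The three lists from which the attachment name is assembled (from this description).
BASE_NAMES = "doc text file data test body message hello readme document".split()
FIRST_EXTENSIONS = ".bat .cmd .doc .exe .htm .pif .scr .txt .zip".split()
SECOND_EXTENSIONS = ".exe .pif .scr".split()

# Generalisation for a gateway rule (an assumption, wider than the worm's lists):
# extensions Windows will execute, and extensions a user reads as harmless content.
EXECUTABLE = {".exe", ".pif", ".scr", ".bat", ".cmd", ".com", ".vbs", ".js"}
CONTENT = {".doc", ".txt", ".htm", ".html", ".zip", ".pdf", ".xls", ".jpg", ".gif"}


def worm_attachment_names() -> list:
    """Every attachment filename the described grammar can produce."""
    return [
        base + first + second
        for base in BASE_NAMES
        for first in FIRST_EXTENSIONS
        for second in SECOND_EXTENSIONS
    ]


def split_double_extension(filename: str):
    """Return (inner_ext, outer_ext) for "name.inner.outer", else None.

    Spaces around the inner extension are discarded so that padding such as
    "readme.txt        .scr" (meant to push the real extension out of view)
    is handled the same as the unpadded form.  The padding tolerance is an
    assumption added here, not something this description reports.
    """
    parts = filename.strip().lower().rsplit(".", 2)
    if len(parts) < 3:
        return None
    inner, outer = parts[1].strip(), parts[2].strip()
    if not inner or not outer:
        return None
    return "." + inner, "." + outer


def is_disguised_executable(filename: str) -> bool:
    """True when a recognised extension is followed by an executable one.

    Requiring the inner token to be a known extension keeps version-style
    names such as "setup.v2.exe" from being flagged.
    """
    exts = split_double_extension(filename)
    if exts is None:
        return False
    inner, outer = exts
    return outer in EXECUTABLE and (inner in CONTENT or inner in EXECUTABLE)


def filter_attachments(filenames: list) -> dict:
    """Partition a list of attachment names into blocked and allowed."""
    blocked = [f for f in filenames if is_disguised_executable(f)]
    allowed = [f for f in filenames if f not in blocked]
    return {"blocked": blocked, "allowed": allowed}


if __name__ == "__main__":
    # Constructed mailbox sample: two worm-style names, two benign ones.
    sample = ["document.txt.exe", "readme.zip   .scr", "setup.v2.exe", "report.pdf"]
    result = filter_attachments(sample)
    print("blocked:", result["blocked"])
    print("allowed:", result["allowed"])
    print(f"{len(worm_attachment_names())} names in the worm's own grammar")
```

The grammar yields 270 distinct filenames, every one of which ends in .exe, .pif or .scr; blocking the double-extension pattern rather than matching the names themselves also catches the obvious variations. Note that the first extension may itself be executable (for example test.exe.scr), so the rule must not assume the inner token is always a document type.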

Spreading via P2P networks

The worm searches for shared folders of the following programs:

  • Kazaa

The executables of the worm are copied there using the following names:

  • activation_crack
  • icq2004-final
  • nuke2004
  • office_crack
  • rootkitXP
  • strip-girl-2.0bdcom_patches
  • winamp5

The filename has one of the following extensions:

  • bat
  • exe
  • pif
  • scr

Other information

The worm may create copies of itself using the following filenames:

  • %windir%\Temp\checkmem.exe
  • %temp%\checkdisk.exe
  • diskscan.exe
  • %windir%\Temp\iotemp.dll
  • %temp%\iotemp.dll
  • iometer.dll

The worm can download and execute a file from the Internet; it contains a list of (6) URLs for this purpose.

It can send various information about the infected computer.
