Effects
Nurech.B carries out the following actions:
- It ends the processes that contain any of the following text strings:
alsys
anti
avg
avp
blackice
firewall
f-pro
hijack
lockdown
mcafee
msconfig
nav
nod32
rav
reged
Registry Editor
spybot
taskmgr
troja
viru
vsmon
zonea
These processes mostly belong to security tools, such as antivirus programs and firewalls, among others.
- It monitors Internet traffic. In order to do so, it registers itself as an LSP (Layered Service Provider). For further information, please refer to the note at the bottom of this section.
- It downloads a variant of the Trojan Alanchum into the computer.
- It has rootkit functionalities, which allow it to hide its own processes.
Note:
LSP (Layered Service Provider) is a Windows feature that is used to listen to all the TCP/IP traffic taking place between the Internet and the applications that access the Internet (such as the web browser, the email client, etc.).
Within this structure a chain of programs is registered, each of which carries out certain actions on the TCP/IP traffic; for example, a computer security program could be registered to analyse the traffic in search of viruses or other threats before passing it on to the application that is its final destination.
However, this structure can also be used by certain malware to intercept communication across the Internet and, what is worse, if such entries are deleted without taking precautions, the Internet connection will stop working indefinitely.
Infection strategy
Nurech.B creates the following files:
- WO.EXE, in the Windows system directory. This file is a copy of the worm.
- PP.EXE, in the Windows directory.
- A file with a random name, on the Desktop.
- WINCOM32.SYS, in the Windows system directory. This file belongs to the rootkit Nurech.A.
- ZU.EXE, in the Windows system directory.
- RSVP32_2.DLL, in the Windows directory.
- MA.EXE, in the Windows system directory. This file belongs to a variant of the Trojan Alanchum.
Nurech.B creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Winsock2\ Buibert
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows
a = 00, 00, 00, 00
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows
g = 00, 00, 00, 00
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows
i = 00, 00, 00, 00
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows
ivs = 04, 00, 00, 00
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows
s = 00, 00, 00, 00
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows
sbt = 00, 00, 00, 00
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows
suid = 1AA9D8B652F44B97B173B39D754F705F
- HKEY_LOCAL_MACHINE\ SOFTWARE\ Microsoft\ Windows
y = 00, 00, 00, 00
- HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Enum\ Root\ LEGACY_WS2IFSL\ 0000\ Control
ActiveService = WS2IFSL
Additionally, it creates the following path with the necessary entries in order to register itself as LSP:
HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ Wincom32
Nurech.B modifies the following entries from the Windows Registry:
- HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ WS2IFSL
Start = 04, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ WS2IFSL
Start = 03, 00, 00, 00
- HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ SharedAccess
Start = 03, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\ SYSTEM\ ControlSet001\ Services\ SharedAccess
Start = 04, 00, 00, 00
- HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ SharedAccess
Start = 03, 00, 00, 00
It changes this entry to:
HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ SharedAccess
Start = 04, 00, 00, 00
By modifying these last entries, Nurech.B disables the firewall included in Windows XP Service Pack 2.
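As a defender-side triage check (an added example, not part of the original description), the script below parses a constructed `reg export` fragment and flags the service state described above: SharedAccess Start=4 (firewall disabled), WS2IFSL Start changed to 3, and the presence of the Services\Wincom32 key. Key paths come from the description; the sample data and the ImagePath value are constructed.

```python
# Constructed sample: a fragment of `reg export` output as it could look on a host
# infected with Nurech.B (key paths and Start values as in the description above).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WS2IFSL]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Wincom32]
"ImagePath"="system32\\wincom32.sys"
"""

# Standard meaning of a service's Start value.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
SERVICES = "hkey_local_machine\\system\\currentcontrolset\\services\\"


def parse_reg(text):
    """Parse .reg text into {key (lowercased): {value name: data}}; dword -> int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            if data.startswith("dword:"):
                value = int(data[len("dword:"):], 16)
            else:
                value = data.strip('"')
            keys[current][name.strip('"')] = value
    return keys


def start_type(keys, service):
    """Return the Start type name of a service, or None if key or value is absent."""
    start = keys.get(SERVICES + service.lower(), {}).get("Start")
    return START_TYPES.get(start) if isinstance(start, int) else None


def nurech_findings(keys):
    """Flag the registry state the description attributes to Nurech.B."""
    findings = []
    if start_type(keys, "SharedAccess") == "disabled":
        findings.append("SharedAccess Start=4: Windows XP SP2 firewall service disabled")
    if start_type(keys, "WS2IFSL") == "manual":
        findings.append("WS2IFSL Start=3: changed from 4, consistent with the LSP hook")
    if SERVICES + "wincom32" in keys:
        findings.append("Services\\Wincom32 key present: LSP/rootkit service registered")
    return findings
```

On a clean host the same checks return an empty list, so the function doubles as a post-cleanup verification that the SharedAccess Start value was restored.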
Means of transmission
Nurech.B spreads via email. It follows the routine below:
- It reaches the computer in an email message with the following characteristics:
Sender:
Nurech.B spoofs the email address from which it is sent. This false address consists of one of the names below followed by a domain:
Aldora, Alysia, Amorita, Anita, April, Ara, Aretina, Barbra, Becky, Bella, Bettina, Blenda, Briana, Bridget, Caitlin, Camille, Cara, Carla, Carmen, Chelsea, Clarissa, Damita, Danielle, Daria, Diana, Donna, Doris, Ebony, Eliza, Emily, Erika, Evelyn, Faith, Gilda, Gloria, Haley, Helga, Holly, Ida, Idona, Isabel, Ivana, Ivory, Janet, Jewel, Joanna, Julie, Juliet, Kacey, Kassia, Katrina, Kara, Laura, Linda, Lisa, Lolita, Lynn, Maia, Mary, Melody, Mimi, Myra, Nadia, Naomi, Natalie, Nicole, Olga, Olivia, Pamela, Peggy, Queen, Rachel, Rae, Rita, Rosa, Ruby, Sandra, Sharon, Silver, Ula, Uma, Valda, Valora, Vanessa, Vicky, Violet, Vivian, Wendy, Willa, Xenia, Xylia, Zenia, Zilya, Zoe.
Subject: it is variable and can be one of the following:
A Valentine Love Song
Be My Valentine
Fly Away Valentine
For My Valentine
Happy Valentine's Day
My Lucky Valentine
My Valentine
My Valentine Heart
My Valentine Sunshine
Send Love On Valentines
The Valentine Love Bug
The Valentines Angel
Valentine Letter
Valentine Love Song
Valentine Sweetie
Valentines Day Dance
Valentines Day is here again
Valentine's Love
Valentine's Night
Your Love on Valentine's
Message: it is empty.
Attachments: one of the following:
FLASH POSTCARD.EXE
GREETING CARD.EXE
GREETING POSTCARD.EXE
POSTCARD.EXE
- The computer is affected when the attached file is run.
- Nurech.B searches for email addresses in files located on the affected computer.
- Nurech.B sends itself out to the addresses it has gathered.
- However, it does not send itself to those addresses that contain any of the following domains:
GOV
MIL
Further Details
Nurech.B is 50,547 bytes in size and it is compressed with PEPACK.