Virus Encyclopedia
Welcome to the Virus Encyclopedia of Panda Security.
Effects
Nugache.M carries out the following actions:
- It logs the keystrokes typed by the user. This way, it could obtain confidential information about the user, such as passwords.
- It disables the Windows XP firewall.
- It connects to an IRC server and waits for the following instructions:
  - Launch denial of service (DoS) attacks.
  - Turn the affected computer into a web server.
  - Connect to an FTP server.
Infection strategy
Nugache.M creates the following files:
Nugache.M creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  Microsoft Domain Controller = mstc.exe
  By creating this entry, Nugache.M ensures that it is run whenever Windows is started.
- HKEY_LOCAL_MACHINE\Software\GNU\Data\[Direction:Port]
  "Direction:Port" is the IP address and port the worm will connect to.
  For each one of these entries it will create four more like this:
  - HKEY_LOCAL_MACHINE\Software\GNU\Data\[Direction:Port]
    S = 00, 00, 00, 00
  - HKEY_LOCAL_MACHINE\Software\GNU\Data\[Direction:Port]
    F = 00, 00, 00, 00
  - HKEY_LOCAL_MACHINE\Software\GNU\Data\[Direction:Port]
    L = 00, 00, 00, 00, 00, 00, 00, 00
  - HKEY_LOCAL_MACHINE\Software\GNU\Data\[Direction:Port]
    P = 00, 00, 00, 00
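The registry entries listed above can be checked for in an offline registry export. The following is an added example, not code from Panda Security; it assumes the hive was exported to text with `reg export` and already decoded to a string, and the sample export (including the 192.0.2.10:8080 peer, a documentation address) is constructed.

```python
import re

RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
PEER_ROOT = "hkey_local_machine\\software\\gnu\\data\\"
PEER_VALUES = {"S", "F", "L", "P"}  # value names listed in the description

# Constructed sample in .reg text form; not taken from a real infection.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ExampleUpdater"="C:\\Program Files\\Example\\updater.exe"
"Microsoft Domain Controller"="mstc.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\GNU\Data\192.0.2.10:8080]
"S"=hex:00,00,00,00
"F"=hex:00,00,00,00
"L"=hex:00,00,00,00,00,00,00,00
"P"=hex:00,00,00,00
'''

def parse_reg_export(text):
    """Return {lower-cased key path: {value name: raw data}} from .reg text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.match(r'"([^"]*)"=(.*)$', line)
            if m:
                current[m.group(1)] = m.group(2)
    return keys

def find_nugache_m_indicators(text):
    """Flag the Run value and the GNU\\Data peer entries described above."""
    findings = []
    for key, values in parse_reg_export(text).items():
        if key == RUN_KEY:
            for name, data in values.items():
                # .reg files escape backslashes; compare only the file name.
                image = data.strip('"').replace("\\\\", "\\").rsplit("\\", 1)[-1]
                if name.lower() == "microsoft domain controller" and image.lower() == "mstc.exe":
                    findings.append(("run_persistence", name, data.strip('"')))
        elif key.startswith(PEER_ROOT) and PEER_VALUES <= {n.upper() for n in values}:
            findings.append(("peer_entry", key[len(PEER_ROOT):], sorted(values)))
    return findings
```

Each `peer_entry` finding carries the address and port stored in the key name, which can be fed into network log searches for the same host.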
Means of transmission
Nugache.M spreads via email. In order to do so, it follows the routine below:
- It reaches the computer in a message with the following characteristics:
  Subject: one of the following:
    k, here
    hey!
    hey
    FW:
    okay
    here
    hi
    hey there
    light
    what up
    lol
    heh
    sup
  Attached file: one of the following:
    SELF NUDE.SCR
    MY PIC.SCR
    DSC1060193.SCR
- When the attached file is run, the computer will be affected by Nugache.M.
Additionally, Nugache.M spreads via instant messaging programs, such as AOL Instant Messenger (AIM) and MSN Messenger.
Further Details
Nugache.M is written in the programming language Visual C++ v7 and is 181,248 bytes in size.