Effects
Nahkos.A carries out the following actions:
- It disables the following items:
  - Folder options from the Windows Explorer, which prevents the user from accessing the configuration menu of the folders.
  - System restore utility, which is used to undo changes in the system and recover previously created restore points.
- It does not display
It uses several techniques in order to make its detection more difficult:
- It hides the files and folders with hidden attributes.
- It hides the extension of the files.
- It hides the operating system files.
- It is programmed to be automatically run every day at 11:30 and 20:30.
Infection strategy
Nahkos.A creates the following files in the Windows directory, which are copies of the worm:
- AUTOPLY.EXE, in the root directory of the C: drive.
- USERINIT.EXE, in the Documents and Settings directory of the user that has logged in.
- SEXGAMELIST.EXE, on the Desktop.
- SVCHOST.EXE, in the subfolder Local Settings\Temp of the Documents and Settings directory of the user that has logged in.
- MSSHARE.EXE, in the subfolder Common Files\Microsoft Shared of the Program Files directory.
- SEXGAME.EXE, SEXGAMELIST.PIF and SEXSCREENSAVER.SCR, in the subfolder XPCode of the Program Files directory.
- OFFICEUPDATE.EXE, in the subfolder Web of the Windows directory.
Additionally, it creates a file called IMPORTANT.HTM in the My Documents directory and on the Desktop. This file belongs the following file:

Nahkos.A creates the following entries in the Windows Registry:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
SoundMax = C:\Documents and Settings\%user%\userinit.exe
where %user% is the user name of the user that has logged in.
By creating this entry, Nahkos.A ensures that it is run whenever Windows is started.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoFolderOptions = 1
It does not display the option Folder options of the Windows Explorer.
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableConfig = 1
- HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore
DisableSR = 1
It disables the system restore utility.
- HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares
New_soft = 43, 53, 43, 46, 6C, 61, 67, 73, 3D, 30, 00, 4D, 61, 78, 55, 73, 65, 73, 3D, 35, 00, 50, 61, 74, 68, 3D, 43, 3A, 5C, 50, 72, 6F, 67, 72, 61, 6D, 20, 46, 69, 6C, 65, 73, 5C, 58, 50, 43, 6F, 64, 65, 00, 50, 65, 72, 6D, 69, 73, 73, 69, 6F, 6E, 73, 3D, 30, 00, 52, 65, 6D, 61, 72, 6B, 3D, 4E, 65, 77, 53, 6F, 66, 74, 77, 61, 72, 65, 73, 00, 54, 79, 70, 65, 3D, 30, 00, 00
By creating this entry, Nahkos.A shares the folder XPCode of the Program Files directory, which contains copies of itself, so that other users of the network can access this folder and get infected.
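The New_soft value is a multi-string of NUL-separated key=value settings describing the share. The following added example (not part of the original write-up) decodes the bytes exactly as listed above and checks whether a share's Path lies in a directory of interest; the function names are hypothetical, and the UTF-16LE branch is an assumption about how an export from a live registry would present the same data.

```python
from pathlib import PureWindowsPath

# Bytes of the New_soft value, copied from the registry listing above.
NEW_SOFT = (
    "43, 53, 43, 46, 6C, 61, 67, 73, 3D, 30, 00, 4D, 61, 78, 55, 73, 65, 73, "
    "3D, 35, 00, 50, 61, 74, 68, 3D, 43, 3A, 5C, 50, 72, 6F, 67, 72, 61, 6D, "
    "20, 46, 69, 6C, 65, 73, 5C, 58, 50, 43, 6F, 64, 65, 00, 50, 65, 72, 6D, "
    "69, 73, 73, 69, 6F, 6E, 73, 3D, 30, 00, 52, 65, 6D, 61, 72, 6B, 3D, 4E, "
    "65, 77, 53, 6F, 66, 74, 77, 61, 72, 65, 73, 00, 54, 79, 70, 65, 3D, 30, "
    "00, 00"
)


def parse_hex_listing(text):
    """Turn a '43, 53, ...' listing into raw bytes."""
    return bytes(int(tok, 16) for tok in text.replace(",", " ").split())


def decode_share(raw):
    """Decode one Shares value into a dict of its key=value strings."""
    # Assumption: live registry data is UTF-16LE (every second byte zero for
    # ASCII text); the write-up prints one byte per character instead.
    wide = len(raw) >= 4 and len(raw) % 2 == 0 and all(b == 0 for b in raw[1::2])
    text = raw.decode("utf-16-le" if wide else "latin-1")
    fields = {}
    for item in text.split("\x00"):
        key, sep, value = item.partition("=")
        if sep:  # skip the empty strings left by the terminating NULs
            fields[key] = value
    return fields


def share_exposes(fields, suspect_dirs):
    """True if the share's Path is one of suspect_dirs or lies beneath one."""
    path = PureWindowsPath(fields.get("Path", ""))  # case-insensitive compare
    dirs = [PureWindowsPath(d) for d in suspect_dirs]
    return any(path == d or d in path.parents for d in dirs)


if __name__ == "__main__":
    share = decode_share(parse_hex_listing(NEW_SOFT))
    for key, value in share.items():
        print(f"{key} = {value}")
    print("exposes XPCode:", share_exposes(share, [r"C:\Program Files\XPCode"]))
```
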
Nahkos.A modifies these entries from the Windows Registry, in order to make its detection more difficult:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 01, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Hidden = 00, 00, 00, 00
It hides the files and folders with hidden attributes.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = 00, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = 01, 00, 00, 00
It hides the extension of the files.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 01, 00, 00, 00
It changes this entry to:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = 00, 00, 00, 00
It hides the files of the operating system.
Means of transmission
Nahkos.A reaches the computer in a file with the default icon of an installer.

Nahkos.A spreads through peer-to-peer (P2P) file sharing programs and removable and mapped drives.
1.- Propagation through P2P programs.
In order to do so, it follows the routine below:
- It creates copies of itself in the shared directories belonging to several P2P programs, such as eMule, ICQ, KaZaA, KMD and LimeWire.
- It uses the following names:
Sex_Game.exe
Sex_ScreenSaver.scr
- Other users of these programs can remotely access these shared directories. This way, they voluntarily download these files to their computers, thinking that they are files related to sex. However, they will actually download a copy of the worm to their computers.
- When the downloaded file is run, such computers will be affected by Nahkos.A.
2.- Propagation through removable and mapped drives.
It makes copies of itself in the removable and mapped drives. Additionally, it creates an AUTORUN.INF file in the C: drive, in order to be automatically run whenever this directory is accessed.
Further Details
Nahkos.A is 135,168 bytes in size.