W32.Nujama.B

Once executed, the worm copies itself as the following files:

• %System%\SystemMonitor.exe
• %System%\csrsrss.exe
• ptstnoop.exe
• InfoVersion.exe
• cmmput.exe
• call of duty.exe

It also copies itself as the following file in every folder on the compromised computer:
[FOLDER NAME].exe

It then creates the following files:

• %Windir%\Web\Folder.htt
• %Windir%\Web\Desktop.ini
• %Windir%\system\oeminfo.ini

Next, the worm copies itself to the root directory of every drive as the following file:
Datos de [MACHINE NAME].exe

It then modifies the following registry entries to disable the Task Manager, Registry Editor, System Restore, Windows Firewall, and any antivirus applications running on the compromised computer:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableTaskMgr" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\"DisableRegistryTools" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRestore\"DisableSR" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DisableNotifications" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"EnableFirewall" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile\"DoNotAllowExceptions" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DisableNotifications" = "1"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"EnableFirewall" = "0"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\"DoNotAllowExceptions" = "0"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"UpdatesDisableNotify" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"AntiVirusOverride" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center\"FirewallOverride" = 1"

It also modifies the following registry entries to disable Windows updates:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\"NoAutoUpdate" = "1"
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\"AUOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Group Policy Objects\LocalUser\Software\Microsoft\Windows\CurrentVersion\Policies\WindowsUpdate\"DisableWindowsUpdateAccess" = "1"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\"AUState" = "7"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\"AUOptions" = "1"
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\"HideFileExt" = "1"

The worm then creates the following entries so that it runs when files with .exe, .bat, .pif, .cmd, and .scr extensions are opened:
HKEY_CLASSES_ROOT\exefile\shell\open\command\"(Default)" = "%System%\SystemMonitor.exe "%1" %*"
HKEY_CLASSES_ROOT\batfile\shell\open\command\"(Default)" = "%System%\SystemMonitor.exe "%1" %*"
HKEY_CLASSES_ROOT\comfile\shell\open\command\"(Default)" = "%System%\SystemMonitor.exe "%1" %*"
HKEY_CLASSES_ROOT\piffile\shell\open\command\"(Default)" = "%System%\SystemMonitor.exe "%1" %*"
HKEY_CLASSES_ROOT\cmdfile\shell\open\command\"(Default)" = "%System%\SystemMonitor.exe "%1" %*"
HKEY_CLASSES_ROOT\scrfile\shell\open\command\"(Default)" = "%System%\SystemMonitor.exe "%1" /S"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Sysmon" = "%System%\SystemMonitor.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"Windows Services" = "%System%\csrsrss.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"InfoVersion" = "%System%\InfoVersion.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"SysTemperatureNotRemove" = "%System%\cmmput.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\"hola" = "%System%\call of duty.exe"

It also modifies the following registry entries:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wscsvc\"Start" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv\"Start" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PAVfnsvr\"START" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Pavkre\"START" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PavProc\"START" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PavProt\"START" = "4"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\PavPrSrv\"START" = "4"

It also modifies the following registry entries to change user details:
HKEY_CLASSES_ROOT\CLSID\{460E0A9C-90AA-8CC7-25A0-52A2C5B5EFF42}\"SystemName" = "Microsoft Windows"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\"RegisteredOwner" = "{fEr}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"RegisteredOwner" = "{fEr}"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\"RegisteredOrganization" = "Esto es solo el principio..."
HKEY_CURRENT_USER\Software\Microsoft\Windows\"WindowsConfig" = "EnablePrintersOnLogin"

Next, the worm displays the following fake error message in Spanish:


TITLE: WinZip Self-Extract error!
Ha fallado la descompresion del archivo.
Si fue descargado de internet, puede que
este danado.

It also displays the following message:


TITLE: Soy el titulo
No se me ocurre nada inteligente para poner aqui
...

It copies itself to the following folders if they are present on the compromised computer:

• shared files
• My Grokster
• Shared
• My Shared Folder
• Share
• Received Files
• CD Burning

It uses the following file names when copying itself to the above folders:

• Ana Kournikova Sex Video.exe
• AVP Antivirus Pro Key Crack.exe
• VirtualSex.exe
• Britney Spears Sex Video.exe
• Buffy Vampire Slayer Movie.exe
• Crack Passwords Mail.exe
• Cristina Aguilera Sex Video.exe
• Samsung ALL models unlocker.exe
• Game Cube Real Emulator.exe
• Hentai Anime Girls Movie.exe
• Jenifer Lopez Sex Video.exe
• Matrix Movie.exe
• El rey de los huevones full divx - comprimida.exe
• Mcafee Antivirus Scan Crack.exe
• subseven.exe
• Norton Anvirus Key Crack.exe
• Panda Antivirus Titanium Crack.exe
• PS2 PlayStation Simulator.exe
• Quick Time Key Crack.exe
• Sakura Card Captor Movie.exe
• Mision imposible 3 Game.exe
• Sex Live Simulator.exe
• Sex Passwords.exe
• Spiderman Movie.exe
• Start Wars Trilogy Movies.exe
• Thalia Sex Video.exe
• Winzip KeyGenerator Crack.exe
• aol cracker.exe
• pamela_anderson.exe
• aol password cracker.exe
• divx pro.exe
• GTA 3 Crack.exe
• GTA 3 Serial.exe
• play station one two and three emulator.exe
• virtua girl - adriana.exe
• virtua girl - bailey short skirt.exe
• Virtua Girl (Full).exe
• warcraft 3 crack.exe
• VB6.exe
• warcraft 3 serials.exe
• counter-strike.exe
• delphi.exe
• divx_pro.exe
• HotGirls.exe
• hotmail_hack.exe
• serials2007.exe
• ACDSee 5.5.exe
• Age of Empires 2 crack.exe
• Animated Screen 7.0b.exe
• AOL Instant Messenger.exe
• AquaNox2 Crack.exe
• Audiograbber 2.05.exe
• BabeFest 2007 ScreenSaver 1.5.exe
• Babylon 3.50b reg_crack.exe
• Battlefield1942_bloodpatch.exe
• Battlefield1942_keygen.exe
• Business Card Designer Plus 7.9.exe
• Clone CD 9.0.0.3 (crack).exe
• Clone CD 9.0.0.3.exe
• Coffee Cup Free zip 7.0b.exe
• Metodo crackear hotmail actualizado 30-09-2006.exe
• Cool Edit Pro v2.55.exe
• Nspclean.exe
• Diablo 2 Crack.exe
• DirectDVD 5.0.exe
• DirectX Buster (all versions).exe
• DirectX InfoTool.exe
• DivX Video Bundle 6.5.exe
• Download Accelerator Plus 6.1.exe
• DVD Copy Plus v5.0.exe
• DVD Region-Free 2.3.exe
• FIFA2004 crack.exe
• GetRight 5.0a.exe
• Final Fantasy VII XP Patch 1.5.exe
• Flash MX crack (trial).exe
• FlashGet 1.5.exe
• FreeRAM XP Pro 1.9.exe
• Global DiVX Player 3.0.exe
• Gothic2 licence.exe
• Guitar Chords Library 5.5.exe
• Hitman_2_no_cd_crack.exe
• Hot Babes XXX Screen Saver.exe
• ICQ Pro 2007a.exe
• Windows Stearter Edition crack.exe
• ICQ Pro 2007b (new beta).exe
• iMesh 3.6.exe
• iMesh 3.7b (beta).exe
• IrfanView 4.5.exe
• KaZaA Hack 2.5.0.exe
• KaZaA Speedup 3.6.exe
• Links 2007 Golf game (crack).exe
• Living Waterfalls 1.3.exe
• Mafia_crack.exe
• NBA2007_crack.exe
• Matrix Screensaver 1.5.exe
• MediaPlayer Update.exe
• mIRC 6.40.exe
• mp3Trim PRO 2.5.exe
• MSN Messenger 8.2.exe
• Need 4 Speed crack.exe
• Need 4 Speed Most Wanted Full With Crack.exe
• Nero Burning ROM crack.exe
• Netfast 1.8.exe
• Network Cable e ADSL Speed 2.0.5.exe
• NHL 2004 crack.exe
• Nimo CodecPack (new) 8.0.exe
• PalTalk 5.01b.exe
• Popup Defender 6.5.exe
• Pop-Up Stopper 3.5.exe
• QuickTime_Pro_Crack.exe
• Serials 2004 v.8.0 Full.exe
• SmartFTP 2.0.0.exe
• SmartRipper v2.7.exe
• Space Invaders 1978.exe
• Splinter_Cell_Crack.exe
• Steinberg_WaveLab_5_crack.exe
• Trillian 0.85 (free).exe
• TweakAll 3.8.exe
• Unreal2_bloodpatch.exe
• Unreal2_crack.exe
• UT2004_bloodpatch.exe
• UT2007 full & crack.exe
• UT2004_keygen.exe
• UT2004_no cd (crack).exe
• xbox360 emulator.exe
• UT2004_patch.exe
• WarCraft_3_crack.exe
• Winamp 7.8.exe
• WindowBlinds 4.0.exe
• WinOnCD 4 PE_crack.exe
• WinZip 9.0b.exe
• Yahoo Messenger 6.0.exe
• Zelda Classic 2.00.exe
• Windows XP complete + serial.exe
• Screen saver christina aguilera.exe
• Screen saver christina aguilera naked.exe
• Visual basic 6.exe
• Starcraft serial.exe
• Hotmail Hacker 2007-Xss Exploit.exe
• Credit Card Numbers generator(incl Visa,MasterCard,...).exe
• Edonkey2000-Speed me up scotty.exe
• Security-2007-Update.exe
• Kazaa SDK + Xbit speedUp for 2.xx.exe
• Microsoft KeyGenerator-Allmost all microsoft stuff.exe
• Netbios Nuker 2004.exe
• Stripping MP3 dancer+crack.exe
• Visual Basic 6.0 Msdn Plugin.exe
• Windows Xp Exploit.exe
• WinRar 3.xx Password Cracker.exe
• WinZipped Visual C++ Tutorial.exe
• XNuker 2004 2.93b.exe
• cable modem ultility pack.exe
• cracker to ALL software.exe
• macromedia dreamweaver key generator.exe
• Macromedia all software key generator
• Crackeador de TODOS los programas.exe
• winamp plugin pack.exe
• winzip full version key generator.exe
• PerAntivirus 8.9.exe
• The Hacker Antivirus 5.7.exe

It executes the following command to collect the machine information and stores the result in the file %Windir%\sfoundfiles.txt:
cmd.exe /c systeminfo

Note: The collected information may be compressed as a .zip or .rar file and sent to the remote attacker.

It also deletes the following files:

• msconfig.exe
• drwatson.exe
• regedit.exe
• sysedit.exe
• regedt32.exe
• taskmgr.exe

It may end security-related processes that contain the following title in the window:

• Virus
• Avast
• Norton
• McAfee
• NOD32
• Clean
• Remover
• Spyware
• Panda
• AntiVirus
• virus
• avast
• norton
• mcafee
• nod32
• clean
• remover
• spyware
• panda
• antiVirus
• VIRUS
• AVAST
• NORTON
• MCAFEE
• CLEAN
• REMOVER
• SPYWARE
• PANDA
• ANTIVIRUS
• Kaspersky
• kaspersky
• KASPERSKY
• SCAN
• Scan
• scan

It may end processes if the process name contains one of the following strings:

• avp32.exe
• avpmon.exe
• zonealarm.exe
• vshwin32.exe
• navnt.exe
• mpftray.exe
• lockdown2000.exe
• icssuppnt.exe
• icload95.exe
• iamapp.exe
• findviru.exe
• f-agnt95.exe
• fih32
• dv95_o.exe
• claw95ct.exe
• cfiaudit.exe
• avwupd32.exe
• avptc32.exe
• _avp32.exe
• avgctrl.exe
• apvxdwin.exe
• _avpcc.exe
• avpcc.exe
• wfindv32.exe
• vsecomr.exe
• tds2-nt.exe
• sweep95.exe
• EFINET32.EXE
• scrscan.exe
• safeweb.exe
• persfw.exe
• navsched.exe
• nvc95.exe
• nisum.exe
• navlu32.exe
• ALOGSERV
• AMON9X
• AVGSERV9
• AVGW
• avkpop
• avkservice
• AvkServ
• AVXMONITOR9X
• AVXMONITORNT
• AVXQUAR
• moolive.exe
• jed.exe
• icsupp95.exe
• ibmavsp.exe
• frw.exe
• f-stopw.exe
• TFAK
• espwatch.exe
• procexp
• filemon.exe
• regmon.exe
• dvp95.exe
• cfiadmin.exe
• avwin95.exe
• avpm.exe
• avp.exe
• ave32.exe
• anti-trojan.exe
• webscan.exe
• webscanx.exe
• vsscan40.exe
• tds2-98.exe
• SymProxySvc
• SYMTRAY
• TAUMON
• TCM
• TDS-3
• vbcmserv
• VbCons
• VIR-HELP
• VPC32
• VPTRAY
• VSMAIN
• vsmon
• WIMMUN32
• WGFE95
• WEBTRAP
• WATCHDOG
• WrAdmin
• fameh32
• sphinx.exe
• scanpm.exe
• rescue.exe
• pcfwallicon.exe
• pavcl.exe
• nupgrade.exe
• navwnt.exe
• navapw32.exe
• luall.exe
• iomon98.exe
• icmoon.exe
• fprot.exe
• f-prot95.exe
• esafe.exe
• cleaner3.exe
• IBMASN.EXE
• AVXW
• cfgWiz
• CMGRDIAN
• CONNECTIONMONITOR
• CPDClnt
• DEFWATCH
• CTRL
• defalert
• defscangui
• DOORS
• EFPEADM
• ETRUSTCIPE
• EVPN
• EXPERT
• fch32
• blackice.exe
• avsched32.exe
• avpdos32.exe
• avpnt.exe
• avconsol.exe
• ackwin32.exe
• NWTOOL16
• pccwin97
• PROGRAMAUDITOR
• POP3TRAP
• PROCESSMONITOR
• PORTMONITOR
• POPROXY
• pcscan
• pcntmon
• pavproxy
• PADMIN
• pview95
• rapapp.exe
• REALMON
• RTVSCN95
• vsstat.exe
• vettray.exe
• tca.exe
• smc.exe
• scan95.exe
• rav7win.exe
• pccwin98.exe
• KPFW32.EXE
• ADVXDWIN
• padmin.exe
• normist.exe
• navw32.exe
• n32scan.exe
• lookout.exe
• iface.exe
• icloadnt.exe
• SPYXX
• SS3EDIT
• SweepNet
• iamserv.exe
• fp-win.exe
• f-prot.exe
• ecengine.exe
• cleaner.exe
• cfind.exe
• blackd.exe
• RULAUNCH
• sbserv
• SWNETSUP
• avpupd.exe
• avkserv.exe
• autodown.exe
• _avpm.exe
• FPROT95.EXE
• offguard.exe
• pav.exe
• pavmail.exe
• per.exe
• perd.exe
• pertsk.exe
• perupd.exe
• pervac.exe
• pervacd.exe
• th.exe
• th32.exe
• th32upd.exe
• thav.exe
• thd.exe
• thd32.exe
• thmail.exe
• alertsvc.exe
• amon.exe
• kpf.exe
• antivir
• avsynmgr.exe
• cfinet.exe
• cfinet32.exe
• icmon.exe
• pview95.exe
• lockdownadvanced.exe
• lucomserver.exe
• navapsvc.exe
• navrunr.exe
• nisserv.exe
• nsched32.exe
• pcciomon.exe
• pccmain.exe
• Avnt.exe
• Claw95cf.exe
• Dvp95_0.exe
• Vscan40.exe
• Icsuppnt.exe
• Jedi.exe
• N32scanw.exe
• Pavsched.exe
• Pavw.exe
• Avrep32.exe
• Monitor.exe
• fsgk32
• fsm32
• fsma32
• fsmb32
• gbmenu
• GBPOLL
• GENERICS
• GUARD
• IAMSTATS
• ISRV95
• ATCON
• LDPROMENU
• LDSCAN
• LUSPT
• MCMNHDLR
• MCTOOL
• MCUPDATE
• MCVSRTE
• MGHTML
• MINILOG
• MCVSSHLD
• MCAGENT
• MPFSERVICE
• NeoWatchLog
• NVSVC32
• NWService
• NTXconfig
• NTVDM
• ntrtscan
• npssvc
• npscheck
• netutils
• ndd32
• NAVENGNAVEX15
• notstart.exe
• zapro.exe
• pqremove.com
• BullGuard
• CCAPP.EXE
• vet98.exe
• VET32.EXE
• VCONTROL.EXE
• claw95.exe
• ANTS
• ATUPDATER
• ATWATCH
• AutoTrace
• AVGCC32
• AvgServ
• AVWINNT
• fnrb32
• fsaa
• fsav32
• ZAP.EXE
• ZAPD.EXE
• ZAPPRG.EXE
• ZAPS.EXE
• ZCAP.EXE
• pfwcon.exe
• ashDisp.exe
• ashQuick.exe
• ashAvast.exe
• nod32kui.exe

It may retrieve scripts from the following URLs and execute them:
[http://]u5baf2cc0b.iespana.es/qwert[REMOVED]
[http://]u5baf2cc0b.iespana.es/ytrew[REMOVED]