virus protection

W32/Nujama.worm!p2p Peer To Peer Worm Virus.Win32.VB.cy W32.Nujama W32/Nujama-A

Tuesday, February 12, 2008

Overview -

W32/Nujama.worm!p2p is a worm which can propagate through network shares, removable drives and peer-to-peer applications.
Aliases

* Virus.Win32.VB.cy

* W32.Nujama

* W32/Nujama-A

Characteristics -

W32/Nujama.worm!p2p is a worm which can propagate through network shares, removable drives and peer-to-peer applications.

* Upon execution, it copies itself into the Windows system directory under the following names:

%Windir%\system32\SystemMonitor.exe
%Windir%\system32\ptsnoop.exe
%Windir%\system32\InfoVersion.exe
%Windir%\system32\commpu.exe
%Windir%\system32\call of duty.exe

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

* Creates the following registry entry so that it runs at system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Sysmon: "%Windir%\system32\SystemMonitor.exe"

* Modifies the following registry keys so that a user cannot view hidden files and file extensions.

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
HideFileExt = "1"

* Drops the following files:

%Windir%\Web\Desktop.ini
%Windir%\Web\Folder.htt
%Windir%\system\oeminfo.ini

* Copies itself into the root folder of all drives (including removable drives and network drives) with the filename Datos de %Computer_Name%.exe
* Copies itself to all the subfolders of these drives with the filename %sub_folder%.exe

(For instance, it copies itself as WINDOWS.exe in the folder c:\WINDOWS and copies itself as system.exe into the folder c:\WINDOWS\system)
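A triage sketch for the file-copy behaviour listed above, added here as an example and not part of the original write-up or any vendor tool. It walks a mounted drive or share read-only, matches the three name patterns the description gives, and groups matches by SHA-256. It assumes the copies are byte-identical (the text says the worm "copies itself"); the function names are hypothetical.

```python
import hashlib
import os
from collections import defaultdict

# File names the write-up lists under %Windir%\system32 (lower-cased).
SYSTEM32_NAMES = {"systemmonitor.exe", "ptsnoop.exe", "infoversion.exe",
                  "commpu.exe", "call of duty.exe"}

def sha256_of(path):
    """Hash a file in chunks so large executables are not loaded whole."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def scan_tree(root):
    """Return {sha256: [(reason, path), ...]} for files whose names match
    one of the patterns in the description. Nothing is modified."""
    root = os.path.abspath(root)
    by_hash = defaultdict(list)
    for dirpath, _dirs, files in os.walk(root):
        folder = os.path.basename(dirpath).lower()
        for name in files:
            low = name.lower()
            if dirpath == root and low.startswith("datos de ") and low.endswith(".exe"):
                reason = "root copy"            # Datos de %Computer_Name%.exe
            elif dirpath != root and low == folder + ".exe":
                reason = "folder-named copy"    # %sub_folder%.exe
            elif folder == "system32" and low in SYSTEM32_NAMES:
                reason = "system32 name"
            else:
                continue
            path = os.path.join(dirpath, name)
            try:
                by_hash[sha256_of(path)].append((reason, path))
            except OSError:
                continue                        # unreadable file: skip it
    return dict(by_hash)

def suspicious_groups(root, min_copies=2):
    """Keep only hashes found at several matching locations. A single
    folder-named .exe is often legitimate; one identical binary under
    many folder-derived names is the pattern worth reviewing."""
    return {h: hits for h, hits in scan_tree(root).items()
            if len(hits) >= min_copies}
```

Run `suspicious_groups` against the root of a removable drive or mapped share; each returned group is one binary together with every matching path it was found at.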

Symptoms -

* Registry key created as described above
* Files created as described above


Method of Infection -

The worm may propagate via Peer-to-Peer Networks, network shares and removable drives.

Removal -
posted by Mandy, 4:18 PM
