WORM_NITOL.A

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It connects to certain URLs. It may do this to remotely inform a malicious user of its installation. It may also do this to download possibly malicious files onto the computer, which puts the computer at a greater risk of infection by other threats. It executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

It deletes the initially executed copy of itself.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops the following file(s)/component(s):

• %System%\hra33.dll - also detected as WORM_NITOL.A

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

• %System%\{Random File Name}.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

Its DLL component is injected to the following process(es):

• SVCHOST.EXE

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• Distssibufil

Autostart Technique

This worm registers itself as a system service to ensure its automatic execution at every system startup by adding the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distssibufil
Type = 10

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distssibufil
Start = 2

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distssibufil
ErrorControl = 0

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distssibufil
ImagePath = %System%\{Random File Name}.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distssibufil
DisplayName = "Distribustax Transactsion Coordinator Service"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distssibufil
ObjectName = "LocalSystem"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\Distssibufil
Description = "Distribuwyadv Transaction Coordinator Service."

Download Routine

This worm connects to the following malicious URLs:

• www.{BLOCKED}y.com:81

It saves the files it downloads using the following names:

• %User Temp%\bpk{Random Characters}cn.exe

(Note: %User Temp% is the current user's Temp folder, which is usually C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, XP, and Server 2003.)

It then executes the downloaded files. As a result, malicious routines of the downloaded files are exhibited on the affected system.

Other Details

This worm deletes the initially executed copy of itself

NOTES:

This worm searches for folders in physical drive where it drop copies of its .DLL component as lpk.dll.