WORM_NITOL.I

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

It executes commands from a remote malicious user, effectively compromising the affected system.

Arrival Details

This worm arrives on a system as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites.

Installation

This worm drops and executes the following files:

• %User Temp%\hrl{random}.tmp <-- also detected as WORM_NITOL.I, deleted afterwards
• %System%\{random}.exe <-- detected as WORM_NITOL.I, copy of hrl{random}.tmp

(Note: %User Temp% is the user's temporary folder, where it usually is C:\Documents and Settings\{user name}\Local Settings\Temp on Windows 2000, Windows Server 2003, and Windows XP (32- and 64-bit); C:\Users\{user name}\AppData\Local\Temp on Windows Vista (32- and 64-bit), Windows 7 (32- and 64-bit), Windows 8 (32- and 64-bit), Windows 8.1 (32- and 64-bit), Windows Server 2008, and Windows Server 2012.. %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It drops the following copies of itself into the affected system:

• %System%\hra33.dll

(Note: %System% is the Windows system folder, where it usually is C:\Windows\System32 on all Windows operating system versions.)

It adds the following mutexes to ensure that only one of its copies runs at any one time:

• National{random} <-- same as registered service name

Autostart Technique

This worm registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry entries:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\National{random}
ImagePath = %System%\{random}.exe

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\National{random}
DisplayName = National{random} Instruments Domain Service

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\National{random}
Description = Provides{random} a domain server for NI security.

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\National{random}
ObjectName = LocalSystem

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\National{random}\Security
Security = {hex value}

It registers its dropped component as a system service to ensure its automatic execution at every system startup. It does this by creating the following registry keys:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\National{random}

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\National{random}\Security

Backdoor Routine

This worm executes the following commands from a remote malicious user:

• Download and execute arbitrary files

It connects to the following URL(s) to send and receive commands from a remote malicious user:

• hxxp://www.{BLOCKED}y.cc/vip48.html

NOTES:

This worm drops a copy of itself in all folders in all physical and removable drives containing an .EXE file using the file name LPK.DLL.

It also connects to different URLs to download and execute a file based from the reply of the C&C.