HOME > VIRUS ALERTS


VIRUS ALERTS

Nurech.A Worm

Original issue date: February 09, 2007

It has been observed that a worm called Nurech.A is spreading widely. The virus seems to be using valentine's day greeting messages for spreading.

It is a mass mailing worm which uses its own SMTP engine. It contains strings with romantic relationship related words in the subject line of the emails to entice innocent users into opening the email. Mails generated by worm contain the copy of the worm in the attachment and does not contain any message in the message body.

The worm deletes the processes containing certain strings related to antivirus software and security tools. It has rootkit functionality through which it is able to hide its own processes.

This worm scans the infected system to collect email addresses to send its copy to innocent users.

Activities of the worm after execution are:

  • Drops a copy of itself with a random name on the desktop of the
    infected system with .exe extension:
  • Drops WINCOM32.SYS, in the Windows system directory. This file belongs to the rootkit Nurech.A.
  • Creates following registry entry:
    HKEY_LOCAL_MACHINE\ SYSTEM\ CurrentControlSet\ Services\ SharedAccess
    Start
  • Contains the romantic relationship related string in the subject line such as:
    Reasons I Love You.
    A Bouquet of Love,
    Baby, Back Together, Between Us
    Cuddle Up, Cyber Love.
    Dancing, Dinner CouponEvening Romance Doing It for You
    Falling In Love with You, Hand in Hand, He Blessed Our Lives, Heart is Breaking, Hold Me (distant love), I Always Knew, I am Complete, I Am Lost In You, I Believe, I Can't Function, I Dream of you Dream Girl, Just You, Just You & Me.
    Kisses.
    Memories, Miracle of Love A Token of My Love, Moonlit, My Heart belongs to you, My Heart is Thinking, My Heart The Miracle of Love Our Love is Strong, My Invitation, My Love Our Love is Free.
    Now and Forever Without Your Love, Now I Know The Kiss.
    Old Together, Only You, Our Love, P.M.S, Passionate Kiss Kiss Coupon, Peek-A-Boo, Pockets of Love Live With Me.
    Red Rose.
    Safe With You, Search for One, Mates, Take My Hand, The Candle's Light, The Dance of Love, The Letter Bewitching Moonlight, The Love Bugs, Thinking about you Forward, This Feeling, Til the End of Time Heart of Mine, Till Morning's Light, You and I Forever
  • Contains the copy of itselt in the email attachment with name such as:
    FLASH POSTCARD.EXE
    GREETING CARD.EXE
    GREETING POSTCARD.EXE
    POSTCARD.EXE
  • Gathers email addresses from the infected system
  • Avoids sending the emails to the email addresses which contains the string GOV and MIL.
  • Terminates processes related to antivirus, security and monitoring applications.

In view of rapid propagation of the worm variants, users are advised to implement following countermeasures:

  • Install and maintain a updated anti-virus software at gateway and desktop level
  • Filter emails with abovementioned subject lines and attachments at the gateway
  • Keep up-to-date on patches and fixes on the operating system and application software
  • Exercise caution while opening email attachments

 

References:

http://www.pandasoftware.com/com/virus_info/encyclopedia/
overview.aspx?idvirus=149000
http://www.c-enter.hu/center/0276613.html


Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information


Phone: +91-11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003