W32/Nahata-E Worm

Discussion in 'malware problems & news' started by Paul Wilders, May 21, 2002.

Thread Status:
Not open for further replies.
  1. Paul Wilders

    Name: W32/Nahata-E
    Aliases: I-Worm.Nahata
    Type: Win32 worm
    Date: 21 May 2002

    Description:

    W32/Nahata-E is an intended worm that tries to spread via email, mIRC and Pirch. It drops itself into the root folder of drive C:. It drops the file C:\info.vbs.

    Info.vbs should send the worm to email addresses found in the Outlook address book and overwrite script.ini and events.ini when the computer is restarted. However, it does not work properly. The dropped file info.vbs is already detected by Sophos Anti-Virus as VBS/Cuartel-A.

    W32/Nahata-E sets the registry entries

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\MyID = path to the program

    and

    HKCU\Software\Microsoft\Windows\CurrentVersion\Run\COUNT = 20.

    Each time the worm is run it will decrement the COUNT value stored in the registry. When the value reaches 0 the worm will remove the registry entries.

    Read the analysis at

    www.sophos.com/virusinfo/analyses/w32nahatae.html
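
The Run-key behaviour described in the post can be checked from saved `reg query` output. This is an added example, not part of the original post or of the Sophos analysis. It assumes the text format printed by `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run`; the sample data, the placeholder executable path and the function names are constructed, and the registry type of COUNT is not given in the post, so both string and DWORD displays are accepted.

```python
import re

RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
# One value line of `reg query` output: 4-space indent, name, type, data.
VALUE_LINE = re.compile(r"^ {4}(.+?) {4}(REG_[A-Z_]+) {4}(.*)$")

# Constructed sample; the executable path is a placeholder, not from the post.
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    MyID    REG_SZ    C:\placeholder.exe
    COUNT    REG_SZ    20
"""


def parse_reg_query(text):
    """Return {key_path: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = keys.setdefault(line.strip().lower(), {})
        elif current is not None:
            m = VALUE_LINE.match(line)
            if m:
                current[m.group(1).lower()] = m.group(3)
    return keys


def check_run_key(text):
    """Report the MyID/COUNT pair from the description, or None if absent."""
    values = parse_reg_query(text).get(RUN_KEY, {})
    found = {n: values[n] for n in ("myid", "count") if n in values}
    if not found:
        return None
    runs_left = None
    try:
        # base 0 accepts "20" (string) and "0x14" (reg.exe DWORD display)
        runs_left = int(found.get("count", ""), 0)
    except ValueError:
        pass
    return {
        "path": found.get("myid"),
        "runs_left": runs_left,
        # Both values together match the description; one alone is weak.
        "confidence": "high" if len(found) == 2 else "low",
    }


if __name__ == "__main__":
    print(check_run_key(SAMPLE))
```

Because the entries are removed once COUNT reaches 0, a clean result does not show the program never ran on the machine.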
     