Win32/Nanspy [Threat Name]

Win32/Nanspy.NAD [Threat Variant Name]

Category worm
Size 95744 B
Detection created Nov 09, 2007
Detection database version 2647
Aliases Net-Worm.Win32.Nanspy.ab (Kaspersky)
  W32.Kassbot (Symantec)
Short description

Win32/Nanspy.NAD is a worm that spreads via removable media. It connects to remote machines and tries to exploit the Microsoft Windows DCOM RPC Interface Buffer Overrun Vulnerability. It can be controlled remotely.

Installation

When executed, the worm copies itself into the %system% folder using the following name:

  • mmsvc32.exe

In order to be executed on every system start, the worm sets the following Registry entry:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
    • "Microsoft Network Services Controller" = "%system%\mmsvc32.exe"

The worm creates and runs a new thread with its own program code within the following processes:

  • iexplore.exe

Spreading

The worm copies itself into the root folders of removable drives using the following name:

  • autorun.exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm generates various IP addresses.

It connects to remote machines on TCP port 135 in an attempt to exploit the Microsoft Windows DCOM RPC vulnerability.

This vulnerability is described in Microsoft Security Bulletin MS03-026.

Other information

The worm modifies the following file:

  • %system%\drivers\etc\hosts

The worm writes the following entries to the file:

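As an added example (not from the original page or from ESET), the following Python parses a Windows hosts file and flags the pattern described above: a non-loopback address that several host names have been pinned to. The sample hosts content, the `.example` host names and the 203.0.113.10 address are constructed for the demonstration.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts-file content (not taken from the page). The last
# four lines mimic what a hosts-file pharming entry leaves behind: several
# banking host names pinned to one remote address (203.0.113.10 is a stand-in).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
203.0.113.10    onlinebank.example
203.0.113.10    www.onlinebank.example
203.0.113.10    login.anotherbank.example   # trailing comment
203.0.113.10    www.anotherbank.example
"""

def parse_hosts(text):
    """Map each IP address to the set of host names pinned to it."""
    mapping = defaultdict(set)
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        parts = line.split()
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue  # malformed line, not a hosts entry
        for name in parts[1:]:
            mapping[str(addr)].add(name.lower())
    return dict(mapping)

def suspicious_redirects(mapping, min_names=2):
    """Return {ip: [names]} for non-loopback addresses that at least
    min_names host names resolve to. A clean Windows hosts file maps
    only localhost, so any such fan-in is worth checking against an
    allowlist of the organisation's own internal overrides."""
    findings = {}
    for ip, names in mapping.items():
        addr = ipaddress.ip_address(ip)
        if addr.is_loopback or addr.is_unspecified:
            continue
        if len(names) >= min_names:
            findings[ip] = sorted(names)
    return findings

if __name__ == "__main__":
    for ip, names in suspicious_redirects(parse_hosts(SAMPLE_HOSTS)).items():
        print(f"{ip} <- {', '.join(names)}")
```

To check a live machine, read %SystemRoot%\System32\drivers\etc\hosts into `parse_hosts` instead of the sample text.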

The worm terminates any program that creates a window containing any of the following strings in its name:

  • DBMWin

The worm terminates processes with any of the following strings in the name:

  • ftp.exe
  • tftp.exe

The worm acquires data and commands from a remote computer or the Internet.

It can be controlled remotely.

The HTTP and FTP protocols are used.

The worm contains a list of URLs.


It can execute the following operations:

  • perform DoS/DDoS attacks
  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes

The worm may create the following files:

  • %system%\1.htm
