Method of Infection
When executed, Win32/Naigord.A copies itself to the %System% directory as "ali.exe", then sets the following registry entries to allow it to run at every system startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\andk = "%System%\ali.exe"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\*andk = "%System%\ali.exe"
HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}\StubPath = "%System%\ali.exe"
Note: %System% is a variable location. The malware determines the location of the current System folder by querying the operating system. The default System directory is C:\Winnt\System32 on Windows 2000 and NT, C:\Windows\System on Windows 95, 98 and ME, and C:\Windows\System32 on Windows XP.
Win32/Naigord.A injects itself into other running processes, potentially allowing it to continue running on the system even if its main executable is terminated.
Method of Distribution
Via Email
Win32/Naigord.A usually arrives as a .zip file attached to an email. The worm spoofs the From address so that the email appears to have been sent from postcards@hallmark.com.
The worm harvests email addresses by scanning all local drives for files with the following extensions:
- .wab
- .pl
- .adb
- .tbb
- .dbx
- .asp
- .php
- .shtl
- .htm
- .txt
Naigord then sends the spam email to the harvested email addresses using its own SMTP engine.
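The delivery pattern described above (a ZIP attachment, a From header claiming postcards@hallmark.com) can be checked at the mail gateway. The following is an added example and not part of the original analysis: it builds a constructed message in memory with a placeholder ZIP that holds a single executable, then parses it the way a gateway filter would. The recipient address, subject line, attachment name and the list of executable extensions are assumptions for the demo, not details from the write-up.

```python
"""Mail-gateway style check for the Naigord delivery pattern (added example)."""
import io
import zipfile
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Address spoofed by the worm according to the write-up.
SPOOFED_SENDER = "postcards@hallmark.com"
# General list of executable extensions worth flagging inside an archive
# (assumption for the demo; the write-up itself only mentions ali.exe).
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat")


def build_sample_message():
    """Construct the demo e-mail as raw bytes. Not a real capture."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        # Placeholder bytes only; nothing here is the real dropper.
        zf.writestr("ali.exe", b"MZ" + b"\x00" * 14)
    msg = EmailMessage()
    msg["From"] = "Hallmark <postcards@hallmark.com>"   # the spoofed address
    msg["To"] = "user@example.org"                      # constructed recipient
    msg["Subject"] = "You have received a postcard"     # constructed subject
    msg.set_content("Open the attached file to view your postcard.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="postcard.zip")
    return msg.as_bytes()


def zip_member_names(payload):
    """Return the file names inside a ZIP payload, or [] if it is not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(payload)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []


def triage_message(raw):
    """Return human-readable findings for one raw RFC 822 message."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    findings = []

    from_header = msg["From"]
    from_addr = from_header.addresses[0].addr_spec.lower() if from_header else ""
    if from_addr == SPOOFED_SENDER:
        findings.append(f"From header claims {SPOOFED_SENDER} "
                        "(address the worm is known to spoof)")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        members = zip_member_names(part.get_payload(decode=True))
        exes = [m for m in members if m.lower().endswith(EXECUTABLE_SUFFIXES)]
        if exes:
            findings.append(f"zip attachment {name} contains executable(s): "
                            + ", ".join(exes))
    return findings


if __name__ == "__main__":
    for finding in triage_message(build_sample_message()):
        print(finding)
```

The From match on its own is a weak signal, since genuine mail from that domain would match it too; the finding to act on is an executable inside the ZIP, with the spoofed sender as corroboration.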
Payload
Drops Files
Win32/Naigord.A drops the file "Message" in the %Temp% directory and displays the content using the default text viewer (usually "notepad.exe"). It deletes this file once the user closes the pop-up message.
Note: %Temp% is a variable location and refers to the directory designated for temporary files. The malware determines the location of the current Temp folder by querying the operating system. A typical path is "C:\Documents and Settings\<username>\Local Settings\Temp", or "C:\WINDOWS\TEMP".
Downloads and Executes Arbitrary Files
The worm attempts to connect to the following hosts and download files from them:
- www.love.com
- www.sex.com
- qualysguard.org
- qualys.serveblog.net
- qualys.thruhere.net
Steals Sensitive Information
Naigord.A attempts to gather sensitive system information such as:
- Time and date of first execution
- Country
- IP address
- Operating system
- Memory and CPU speed
- Browser history
- Network information
It attempts to report the collected information to the server at love.com.
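The download hosts listed under "Downloads and Executes Arbitrary Files" and the reporting server named here are the network indicators a defender would search proxy logs for. The following is an added example, not part of the original analysis: it runs a host-match over a constructed proxy log. The log line layout (timestamp, client, method, URL) and the benign and subdomain entries in it are assumptions for the demo and would need adapting to a real proxy's format.

```python
"""Proxy-log sweep for the Naigord network indicators (added example)."""
from urllib.parse import urlsplit

# Hosts taken from the write-up: download sources plus the reporting server.
NAIGORD_HOSTS = {
    "www.love.com", "www.sex.com", "qualysguard.org",
    "qualys.serveblog.net", "qualys.thruhere.net", "love.com",
}

# Constructed sample log: two benign requests, three touching listed hosts
# (cdn.qualysguard.org is a made-up subdomain to show parent-domain matching).
SAMPLE_PROXY_LOG = """\
2004-02-10T09:12:01Z 10.0.0.15 GET http://www.example.com/index.html
2004-02-10T09:12:07Z 10.0.0.15 GET http://qualys.serveblog.net/get/update.exe
2004-02-10T09:13:44Z 10.0.0.22 POST http://love.com/report.php
2004-02-10T09:14:02Z 10.0.0.22 GET https://update.microsoft.com/
2004-02-10T09:15:30Z 10.0.0.31 GET http://cdn.qualysguard.org/x
"""


def host_matches(host, indicators=NAIGORD_HOSTS):
    """True if host equals an indicator or is a subdomain of one (case-insensitive)."""
    host = host.lower().rstrip(".")
    return any(host == ind or host.endswith("." + ind) for ind in indicators)


def parse_line(line):
    """Split one log line of the assumed layout into fields plus the URL's host."""
    ts, client, method, url = line.split(" ", 3)
    return {"ts": ts, "client": client, "method": method, "url": url,
            "host": urlsplit(url).hostname or ""}


def find_naigord_requests(log_text):
    """Return parsed records whose host matches a Naigord indicator."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        if host_matches(rec["host"]):
            hits.append(rec)
    return hits


if __name__ == "__main__":
    for rec in find_naigord_requests(SAMPLE_PROXY_LOG):
        print(rec["ts"], rec["client"], rec["method"], rec["url"])
```

Matching on the parent domain rather than the exact string catches hosts such as www.love.com under love.com, but the two generic domains on the list (love.com, sex.com) will also produce unrelated traffic, so hits against them are a prompt to look at the client, not a verdict by themselves.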
Backdoor Functionality
The worm has backdoor functionality through which its controller may instruct it to:
- Start command prompt
- Check for internet connectivity
- Start/stop/upload files to an FTP server
- Open an internet browser in the background
- Initiate WinVNC3, a legitimate remote desktop program, and hide it by disabling the tray icon
Modifies Registry
Win32/Naigord.A adds the following registry entries:
HKCU\Software\Microsoft\remove = "an"
HKCU\Software\Microsoft\Windows\CurrentVersion\ofk = "1"
HKCU\Software\Microsoft\Windows\CurrentVersion\bnhide = "3048|ali.exe|andk|443|x|"
Executes Files
The worm may try to execute various files on the system. It enumerates all running processes and retrieves their details, and executes any file in the user's %Temp% folder whose name matches the format "xTemp_xx.exe", where each "x" is a random letter.
Win32/Naigord.A also searches for and attempts to execute the files at %Root%\Program.exe and %Program Files%\internet.exe, if they exist.
Note: %Root% and %Program Files% are variable locations. The malware determines the location of these folders by querying the operating system. A typical location for the root drive would be C:\. A typical location for Program Files would be C:\Program Files.
Changes System Settings/Lowers System Security
Win32/Naigord.A attempts to bypass the system's security settings through the following registry entries:
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\<random port value>s:TCP = "<random port value>s:TCP:*:Enabled:BND"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List\<random port value>s = "<random port value>s:*:Enabled:VNC BND"
HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\<random port value>s:TCP = "<random port value>s:TCP:*:Enabled:BNDFTP"
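The autostart entries under "Method of Infection", the "xTemp_xx.exe" file pattern under "Executes Files" and the firewall exceptions just listed are the host-side indicators an incident responder would check. The following is an added example, not part of the original analysis: it runs those checks against a constructed in-memory registry snapshot and a constructed %Temp% listing so that it executes offline on any platform. On a live Windows host the snapshot would come from winreg or a reg.exe export (collection is not shown). The port 4125, the benign filler entries and the %Temp% file names are demo values, not indicators from the write-up.

```python
"""Host triage against the Win32/Naigord.A indicators (added example)."""
import ntpath
import re

# Lower-cased fragments identifying autostart keys (Run, RunOnce, Active Setup).
AUTOSTART_MARKERS = (
    r"\currentversion\run",
    r"\currentversion\runonce",
    r"\active setup\installed components",
)
# XP SP2 firewall exception lists the worm writes to.
FIREWALL_LISTS = (r"\globallyopenports\list", r"\authorizedapplications\list")
# Exception labels from the write-up.
NAIGORD_EXCEPTION_NAMES = {"BND", "VNC BND", "BNDFTP"}
# "xTemp_xx.exe" where each x is a letter.
TEMP_DROPPER = re.compile(r"^[A-Za-z]Temp_[A-Za-z]{2}\.exe$")

# Constructed snapshot: {key: {value_name: data}}. Worm entries are as listed in
# the write-up; ctfmon.exe and the port-139 entry are benign filler. Port 4125
# stands in for the random port the worm picks.
REGISTRY_SNAPSHOT = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "andk": r"%System%\ali.exe",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce": {
        "*andk": r"%System%\ali.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Active Setup\Installed Components\{B6A807N6-42DF-4W02-93E5-B156B3FA8AL1}": {
        "StubPath": r"%System%\ali.exe",
    },
    r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List": {
        "4125:TCP": "4125:TCP:*:Enabled:BND",
        "4125": "4125:*:Enabled:VNC BND",
        "139:TCP": "139:TCP:*:Enabled:@xpsp2res.dll,-22004",
    },
    r"HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List": {
        "4125:TCP": "4125:TCP:*:Enabled:BNDFTP",
    },
}
# Constructed %Temp% listing; only aTemp_qz.exe fits the pattern.
TEMP_LISTING = ["~DF1234.tmp", "aTemp_qz.exe", "aTemp_q.exe", "report.txt"]


def persistence_hits(snapshot, dropper="ali.exe"):
    """(key, value_name, data) for autostart values that launch the dropper."""
    hits = []
    for key, values in snapshot.items():
        if not any(m in key.lower() for m in AUTOSTART_MARKERS):
            continue
        for name, data in values.items():
            # ntpath handles backslash paths even when run on a non-Windows host.
            if ntpath.basename(data.strip('"')).lower() == dropper.lower():
                hits.append((key, name, data))
    return hits


def parse_firewall_value(data):
    """Split a firewall list entry into port, state and label.

    GloballyOpenPorts entries look like 'port:proto:scope:Enabled:name'; the
    write-up also shows a variant without the protocol, so the port is read from
    the leading digits and state/name are taken from the right.
    """
    prefix, state, name = data.rsplit(":", 2)
    m = re.match(r"\d+", prefix)
    return {"port": int(m.group()) if m else None,
            "enabled": state == "Enabled", "name": name, "raw": data}


def firewall_exceptions(snapshot, names=NAIGORD_EXCEPTION_NAMES):
    """Enabled firewall exceptions whose label is one the worm uses."""
    found = []
    for key, values in snapshot.items():
        if not any(key.lower().endswith(s) for s in FIREWALL_LISTS):
            continue
        for data in values.values():
            if data.count(":") < 2:
                continue  # not in the list-entry format
            entry = parse_firewall_value(data)
            if entry["enabled"] and entry["name"] in names:
                found.append(entry)
    return found


def suspicious_temp_files(listing):
    """Names in a %Temp% listing matching the 'xTemp_xx.exe' pattern."""
    return sorted(n for n in listing if TEMP_DROPPER.match(n))


def triage(snapshot=REGISTRY_SNAPSHOT, temp_listing=TEMP_LISTING):
    """Run all three checks and return their results keyed by check name."""
    return {"persistence": persistence_hits(snapshot),
            "firewall": firewall_exceptions(snapshot),
            "temp_files": suspicious_temp_files(temp_listing)}


if __name__ == "__main__":
    for section, items in triage().items():
        print(section)
        for item in items:
            print("   ", item)
```

The firewall check keys on the exception labels because the port is random; if the labels were changed in a variant, the more durable signal is any enabled exception whose name is not a resource-string reference like "@xpsp2res.dll,-22004", which the parser already exposes in the "name" field.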
Analysis by Methusela Ferrer