WORM_NOPIR.B

Malware type: Worm

Aliases: P2P-Worm.Win32.Piron.a (Kaspersky), Generic Del (McAfee), W32.Nopir.A (Symantec), W32/Nopir.B (Avira), W32/Nopir-B (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:

Reported infections:

Damage potential:

Low

Distribution potential:

Medium

Description: 

This worm propagates via peer-to-peer networks. It searches for available peer-to-peer applications and then sends copies of itself to all available or online users.

It disables registry tools and prevents using the Registry Editor via the Control Panel. It also modifies certain registry entries so that it executes when any file with any of the following file name extensions is opened:

  • .BAT
  • .CMD
  • .COM
  • .EXE
  • .PIF
  • .REG
  • .SCR
  • .VBE
  • .VBS

It displays the following image:

    [image: Windows]


Description created: Apr. 27, 2005 6:41:52 AM GMT -0800


TECHNICAL DETAILS


Memory resident: Yes

Size of malware: 156,658 Bytes

Initial samples received on: Apr 21, 2005

Compression type: ExeStealth

Details:

Installation

Upon execution, this memory-resident worm creates the following folder:

    %Program Files%\Restore

(Note: %Program Files% refers to the Program Files folder, which is usually C:\Program Files.)

It then drops a copy of itself in this folder as VXST.EXE. It also drops the following copy of itself:

    %Program Files%\Projects Visual Studio.NET\Nctrup.exe

It then searches for and deletes files with the following file name extensions:

  • .com
  • .mp3

Autostart Technique

This worm creates the following registry entries to ensure its automatic execution at every Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
Verif = "%Program Files%\Restore\vxst.exe"

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\
CurrentVersion\Run
securw="%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

Other Registry Modifications

This worm disables registry tools by creating the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\System
DisableRegistryTools = "dword:00000001"

It also creates the following registry entry to prevent the user from using the Control Panel to edit the registry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\
CurrentVersion\Policies\Explorer
NoControlPanel = "dword:00000001"

This worm has shell spawning capabilities. It modifies the following registry entries so that when any file with certain file name extensions is opened, a copy of the worm is executed instead:

For .BAT files:

HKEY_CLASSES_ROOT\batfile\shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

HKEY_LOCAL_MACHINE\Software\Classes\batfile\
shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

For .CMD files:

HKEY_CLASSES_ROOT\cmdfile\shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

HKEY_LOCAL_MACHINE\Software\Classes\cmdfile\
shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

For .COM files:

HKEY_CLASSES_ROOT\comfile\shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

HKEY_LOCAL_MACHINE\Software\Classes\comfile\
shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

For .EXE files:

HKEY_CLASSES_ROOT\exefile\shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

HKEY_LOCAL_MACHINE\Software\Classes\exefile\
shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

For .PIF files:

HKEY_CLASSES_ROOT\piffile\shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

HKEY_LOCAL_MACHINE\Software\Classes\piffile\
shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

For .REG files:

HKEY_CLASSES_ROOT\regfile\shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

HKEY_LOCAL_MACHINE\Software\Classes\regfile\
shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

For .SCR files:

HKEY_CLASSES_ROOT\scrfile\shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

HKEY_LOCAL_MACHINE\Software\Classes\scrfile\
shell\open\command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

For .VBE files:

HKEY_CLASSES_ROOT\VBEFile\Shell\Open\Command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

HKEY_LOCAL_MACHINE\Software\Classes\VBEFile\
Shell\Open\Command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

For .VBS files:

HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

HKEY_LOCAL_MACHINE\Software\Classes\VBSFile\
Shell\Open\Command
@ = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"

Propagation via Peer-to-Peer Applications

This worm searches for available peer-to-peer applications and then sends copies of itself to all available or online users.

Other Details

This worm displays the following image after performing all its routines:

    [image: Windows]

It does not check for memory-residency, so multiple instances of this worm may run on the system. It runs on Windows 95, 98, ME, NT, 2000, and XP.

Analysis By: Melvin Dantis Dadios


SOLUTION


Minimum scan engine version needed: 6.810

Pattern file needed: 2.591.03

Pattern release date: Apr 21, 2005


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine here.

Solution:

Creating a VBS file to Disable the System Policies

  1. Open a text editor and type in the following:
    ' Resets the policy values this worm sets so that the Registry Editor,
    ' the Control Panel, and Task Manager can be used again.
    On Error Resume Next
    Set wsreg = CreateObject("WScript.Shell")
    wsreg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoControlPanel", 0, "REG_DWORD"
    wsreg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools", 0, "REG_DWORD"
    wsreg.RegWrite "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableTaskMgr", 0, "REG_DWORD"
    WScript.Quit

  2. Save the file as {user specified file name}.VBS.
  3. Close your text editor.
  4. Double-click on {user specified file name}.VBS.

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your system with your Trend Micro antivirus product.
  2. NOTE all files detected as WORM_NOPIR.B.

Trend Micro customers need to download the latest pattern file before scanning their system. Other users can use Housecall, Trend Micro's online virus scanner.

Terminating the Malware Program

This procedure terminates the running malware process. You will need the name(s) of the file(s) detected earlier.

  1. Open Windows Task Manager.
    • On Windows 95, 98, and ME, press CTRL+ALT+DELETE.
    • On Windows NT, 2000, and XP, press CTRL+SHIFT+ESC, then click the Processes tab.
  2. In the list of running programs*, locate the malware file(s) detected earlier.
  3. Select one of the detected files, then press either the End Task or the End Process button, depending on the version of Windows on your system.
  4. Do the same for all detected malware files in the list of running processes.
  5. To check if the malware process has been terminated, close Task Manager, and then open it again.
  6. Close Task Manager.

*NOTE: On systems running Windows 95, 98, and ME, Windows Task Manager may not show certain processes. You can use a third party process viewer such as Process Explorer to terminate the malware process. Otherwise, continue with the next procedure, noting additional instructions.

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    Verif = "%Program Files%\Restore\vxst.exe"
    (Note: %Program Files% refers to the Program Files folder, which is usually C:\Program Files.)
  4. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>Software>Microsoft>
    Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entry:
    securw = "%Program Files%\Projects Visual Studio.NET\Nctrup.exe"
  6. Close the Registry Editor.

NOTE: If you were not able to terminate the malware process as described in the previous procedure, restart your system.

Addressing Registry Shell Spawning

This procedure prevents the malware from executing whenever a user opens files with certain extension names. It should restore the registry to its original settings.

  1. Click Start>Run.
  2. In the Open input box, type:
    command /c copy %Windows%\regedit.exe regedit.com | regedit.com
    (Note: %Windows% is the default Windows folder, which is usually C:\Windows or C:\WINNT.)
  3. Press Enter.
  4. In the left panel, double-click the following:
    HKEY_CLASSES_ROOT>exefile>shell>open>command
  5. In the right panel, locate the registry entry:
    (Default)
  6. Check whether its value is the path and file name of the malware file.
  7. If the value is the malware file, right-click Default and select Modify to change its value.
  8. In the Value data input box, delete the existing value and type the default value:
    "%1"
  9. Repeat this procedure for the following registry keys:
    • HKEY_CLASSES_ROOT>VBEFile>shell>open>command
    • HKEY_CLASSES_ROOT>VBSFile>shell>open>command
    • HKEY_CLASSES_ROOT>batfile>shell>open>command
    • HKEY_CLASSES_ROOT>cmdfile>shell>open>command
    • HKEY_CLASSES_ROOT>comfile>shell>open>command
    • HKEY_CLASSES_ROOT>exefile>shell>open>command
    • HKEY_CLASSES_ROOT>piffile>shell>open>command
    • HKEY_CLASSES_ROOT>regfile>shell>open>command
    • HKEY_CLASSES_ROOT>scrfile>shell>open>command
    • HKEY_LOCAL_MACHINE>Software>Classes>VBEFile>
      shell>open>command
    • HKEY_LOCAL_MACHINE>Software>Classes>VBSFile>
      shell>open>command
    • HKEY_LOCAL_MACHINE>Software>Classes>batfile>
      shell>open>command
    • HKEY_LOCAL_MACHINE>Software>Classes>cmdfile>
      shell>open>command
    • HKEY_LOCAL_MACHINE>Software>Classes>comfile>
      shell>open>command
    • HKEY_LOCAL_MACHINE>Software>Classes>exefile>
      shell>open>command
    • HKEY_LOCAL_MACHINE>Software>Classes>piffile>
      shell>open>command
    • HKEY_LOCAL_MACHINE>Software>Classes>regfile>
      shell>open>command
    • HKEY_LOCAL_MACHINE>Software>Classes>scrfile>
      shell>open>command
  10. Close Registry Editor.
  11. Click Start>Run, then type:
    command /c del regedit.com
  12. Press Enter.
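As an added example (not part of this Trend Micro advisory and not a Trend Micro tool), the following Python script audits a registry export in .reg text form for the changes listed under Technical Details and addressed by the procedures above: the hijacked shell\open\command values for the file classes just listed, the DisableRegistryTools and NoControlPanel policy values, and the Verif and securw autostart entries. It runs offline against a constructed sample export; the function names, the sample data, and the check that a clean open command begins with "%1" (the default value from step 8) are this example's own choices.

```python
"""Offline audit of a Windows registry export (.reg text) for the registry
changes WORM_NOPIR.B makes. Added example, not part of the advisory or of any
Trend Micro tool; it parses .reg text and never touches a live registry.
SAMPLE_EXPORT is constructed for demonstration."""
import re

# File classes whose shell\open\command the worm redirects to its copy.
HIJACKED_CLASSES = ("batfile", "cmdfile", "comfile", "exefile", "piffile",
                    "regfile", "scrfile", "VBEFile", "VBSFile")
# (key, value name) pairs the worm sets to dword:1 to lock the user out.
POLICY_VALUES = (
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System",
     "DisableRegistryTools"),
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer",
     "NoControlPanel"),
)
# Autostart value names the worm creates under the HKLM Run key.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_NAMES = ("verif", "securw")

_KEY_RE = re.compile(r"^\[([^\]]+)\]$")
_VALUE_RE = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')

def _unescape(s):
    """Undo .reg string escaping (doubled backslashes, escaped quotes)."""
    return re.sub(r"\\(.)", r"\1", s)

def parse_reg(text):
    """Parse .reg text into {key_path_lowercased: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY_RE.match(line)
        if m:  # registry key names are case-insensitive, so index them lowercased
            current = m.group(1).lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            name, data = m.group(1), m.group(2).strip()
            if name != "@":  # '@' is the (Default) value
                name = _unescape(name[1:-1])
            if len(data) >= 2 and data[0] == data[-1] == '"':
                data = _unescape(data[1:-1])  # quoted string; dword: data stays verbatim
            keys[current][name] = data
    return keys

def audit(keys):
    """Return sorted (category, key_path, detail) findings."""
    findings = []
    for cls in HIJACKED_CLASSES:  # shell spawning: a clean command starts with "%1"
        for key in (r"HKEY_CLASSES_ROOT\%s\shell\open\command" % cls,
                    r"HKEY_LOCAL_MACHINE\Software\Classes\%s\shell\open\command" % cls):
            cmd = keys.get(key.lower(), {}).get("@")
            if cmd is not None and not cmd.startswith('"%1"'):
                findings.append(("shell_spawning", key, cmd))
    for key, name in POLICY_VALUES:  # lockout policies set to a non-zero DWORD
        vals = keys.get(key.lower(), {})
        data = next((d for n, d in vals.items() if n.lower() == name.lower()), "")
        if data.lower().startswith("dword:") and int(data[6:], 16) != 0:
            findings.append(("policy", key, name))
    for n, d in keys.get(RUN_KEY.lower(), {}).items():  # autostart entries
        if n.lower() in RUN_NAMES:
            findings.append(("autostart", RUN_KEY, "%s = %s" % (n, d)))
    return sorted(findings)

def remediation_reg(findings):
    """Build .reg text that zeroes the policy DWORDs and deletes the autostart
    values ('"name"=-' deletes a value). Shell commands are only reported:
    their correct default differs per file class."""
    lines = ["Windows Registry Editor Version 5.00", ""]
    for cat, key, detail in findings:
        if cat == "policy":
            lines += ["[%s]" % key, '"%s"=dword:00000000' % detail, ""]
        elif cat == "autostart":
            lines += ["[%s]" % key, '"%s"=-' % detail.split(" = ", 1)[0], ""]
    return "\n".join(lines)

# Constructed sample: an infected host's keys plus one clean, monitored class.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"Verif"="C:\\Program Files\\Restore\\vxst.exe"
"securw"="C:\\Program Files\\Projects Visual Studio.NET\\Nctrup.exe"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer]
"NoControlPanel"=dword:00000001
[HKEY_CLASSES_ROOT\exefile\shell\open\command]
@="C:\\Program Files\\Projects Visual Studio.NET\\Nctrup.exe"
[HKEY_CLASSES_ROOT\VBSFile\Shell\Open\Command]
@="\"C:\\Program Files\\Projects Visual Studio.NET\\Nctrup.exe\""
[HKEY_LOCAL_MACHINE\Software\Classes\batfile\shell\open\command]
@="\"%1\" %*"
"""

if __name__ == "__main__":
    found = audit(parse_reg(SAMPLE_EXPORT))
    for cat, key, detail in found:
        print("%-15s %s :: %s" % (cat, key, detail))
    print(remediation_reg(found))
```

Feed it a .reg export of the keys in question (decode the export to text first if it was written as UTF-16). The generated remediation text covers only the policy values and the Run entries; the shell\open\command values are reported but not rewritten, because the correct default differs per file class and is best restored by hand as in the steps above.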

Additional Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected systems.

Users running other Windows versions can proceed with the succeeding procedure set(s).

Running Trend Micro Antivirus

Scan your system with Trend Micro antivirus and delete files detected as WORM_NOPIR.B. To do this, Trend Micro customers must download the latest pattern file and scan their system. Other Internet users can use HouseCall, Trend Micro's online virus scanner.



