
W32.Nekat.A

Posted: January 24, 2008

W32.Nekat.A is a worm that propagates through removable storage devices and is known to reduce security settings by disabling the antivirus and firewall on the hijacked machine. To hide its malicious actions, W32.Nekat.A creates registry entries that hide or disable many functions of the Control Panel, Windows Registry Editor, Task Manager and the command shell.

Registry Modifications

  • The following Registry Values are newly produced:
    HKEY..\..\..\..{Subkeys}
    HKEY_LOCAL_MACHINE\Software\XCryptOR\W32Roty.A\"Aka1" = "SysTray.com"
    HKEY_LOCAL_MACHINE\Software\XCryptOR\W32Roty.A\"Aka2" = "scvhost.exe"
    HKEY_LOCAL_MACHINE\Software\XCryptOR\W32Roty.A\"Aka4" = "test.com"
    HKEY..\..\..\..{RegistryKeys}
    HKEY_CURRENT_USER\Control Panel\don't load\"access.cpl" = "No"
    HKEY_CURRENT_USER\Control Panel\don't load\"appwiz.cpl" = "No"
    HKEY_CURRENT_USER\Control Panel\don't load\"hdwwiz.cpl" = "No"
    HKEY_CURRENT_USER\Control Panel\don't load\"inetcpl.cpl" = "No"
    HKEY_CURRENT_USER\Control Panel\don't load\"intl.cpl" = "No"
    HKEY_CURRENT_USER\Control Panel\don't load\"joy.cpl" = "No"
    HKEY_CURRENT_USER\Control Panel\don't load\"main.cpl" = "No"
    HKEY_CURRENT_USER\Control Panel\don't load\"ncpa.cpl" = "No"
    HKEY_CURRENT_USER\Control Panel\don't load\"netcpl.cpl" = "No"
    HKEY_CURRENT_USER\Control Panel\don't load\"nusrmgr.cpl" = "No"
    HKEY_CURRENT_USER\Control Panel\don't load\"timedate.cpl" = "No"
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\SharedAccess\Parameters
    HKEY_LOCAL_MACHINE\System\ControlSet001\Services\lanmanserver\Shares\FirewallPolicy\StandardProfile\AuthorizedApplications\List\"%Windir%\SysTray.com" = "%WINDIR%\SysTray.com:*:Enabled:SysTray"
    \"Shell" = "%Windir%\SysTray.com"
    \"Test_Amor" = "CSCFlags=0"
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\..{RunKeys}
    HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run