Win32/Nomkesh [Threat Name] go to Threat

Win32/Nomkesh.B [Threat Variant Name]

Category worm
Size 49152 B
Detection created Sep 03, 2012
Detection database version 7441
Aliases Worm.Win32.AutoRun.dzeq (Kaspersky)
  Worm:Win32/Shekwa.A (Microsoft)
  W32.Dedler.Worm (Symantec)
Short description

Win32/Nomkesh.B is a worm that spreads via removable media and IM networks.


When executed, the worm copies itself into the following location:

  • %appdata%\­%variable%.exe

A string with variable content is used instead of %variable% .

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable%.exe" = "%appdata%\­%variable%.exe"
  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows\­CurrentVersion\­Run]
    • "%variable%.exe" = "%appdata%\­%variable%.exe"

The worm creates and runs a new thread with its own program code in all running processes except the following:

  • chrome.exe
  • cl.exe
  • cl.exe
  • cmd.exe
  • csrss.exe
  • dbgview.exe
  • devenv.exe
  • vmware-unity-helper.exe
  • dw.exe
  • dwwin.exe
  • msbuild.exe
  • msdev.exe
  • nacagentui.exe
  • skype.exe
  • truecrypt.exe
  • vmware.exe
  • vmware-tray.exe
  • vmware-vmx.exe
  • werfault.exe
  • wermgr.exe
  • winword.exe
  • winwordc.exe
  • wmplayer.exe

The worm hooks the following Windows APIs:

  • NtEnumerateValueKey (ntdll.dll)
  • NtQueryDirectoryFile (ntdll.dll)
  • NtResumeThread (ntdll.dll)
  • NtTerminateProcess (ntdll.dll)
  • NtWriteVirtualMemory (ntdll.dll)
  • send (ws2_32.dll)

The worm may create copies of itself on removable or remote drives.

The following filename is used:

  • %drive%\­ugiHhs\­ugiHhs.exe

The worm creates the following files:

  • %drive%\­ugiHhs\­Desktop.ini
  • %drive%\­autorun.inf

The AUTORUN.INF file contains the path to the malware executable.

Thus, the worm ensures it is started each time infected media is inserted into the computer.

The worm creates the following file:

  • %drive%\­%variable%.lnk

The file is a shortcut to a malicious file.

A string with variable content is used instead of %variable% .

The name of the file may be based on the name of an existing file or folder.

Spreading via IM networks

Win32/Nomkesh.B is a worm that spreads via IM networks.

The following programs are affected:

  • MSN Messenger
  • Pidgin
  • Windows Live Messenger
  • Windows Messenger

The message depends entirely on data the worm downloads from the Internet.

Information stealing

The worm collects the following information:

  • operating system version
  • information about the operating system and system settings
  • FTP account information

The worm can send the information to a remote machine.

Other information

The worm acquires data and commands from a remote computer or the Internet.

The worm contains a list of (1) IP addresses. The IRC protocol is used.

It can execute the following operations:

  • download files from a remote computer and/or the Internet
  • run executable files
  • terminate running processes
  • monitor network traffic
  • modify network traffic
  • update itself to a newer version
  • stop itself for a certain time period
  • spread via IM networks
  • perform DoS/DDoS attacks
  • uninstall itself

The worm hides its presence in the system.

Please enable Javascript to ensure correct displaying of this content and refresh this page.