Win32/Small.NCC [Threat Name] go to Threat

Win32/Small.NCC [Threat Variant Name]

Category worm
Size 122880 B
Detection created Nov 13, 2006
Detection database version 1864
Aliases Worm.Win32.AutoRun.bscv (Kaspersky)
  Worm:Win32/Autorun.XEA (Microsoft)
  W32/Autorun.worm.c.virus (McAfee)
Short description

Win32/Small.NCC is a worm that spreads via removable media.

Installation

When executed, the worm copies itself in some of the the following locations:

  • %system%\­msmsgs.exe
  • %drive%\­System Volume Information\­com1.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\­driveinfo.exe
  • %system%\­%originalfilename%

The following Registry entry is set:

  • [HKEY_CURRENT_USER\­Software\­Microsoft\­Windows NT\­CurrentVersion\­Windows]
    • "run" = "%system%\­%originalfilename%"

The worm creates the following folders:

  • %system%\­Debug\­

The worm creates the following files:

  • %systemdrive%\­D_20866.nsl

The worm may create the following files:

  • c:\­command.bat
  • %currentfolder%\­fpco.bat
  • %currentfolder%\­System~1\­Outdir.bat
Spreading on removable media

The worm copies itself into the root folders of removable drives using the following name:

  • New Folder .exe

The following file is dropped in the same folder:

  • autorun.inf

Thus, the worm ensures it is started each time infected media is inserted into the computer.


The worm creates the following folders:

  • %removabledrive%\­System Volume Information\­com1.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\­
  • %removabledrive%\­system32\­system32\­

The worm copies itself to the following location:

  • %removabledrive%\­System Volume Information\­com1.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\­weasvc.pif
Other information

The worm searches local drives for files with the following file extensions:

  • .doc
  • .rtf
  • .docx
  • .txt
  • .rar
  • .zip
  • .ppt
  • .pps
  • .xls
  • .sec
  • .oef
  • .okf
  • .sdd
  • .def

When the worm finds a file matching the search criteria, it creates its duplicate.


The name of the new file is based on the name of the file found in the search. An additional ".def" extension is appended.


The worm copies the files into the following folder:

  • %system%\­Debug\­

The worm moves the content of the following folders (source, destination):

  • %system%\­Debug\­, %removabledrive%\­System Volume Information\­com1.{20D04FE0-3AEA-1069-A2D8-08002B30309D}\­

The worm creates copies of the following files (source, destination):

  • %systemdrive%\­Program Files\­WinRAR\­rar.exe, %system%\­rar.exe

Please enable Javascript to ensure correct displaying of this content and refresh this page.