Threat Encyclopedia


Installation
When executed, the worm copies itself into the %system% folder under the following name:

mmsvc32.exe

To be executed at every system start, the worm sets the following Registry entry:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"Microsoft Network Services Controller" = "%system%\mmsvc32.exe"


The worm creates and runs a new thread containing its own code inside the following process (code injection, so the network activity below appears to come from the browser):

iexplore.exe


Spreading

The worm copies itself to the root folder of removable drives under the following name:

autorun.exe

It drops the following file in the same folder:

autorun.inf

In this way the worm is started each time the infected medium is inserted into a computer on which AutoRun is honoured for removable drives. Windows 7 and later, and XP/Vista with the AutoRun update applied, no longer execute autorun.inf from USB media, so this spreading route only works against older or unpatched systems.
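The write-up does not reproduce the contents of the dropped autorun.inf. The following Python is an added example, not code from the original page, showing how a triage script can parse an autorun.inf from the root of a removable drive and decide whether it launches an executable stored on the medium itself. The sample file, its key names (open=, shellexecute=, shell\<verb>\command=) and the reference to autorun.exe are assumptions modelled on the usual shape of such files; the parser handles the general case rather than this one worm.

```python
import configparser
from pathlib import PureWindowsPath

# Constructed sample (an assumption, not the worm's real file): an autorun.inf
# that launches a dropped executable from the root of removable media. The
# icon= line points at a system DLL so the drive looks like an ordinary disk.
SAMPLE_AUTORUN_INF = """\
[AutoRun]
open=autorun.exe
shellexecute=autorun.exe
shell\\open\\command=autorun.exe
shell\\explore\\command=autorun.exe
icon=%SystemRoot%\\system32\\SHELL32.dll,4
label=Removable Disk
"""

# Keys whose value is executed on insertion or when the drive is opened.
LAUNCH_KEYS = ("open", "shellexecute")
EXECUTABLE_SUFFIXES = (".exe", ".com", ".bat", ".cmd", ".scr", ".pif")


def parse_autorun_inf(text):
    """Return {key: value} for the [autorun] section (any case), keys lower-cased.

    strict=False tolerates duplicate keys, which hand-written or malware
    generated files often contain; interpolation=None keeps '%' literal so
    %SystemRoot% does not trip configparser's own substitution.
    """
    cp = configparser.ConfigParser(strict=False, interpolation=None)
    cp.read_string(text)
    for section in cp.sections():
        if section.lower() == "autorun":
            return {k.lower(): v.strip() for k, v in cp.items(section)}
    return {}


def launch_targets(entries):
    """File names the autorun handler would run, from open=, shellexecute=
    and every shell\\<verb>\\command= key. Quotes and arguments are dropped."""
    targets = set()
    for key, value in entries.items():
        is_verb_command = key.startswith("shell\\") and key.endswith("\\command")
        if key in LAUNCH_KEYS or is_verb_command:
            exe = value.split()[0].strip('"') if value else ""
            if exe:
                targets.add(PureWindowsPath(exe).name.lower())
    return sorted(targets)


def is_suspicious(text):
    """True when the autorun.inf launches an executable carried on the medium."""
    return any(t.endswith(EXECUTABLE_SUFFIXES)
               for t in launch_targets(parse_autorun_inf(text)))


if __name__ == "__main__":
    print(launch_targets(parse_autorun_inf(SAMPLE_AUTORUN_INF)))
    print("suspicious" if is_suspicious(SAMPLE_AUTORUN_INF) else "clean")
```

A legitimate autorun.inf for a data drive carries only icon= and label=, so any launch key at all is worth a closer look; the executable check simply separates the obvious case from, say, a CD that opens an HTML index.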


The worm generates IP addresses and connects to the remote machines on TCP port 135 in an attempt to exploit the Microsoft Windows DCOM RPC vulnerability described in Microsoft Security Bulletin MS03-026 (a buffer overrun in the RPC interface, patched in July 2003). Only hosts that still lack that patch can be infected this way.
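The scanning behaviour described above has a simple network-side signature: one host opening TCP/135 connections to many distinct addresses in a short time, which normal RPC endpoint-mapper traffic never does. The following Python is an added example, not from the original page, that counts distinct TCP/135 destinations per source over a constructed flow log and flags sources above a threshold. The flow records, addresses and the threshold of 20 are assumptions.

```python
from collections import defaultdict

# Constructed flow records (src, dst, dport, proto): 10.0.0.5 makes a couple of
# ordinary endpoint-mapper lookups, 10.0.0.23 fans out to TCP/135 on forty
# addresses the way a DCOM RPC scanner does. Addresses are documentation ranges.
SAMPLE_FLOWS = [
    ("10.0.0.5", "10.0.0.10", 135, "tcp"),
    ("10.0.0.5", "10.0.0.11", 135, "tcp"),
    ("10.0.0.23", "10.0.0.1", 53, "udp"),
    *[("10.0.0.23", f"198.51.100.{i}", 135, "tcp") for i in range(1, 41)],
]


def rpc_fanout(flows, port=135):
    """Number of distinct destinations each source contacted on TCP <port>."""
    targets = defaultdict(set)
    for src, dst, dport, proto in flows:
        if proto == "tcp" and dport == port:
            targets[src].add(dst)
    return {src: len(dsts) for src, dsts in targets.items()}


def scanners(flows, port=135, threshold=20):
    """Sources whose fan-out on <port> reaches the threshold, sorted for stable output.

    The threshold is an assumption; tune it on a baseline of your own network,
    where a domain controller or management host may legitimately touch many
    RPC endpoints. Windowing by time is left to the flow source's bucketing.
    """
    return sorted(src for src, n in rpc_fanout(flows, port).items() if n >= threshold)


if __name__ == "__main__":
    for src in scanners(SAMPLE_FLOWS):
        print(f"{src}: {rpc_fanout(SAMPLE_FLOWS)[src]} distinct TCP/135 targets")
```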


Other information
The following file is modified (the system hosts file, consulted before DNS, so the entries below silently redirect the listed bank sites to an attacker-controlled address):

%system%\drivers\etc\hosts

The worm writes the following entries to the file, all of which map online-banking hostnames to the single address 82.146.60.44:

82.146.60.44 postbank.de
82.146.60.44 www.postbank.de
82.146.60.44 banking.postbank.de
82.146.60.44 direkt.postbank.de
82.146.60.44 www.smile.co.uk
82.146.60.44 smile.co.uk
82.146.60.44 cahoot.com
82.146.60.44 www.cahoot.com
82.146.60.44 www.cahoot.co.uk
82.146.60.44 cahoot.co.uk
82.146.60.44 www.co-operativebank.co.uk
82.146.60.44 co-operativebank.co.uk
82.146.60.44 www.co-operativebank.com
82.146.60.44 co-operativebank.com
82.146.60.44 personal.barclays.co.uk
82.146.60.44 barclays.co.uk
82.146.60.44 ibank.barclays.co.uk
82.146.60.44 www.barclays.co.uk
82.146.60.44 barclays.touchclarity.com
82.146.60.44 hsbc.co.uk
82.146.60.44 www.hsbc.co.uk
82.146.60.44 hsbc.touchclarity.com
82.146.60.44 www1.member-hsbc-group.com
82.146.60.44 lloydstsb.co.uk
82.146.60.44 www.lloydstsb.co.uk
82.146.60.44 lloydstsb.com
82.146.60.44 www.lloydstsb.com
82.146.60.44 mi.lloydstsb.com
82.146.60.44 www.woolwich.co.uk
82.146.60.44 woolwich.co.uk
82.146.60.44 www.deutsche-bank.de
82.146.60.44 deutsche-bank.de
82.146.60.44 meine.deutsche-bank.de
82.146.60.44 www.anbusiness.com
82.146.60.44 anbusiness.com
82.146.60.44 www.abbeyinternational.com
82.146.60.44 www.barclays.com
82.146.60.44 barclays.com
82.146.60.44 ibank.internationalbanking.barclays.com
82.146.60.44 offshore.hsbc.com
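The entries above are a hosts-file pharming attack: every victim of the list above resolves its bank to one IP without any DNS query being made. The following Python is an added example, not code from the original page, that parses a hosts file and reports mappings that send a dotted hostname somewhere other than loopback, grouped by destination so that the "many hostnames, one address" pattern stands out. It generalises beyond this worm: any hosts-file redirect is reported, not just the addresses and domains listed here. The sample file contents are constructed (the Windows default loopback lines plus a subset of the worm's entries), and the hosts_path() helper and the threshold of three hostnames are assumptions.

```python
import ipaddress
import os
from collections import defaultdict

# Constructed sample of a hosts file after infection: the two loopback lines are
# the Windows defaults, the remaining lines are a subset of those the worm writes.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
82.146.60.44 postbank.de
82.146.60.44 www.postbank.de
82.146.60.44 ibank.barclays.co.uk
82.146.60.44 www.hsbc.co.uk   # trailing comments are legal in hosts files
"""


def hosts_path():
    """Location of the hosts file on Windows (the %system%\\drivers\\etc\\hosts
    the write-up refers to). Assumed helper; uses %SystemRoot% when set."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Yield (ip_address, hostname) pairs, ignoring comments and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            continue  # not an "IP name..." mapping
        for name in fields[1:]:
            yield addr, name.lower()


def suspicious_mappings(text):
    """{ip: [hostnames]} for dotted hostnames mapped away from loopback.

    Single-label names (localhost, intranet short names) are skipped because
    they are commonly mapped locally on purpose; on a managed host you would
    also exclude your own known internal entries before alerting.
    """
    by_ip = defaultdict(list)
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified or "." not in name:
            continue
        by_ip[str(addr)].append(name)
    return dict(by_ip)


def pharming_sinks(text, min_hosts=3):
    """Addresses that collect several hostnames: the fingerprint of hosts-file pharming."""
    return {ip: names for ip, names in suspicious_mappings(text).items()
            if len(names) >= min_hosts}


if __name__ == "__main__":
    for ip, names in pharming_sinks(SAMPLE_HOSTS).items():
        print(f"{ip} hijacks {len(names)} hostnames: {', '.join(names)}")
```

On a live Windows host, read hosts_path() instead of SAMPLE_HOSTS; remember that the file is also a common target for ad-blocking tools that map many domains to 0.0.0.0 or 127.0.0.1, which is why those addresses are excluded rather than treated as redirects.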

The worm terminates any program whose window title contains any of the following strings:

DBMWin

The worm terminates processes whose name contains any of the following strings (the built-in Windows command-line file transfer clients):

ftp.exe

tftp.exe

The worm receives data and commands from a remote computer over the Internet and can be controlled remotely. It uses the HTTP and FTP protocols and contains a list of URLs. It can execute the following operations:

  • perform DoS/DDoS attacks

  • download files from a remote computer and/or the Internet

  • run executable files

  • terminate running processes

The worm may create the following file:

%system%\1.htm