In this month's MSRT release, we added three new threat families to the detection capability. One of these three is Win32/Nuqel, which has been around for four years since its first variant was found. More than 60 variants of Win32/Nuqel have been identified in the wild. This worm spreads itself via network shares, removable drives and instant messenger programs. These combined spreading methods make it very efficient in propagating, and it has gained prevalence lately.

Aside from the typical Autorun behavior, which is of diminishing value to malware authors, Nuqel employs a disguise to fool victims. When infecting a machine with shared network drives, Nuqel copies itself to the folders on the network share using the name and icon of a folder. If the user clicks the icon, the worm is activated.

For example, the infected network share may look like this:

Image 1 – View of infected network share, with file extensions hidden

Once file extensions are shown, you can see why there appear to be two folders with the same name 'Pictures':

Image 2 – View of infected network share, with file extensions visible

If you don't have any folder or file shared, Win32/Nuqel will create one for you as <Root Drive>\New Folder.exe, which is another copy of itself. For more information about its methods of propagation, please refer to our Win32/Nuqel description in the MMPC encyclopedia.
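The disguise described above leaves a simple structural fingerprint on a share: an executable whose name (minus its extension) matches a sibling folder, or a `New Folder.exe` sitting at the root of the share. The following script is an added example for this post, not MMPC code or a Microsoft tool; it walks a directory tree and reports such folder look-alikes. The executable-extension list and the constructed sample share layout (which mirrors Images 1 and 2 with placeholder bytes, not real malware) are assumptions made for the demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path

# Extensions that Windows runs on double-click. Assumption: an illustrative
# list for the example, not the worm's exact set of file types.
EXECUTABLE_SUFFIXES = {".exe", ".scr", ".com", ".pif"}


def find_folder_lookalikes(share_root):
    """Walk a share and return share-relative paths of executables that
    masquerade as folders:

    * an executable whose stem equals a sibling directory name
      (Pictures.exe next to Pictures\\), the trick shown in Images 1 and 2;
    * a 'New Folder.exe' at the root of the share, the file Nuqel drops
      when nothing is shared yet.
    """
    share_root = Path(share_root)
    findings = set()
    for dirpath, dirnames, filenames in os.walk(share_root):
        here = Path(dirpath)
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            candidate = Path(name)
            if candidate.suffix.lower() not in EXECUTABLE_SUFFIXES:
                continue
            rel = (here / name).relative_to(share_root).as_posix()
            if candidate.stem.lower() in sibling_dirs:
                findings.add(rel)
            elif here == share_root and name.lower() == "new folder.exe":
                findings.add(rel)
    return sorted(findings)


def build_sample_share():
    """Create a constructed share layout: a real Pictures folder with a
    Pictures.exe beside it, a nested Archive/Archive.exe pair, a root-level
    New Folder.exe, and benign content that must not be flagged. File
    contents are placeholders, not real malware."""
    base = Path(tempfile.mkdtemp(prefix="share_demo_"))
    (base / "Pictures").mkdir()
    (base / "Pictures" / "holiday.jpg").write_bytes(b"\xff\xd8 placeholder")
    (base / "Pictures.exe").write_bytes(b"MZ placeholder")
    (base / "Docs").mkdir()
    (base / "Docs" / "report.txt").write_text("benign document")
    (base / "Docs" / "Archive").mkdir()
    (base / "Docs" / "Archive.exe").write_bytes(b"MZ placeholder")  # nested instance
    (base / "New Folder.exe").write_bytes(b"MZ placeholder")
    (base / "setup.exe").write_bytes(b"MZ placeholder")  # exe with no folder twin: benign
    return base


def scan_sample_share():
    """Build the sample share, scan it, clean up, and return the findings."""
    base = build_sample_share()
    try:
        return find_folder_lookalikes(base)
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    for path in scan_sample_share():
        print("suspicious folder look-alike:", path)
```

Run against a mounted share root, the scan flags only executables that have a folder twin or the root-level `New Folder.exe`; an ordinary `setup.exe` with no matching folder is left alone. A name match is a triage signal, not a verdict: confirm hits with a full antivirus scan of the flagged files, and keep file extensions visible on workstations so the `.exe` suffix shown in Image 2 is never hidden from users in the first place.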

Although it's a family that's been around for a pretty long time, the volume in the wild is still large and rising, based on the numbers seen by Microsoft security products:

Chart 1 – Percent increase in detection, January 2009 – May 2011

If we split the count of detections by countries, the United States is the most affected with 40 percent of all Nuqel detections, followed by Turkey. The top 5 countries occupy 73 percent in total, as illustrated below.

Chart 2 – Detection by country

The other two threat families added to MSRT detection for June 2011 are Win32/Yimfoca and Win32/Rorpian, both of which are also high-profile worms with several payloads and are also gaining prevalence these days. We believe MSRT will put a dent in these threats, and as always, we recommend that users install real-time protection with a full antivirus solution such as Microsoft Security Essentials.

-- Shawn Wang & Scott Wu, MMPC