W32/Nanpy-E

Category: Viruses and Spyware
Type: Win32 worm
Prevalence: Small Number of Reports


W32/Nanpy-E is a worm for the Windows platform.

W32/Nanpy-E spreads to other network computers by exploiting common buffer overflow vulnerabilities, including RPC-DCOM (MS04-012).

When first run, W32/Nanpy-E copies itself to <System>\mmsvc32.exe.

The following registry entry is created to run mmsvc32.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
Microsoft Network Services Controller
<System>\mmsvc32.exe

W32/Nanpy-E includes functionality to:

- carry out DDoS flooder attacks
- access the internet and communicate with a remote server via HTTP
- steal confidential information
- silently download, install and run new software

W32/Nanpy-E modifies the HOSTS file, mapping the hostnames of banking websites to a remote IP address. At the time of writing, this IP address is not functional. Entries are added for:


The following patch for the operating system vulnerability exploited by W32/Nanpy-E can be obtained from the Microsoft website:

MS04-012
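
A host check for the two changes described above (the Run entry and the HOSTS file redirection), added here as an example and not part of the original description or of any Sophos tool. The function names, the three-name watchlist, and the sample input are assumptions of this example; the sample IP is a documentation address, since the description does not give the one the worm uses.

```python
import ipaddress

# A few of the banking hostnames the advisory names; the watchlist is an assumption.
WATCHED = {"www.lloydstsb.co.uk", "barclays.co.uk", "www.postbank.de"}
RUN_VALUE = "Microsoft Network Services Controller"  # Run value name from the page
DROPPED_FILE = "mmsvc32.exe"                         # file name from the page

def parse_hosts(text):
    """Yield (line_no, ip, hostname) for every mapping in HOSTS-file text."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()   # drop comments, split on whitespace
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            continue                            # not a valid mapping line
        for name in fields[1:]:
            yield line_no, ip, name.lower().rstrip(".")

def redirected_hosts(text, watched=WATCHED):
    """Return (line_no, hostname, ip) where a watched name is pinned to a remote IP."""
    return [(n, host, str(ip)) for n, ip, host in parse_hosts(text)
            if host in watched and not (ip.is_loopback or ip.is_unspecified)]

def suspicious_run_values(values):
    """values: {name: data} read from the Run key; return names matching the page."""
    hits = []
    for name, data in values.items():
        exe = data.strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name.lower() == RUN_VALUE.lower() or exe == DROPPED_FILE:
            hits.append(name)
    return hits

# Constructed sample input; 192.0.2.10 is a documentation address, not the worm's IP.
SAMPLE_HOSTS = """\
# constructed sample
127.0.0.1    localhost
192.0.2.10   www.lloydstsb.co.uk barclays.co.uk   # added entry
192.0.2.10   WWW.POSTBANK.DE.
127.0.0.1    www.postbank.de
"""
SAMPLE_RUN = {
    "Microsoft Network Services Controller": r"C:\WINDOWS\system32\mmsvc32.exe",
    "ExampleUpdater": r"C:\Program Files\Example\update.exe",
}

if __name__ == "__main__":
    print(redirected_hosts(SAMPLE_HOSTS))
    print(suspicious_run_values(SAMPLE_RUN))
```

On a live system the HOSTS text would come from the file under the Windows system folder and the dictionary from the values of the Run key shown above.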
