Summary
| How it spreads | File sharing on P2P networks |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Protection available since | 5 June 2005 11:18:27 (GMT) |
| Detected by | All Sophos products |
- Endpoint Security and Control 9.0
- Small business solutions 4.0
Action
Please follow the instructions for removing worms.
More Information
W32/Nopir-C is a worm for the Windows platform that attempts to delete certain files from the infected system.
W32/Nopir-C spreads via file sharing on P2P networks.
When first run, W32/Nopir-C displays an anti-piracy image and attempts to delete files with any of the following extensions:
- AVI
- MP3
- MPEG
- MPG
- RAR
When first run, W32/Nopir-C may copy itself to the following locations:
- C:\Program Files\KaZaA\My Shared Folder\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe
- C:\Program Files\Outlook Express.sav\outlookrem.exe
- C:\Program Files\emule\Incoming\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe
- C:\Program Files\system prot\mmsete.exe
- C:\Program Files\StreamCast\Morpheus\My Shared Folder\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe
- C:\Program Files\Gnucleus\Downloads\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe
The worm creates the file "THE PUNISHMENT OF (WIN 32 NOPIR) !!!.txt." in the root folder of the C: drive. This file contains the following text:
THE ILLEGAL COPY IS AN ORGANIZED CRIME !!!
The following registry entries are created to run the worm on startup:

| Key | Value | Data |
|---|---|---|
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | sysmem | C:\Program Files\Outlook Express.sav\outlookrem.exe |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run | memory | C:\Program Files\Outlook Express.sav\outlookrem.exe |
The following registry entries are set so that the worm is run when files with extensions of BAT, COM, EXE, PIF and SCR are opened:

| Key | Value | Data |
|---|---|---|
| HKCR\VBEFile\Shell\Open\Command | (default) | C:\Program Files\Outlook Express.sav\outlookrem.exe |
| HKCR\VBSFile\Shell\Open\Command | (default) | C:\Program Files\Outlook Express.sav\outlookrem.exe |
| HKCR\batfile\shell\open\command | (default) | C:\Program Files\Outlook Express.sav\outlookrem.exe |
| HKCR\cmdfile\shell\open\command | (default) | C:\Program Files\Outlook Express.sav\outlookrem.exe |
| HKCR\exefile\shell\open\command | (default) | C:\Program Files\Outlook Express.sav\outlookrem.exe |
| HKCR\inffile\shell\open\command | (default) | C:\Program Files\Outlook Express.sav\outlookrem.exe |
| HKCR\piffile\shell\open\command | (default) | C:\Program Files\Outlook Express.sav\outlookrem.exe |
| HKCR\regfile\shell\open\command | (default) | C:\Program Files\Outlook Express.sav\outlookrem.exe |
| HKCR\scrfile\shell\open\command | (default) | C:\Program Files\Outlook Express.sav\outlookrem.exe |
The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):

| Key | Value | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableTaskMgr | 1 |
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System | DisableRegistryTools | 1 |
The following registry entry is set, hiding the Control Panel:

| Key | Value | Data |
|---|---|---|
| HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer | NoControlPanel | 1 |
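The following audit script is an added example and is not part of the Sophos analysis; it reads the file paths and registry entries listed above on the local machine and reports any that match, without changing anything. It assumes the dropped text file is named exactly as shown above with the trailing period read as sentence punctuation, and it checks HKCU for the user running the script only.

```powershell
# Added audit script (not from the Sophos page): report W32/Nopir-C indicators.
# Read-only; run it as each user whose HKCU policies you want to inspect.
$Payload  = 'C:\Program Files\Outlook Express.sav\outlookrem.exe'
$Findings = @()

# 1. Dropped copies and the text file the worm is documented to create.
$DropPaths = @(
  'C:\Program Files\KaZaA\My Shared Folder\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe',
  $Payload,
  'C:\Program Files\emule\Incoming\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe',
  'C:\Program Files\system prot\mmsete.exe',
  'C:\Program Files\StreamCast\Morpheus\My Shared Folder\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe',
  'C:\Program Files\Gnucleus\Downloads\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe',
  'C:\THE PUNISHMENT OF (WIN 32 NOPIR) !!!.txt'   # assumed: trailing "." on the page is punctuation
)
foreach ($p in $DropPaths) {
  if (Test-Path -LiteralPath $p) { $Findings += "file present: $p" }
}

# 2. Startup persistence: any Run value whose data points at the payload.
$RunKey = 'Registry::HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$run = Get-ItemProperty -Path $RunKey -ErrorAction SilentlyContinue
foreach ($prop in $run.PSObject.Properties) {
  if ("$($prop.Value)" -like '*outlookrem.exe*') {
    $Findings += "Run value '$($prop.Name)' -> $($prop.Value)"
  }
}

# 3. File-type hijacks: the (default) open command should launch the file itself,
#    not the worm. Classes are those listed in the analysis.
foreach ($cls in 'VBEFile','VBSFile','batfile','cmdfile','exefile','inffile','piffile','regfile','scrfile') {
  $key = "Registry::HKEY_CLASSES_ROOT\$cls\shell\open\command"
  $cmd = (Get-ItemProperty -Path $key -ErrorAction SilentlyContinue).'(default)'
  if ($cmd -and $cmd -like '*outlookrem.exe*') { $Findings += "$cls open command hijacked: $cmd" }
}

# 4. Policy values the worm sets to hinder cleanup (current user's hive).
$PolicyChecks = @(
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
  @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' }
)
foreach ($c in $PolicyChecks) {
  $v = (Get-ItemProperty -Path $c.Key -Name $c.Name -ErrorAction SilentlyContinue).($c.Name)
  if ($v -eq 1) { $Findings += "$($c.Name) = 1 under $($c.Key)" }
}

if ($Findings.Count -eq 0) { 'No W32/Nopir-C indicators found.' }
else { 'Indicators found:'; $Findings | ForEach-Object { "  $_" } }
```

A hit on any of the file-type hijacks means running regedit.exe or other tools by double-clicking would launch the worm instead, so cleanup should follow the removal instructions above rather than ad-hoc fixes.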
