Sophos

W32/Nopir-C

Aliases
  • Trojan.Win32.VB.xz

How it spreads
  • Peer-to-peer
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 5 June 2005 11:18:27 (GMT)
Detected by All Sophos products

More Information

W32/Nopir-C is a worm for the Windows platform that attempts to delete certain files from the infected system.

W32/Nopir-C spreads via file sharing on P2P networks.

When first run, W32/Nopir-C displays an anti-piracy image and attempts to delete files with any of the following extensions:

AVI
MP3
MPEG
MPG
RAR

When first run, W32/Nopir-C may copy itself to the following locations:

C:\Program Files\KaZaA\My Shared Folder\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe
C:\Program Files\Outlook Express.sav\outlookrem.exe
C:\Program Files\emule\Incoming\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe
C:\Program Files\system prot\mmsete.exe
C:\Program Files\StreamCast\Morpheus\My Shared Folder\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe
C:\Program Files\Gnucleus\Downloads\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe

The worm creates the file "THE PUNISHMENT OF (WIN 32 NOPIR) !!!.txt." in the root folder of the C: drive. This file contains the following text:

THE ILLEGAL COPY IS AN ORGANIZED CRIME !!!

The following registry entries are created to run the worm on startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
sysmem
C:\Program Files\Outlook Express.sav\outlookrem.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
memory
C:\Program Files\Outlook Express.sav\outlookrem.exe

The following registry entries are set, so that the worm is run when files with extensions of BAT, COM, EXE, PIF and SCR are opened:

HKCR\VBEFile\Shell\Open\Command
(default)
C:\Program Files\Outlook Express.sav\outlookrem.exe

HKCR\VBSFile\Shell\Open\Command
(default)
C:\Program Files\Outlook Express.sav\outlookrem.exe

HKCR\batfile\shell\open\command
(default)
C:\Program Files\Outlook Express.sav\outlookrem.exe

HKCR\cmdfile\shell\open\command
(default)
C:\Program Files\Outlook Express.sav\outlookrem.exe

HKCR\exefile\shell\open\command
(default)
C:\Program Files\Outlook Express.sav\outlookrem.exe

HKCR\inffile\shell\open\command
(default)
C:\Program Files\Outlook Express.sav\outlookrem.exe

HKCR\piffile\shell\open\command
(default)
C:\Program Files\Outlook Express.sav\outlookrem.exe

HKCR\regfile\shell\open\command
(default)
C:\Program Files\Outlook Express.sav\outlookrem.exe

HKCR\scrfile\shell\open\command
(default)
C:\Program Files\Outlook Express.sav\outlookrem.exe

The following registry entries are set, disabling the registry editor (regedit) and the Windows task manager (taskmgr):

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableTaskMgr
1

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System
DisableRegistryTools
1

The following registry entry is set:

HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer
NoControlPanel
1
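The registry and file artifacts listed above can be checked on a suspect host without changing anything. The script below is an added example written for this page, not Sophos code or tooling; it assumes the registry keys, value names and file paths exactly as the description gives them, and that it runs in an elevated PowerShell session on the host under examination.

```powershell
# Read-only audit for the W32/Nopir-C artifacts described on this page (added example,
# not Sophos code). Assumes the paths and value names exactly as listed above.
# It only reports; removal and handler repair are left to the anti-virus product.

$WormImage = 'C:\Program Files\Outlook Express.sav\outlookrem.exe'
$Findings  = New-Object System.Collections.Generic.List[string]

# 1. Run-key persistence: the page lists two value names pointing at the same image.
$RunKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
foreach ($Name in 'sysmem', 'memory') {
    $Value = (Get-ItemProperty -Path $RunKey -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($Value) { $Findings.Add("Run value '$Name' = $Value") }
}

# 2. File-type handler hijack: read the (default) command of each ProgID the page lists.
#    A clean handler passes the opened file through as "%1"; a command that names the
#    worm image, or that has lost "%1" altogether, is reported for review.
$ProgIds = 'VBEFile','VBSFile','batfile','cmdfile','exefile','inffile','piffile','regfile','scrfile'
foreach ($ProgId in $ProgIds) {
    $CmdKey = Get-Item -Path "Registry::HKEY_CLASSES_ROOT\$ProgId\shell\open\command" -ErrorAction SilentlyContinue
    if (-not $CmdKey) { continue }
    # Read the default value without expanding environment strings, so we see the raw command.
    $Command = $CmdKey.GetValue('', $null, 'DoNotExpandEnvironmentNames')
    if (-not $Command) { continue }
    if ($Command -like '*outlookrem.exe*') {
        $Findings.Add("Handler $ProgId runs the worm image: $Command")
    } elseif ($Command -notlike '*%1*') {
        $Findings.Add("Handler $ProgId does not pass the file through (no %1): $Command")
    }
}

# 3. Policy values the worm sets to lock the user out of regedit, taskmgr and Control Panel.
$PolicyChecks = @(
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableTaskMgr' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System';   Name = 'DisableRegistryTools' },
    @{ Key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'; Name = 'NoControlPanel' }
)
foreach ($Check in $PolicyChecks) {
    $Value = (Get-ItemProperty -Path $Check.Key -Name $Check.Name -ErrorAction SilentlyContinue).($Check.Name)
    if ($Value -eq 1) { $Findings.Add("Policy $($Check.Name) = 1 under $($Check.Key)") }
}

# 4. Dropped files and P2P share copies, exactly as the page lists them.
$DroppedFiles = @(
    'C:\THE PUNISHMENT OF (WIN 32 NOPIR) !!!.txt',
    $WormImage,
    'C:\Program Files\system prot\mmsete.exe',
    'C:\Program Files\KaZaA\My Shared Folder\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe',
    'C:\Program Files\emule\Incoming\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe',
    'C:\Program Files\StreamCast\Morpheus\My Shared Folder\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe',
    'C:\Program Files\Gnucleus\Downloads\CloneDVD.v2.8.2.1.Cracked-RES.by.Grease.exe'
)
foreach ($Path in $DroppedFiles) {
    # -LiteralPath so the brackets and punctuation in the names are not treated as wildcards.
    if (Test-Path -LiteralPath $Path) { $Findings.Add("File present: $Path") }
}

if ($Findings.Count -eq 0) { 'No W32/Nopir-C artifacts found.' } else { $Findings }
```

The handler check matters for clean-up as well as detection: once the exefile, batfile and similar (default) commands point at outlookrem.exe, every program launch goes through the worm, so deleting the image before restoring those commands leaves the machine unable to open .exe or .bat files. Repair the handlers (or let the anti-virus product do so) before removing the file.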
