attachment
documents
backup
forwarded
details
The attachment will have one of the following extensions:
.scr
.scp.scq.scr
self nude.scr
my pic.scr
ASN.1 Library Buffer Overflow Vulnerability (MS04-007)
LSASS Buffer Overrun Vulnerability (MS04-011)
RPC/DCOM Vulnerability (MS03-026)
Perform a denial of service attack
Access an FTP server
Run as Web server
Unauthorized traffic on TCP port 8.
System Impact:
The Nugache worm creates a file named 'mstc.exe' in the Windows system directory. A second file, named 'ftncache.bin' will be created in the user's application data directory.
In order to run when Windows is started, the Nugache worm modifies the HKLM\..\Run key, adding the following value:
"Microsoft Domain Controller" = "%sysdir%\MSTC.EXE"
where %sysdir% is the path to the user's Window system directory.
Note: The exact name of the Windows directory and System directory may vary depending on the operating system. By default under Windows XP, this path will be C:\Windows\System32\.
Removal Notes:
Use up-to-date antivirus software to identify the worm's files. Either allow the antivirus software to delete these files, or they can be manually deleted. If opting for manual deletion, be sure to also remove the registry modifications made by the worm.
