Remove I-Worm.Nihilit. Removal instructions
Severity scale: (57 / 100)
Worm Nihilit was designed to infect Microsoft Word text documents. It also terminates several antivirus processes and can attack some web sites. The worm can be very dangerous, because steals all infected text documents, which can contain valuable information, by sending them to the FTP server of the author. The worm also can come in infected e-mails or spread using some Internet-related programs.
I-Worm.Nihilit properties: • Sends out logs by FTP or email • Connects itself to the internet • Hides from the user • Stays resident in background
Automatic I-Worm.Nihilit removal:
We are testing STOPzilla's efficiency at removing I-Worm.Nihilit
(2005-03-01 16:40:26)
Malwarebytes Anti Malware
We are testing Malwarebytes Anti Malware's efficiency at removing I-Worm.Nihilit
(2005-03-01 16:40:26)
We are testing Spyware Doctor's efficiency at removing I-Worm.Nihilit
(2005-03-01 16:40:26)
I-Worm.Nihilit manual removal:
Kill processes: i-worm.nihilit.exe
Delete files:i-worm.nihilit.exe
Information added: 2004-07-16 23:32:30
Information updated: 2005-03-01 14:03:11
Additional resources related to I-Worm.Nihilit:
Attention: If you
know or you have a website or page about I-Worm.Nihilit removal, feel free
to add a link to this list: add
url
more resources
|
Latest spyware news:
Subscribe to news
Similar parasites:
|
Installation
Upon execution, this non-memory resident worm drops the following file in the Windows folder:
NIHILIT.BAT - detected as BAT_NIHILIT.A, it contains the malware's propagation routine through Kazaa,Imesh, and IRC
(Note: The Windows folder is usually C:Windows or C:WINNT. )
The said dropped file also drops the file NIHILIT.VBS. To enable the malware's automatic execution at every system startup, it creates the following registry entry:
HKEY_LOCAL_MACHINESoftwareMicrosoft
WindowsCurrentVersionRun
Vbsfile = %Windows%Nihilit.vbs
(Note: %Windows% is the Windows folder.)
It also drops the following file in the current user’s Startup folder:
NIHILIT.JS - detected as JS_NIHILIT.A, it contains the malware's email propagation
It displays the following message boxes before terminating:
ERROR: The system cannot read from the specified drive
C:WINNTSystem32 oejoe.exe
Email Propagation
When an infected system restarts, the file NIHILIT.JS is executed. It adds a shortcut link on the desktop using the following name:
Shortcut to notepad.lnk
This shortcut link points to a file named as MAILME.JS. However, the created link is rendered useless since the worm does not drop MAILME.JS.
Then, it attempts to propagate via Microsoft Outlook. Its email message contains the following details:
Subject:
• Check this!!!
• I like this story...
• Nihilit
• :]
Attached File: %Windows%Nihilit.exe
(Note: This routine fails since NIHILIT.EXE does not exist.)
Then, it displays the following message:
Windows Script Host
It also drops the following files:
* PAYLOAD.NEC - contains the debug file for creating the CDOPEN.SCR
* CDOPEN.SCR - detected as TROJ_NIHILIT.A
It displays the following message box:
Windows Script Host: Thanks to T2K Rest in peace, brotha
The file CDOPEN.SCR then runs and attempts to open and close the CDROM drive. However, due to bugs, it fails to perform its routines and is terminated.
After which, the file NIHILIT.BAT is run.
Peer-to-Peer propagation
This malware also spreads via peer-to-peer file-sharing networks. Its dropped file NIHILIT.BAT attempts to copy the file HIDEME.EXE in the Windows System folder to the following hardcoded paths:
* C:progra~1kazaamyshar~1
* %Windows%System32
* C:
It attempts to copy the file as the following in the C:progra~1kazaamyshar~1 folder:
* winzip_key_generator.exe
* 14_year_old_on_beach.exe
* 15_year_old_on_beach.exe
* 16_year_old_on_beach.exe
* brutal_preteen_porn_xxx.exe
* cat_attacks_child.exe
* caught_on_camera-man_hit_by_car-faces_of_death.exe
* chubby_girl_bukkake_gang_banged_sucking_cock.exe
* chubby_girl_fucked_from_all_angles_xxx.exe
* Cichosz_loves_you.exe
* cute_girl_giving_head.exe
* divx_codec_installer.exe
* evil_pranksters-light_church_on_fire.exe
* fetish_bondage_preteen_porno.exe
* illegal_porno-15_year_old_raped_by_two_men_on_boat.exe
* jenna_jameson_sex_scene_huge_dick_blowjob.exe
* jenna_jameson-built_for_speed.exe
* jenna_jameson-shower_scene.exe
* jenna_jameson-xxx_nurse_scene.exe
* kill_osama_bin_laden_game.exe
* Necronomikon_is_back.exe
* nikki_nova_sex_scene_huge_dick_blowjob.exe
* preteensex.avi.exe
* windows_xp_key_generator_and_cracker.exe
It attempts to copy any of the following files in the %Windows%System32 folder:
* [DiVX]_Harry_Potter_and_the_sorcerors_stone.exe
* [DiVX]_Lord_of_the_rings.exe
* AIM_Account_Hacker.exe
* AIM_Account_Stealer.exe
* AIM_Flooder.exe
* AIM_Password_Stealer.exe
* Britney_Spears_Nude_Cum.exe
* Christina_Agulera_Nude_Cum.exe
* Christina_Ricci_Nude_Cum.exe
* devin_in_elevator_sex.exe
* Hacking_Tool_Collection.exe
* hot_girl_on_the_beach_sucking_cock_and_fucking_guy.exe
* macromedia_dreamweaver_4.0.exe
* macromedia_flash_5.0.exe
* microsoft_.NET.exe
* microsoft_office_xp_cracked.exe
* microsoft_visual_studio 6.0.exe
* MSN_Flooder.exe
* MSN_Password_Hacker_and_Stealer.exe
* nuke_afghanistan_game.exe
It copies the file as the following in C::
Sexybabe.avi.pif
(Note: The malware fails to drop the file HIDEME.EXE and thus fails to propagate via this method.)
NIHILIT.BAT then drops the following files, detected as VBS_NIHILIT.E:
* NEC.VBS
* NIHILIT.BAS
IRC Propagation
NIHILIT.BAT contains codes that attempts to propagate this worm using IRC (Internet Relay Chat). It deletes the following file, before creating a new SCRIPT.INI file:
C:mircScript.ini
The new SCRIPT.INI file sends copies of the following the file to all users on the same IRC channel where the infected system is on:
c:Sexybabe.avi.pif
After all of its code has been executed, NIHILIT.BAT displays the following text strings on the DOS console:
I do it my way....
***Win32.Nihilit*** by Necronomikon/ZeroGravity
thx to SlageHammer for BetaTesting
Post Comment: