NEWS
PARASITES
SOFTWARE
FORUM
DIRECTORY

 
 
 
 
 
 
  

Remove I-Worm.Nihilit. Description and removal instructions

 
Title: I-Worm.Nihilit
Type: Worms
Severity scale:I-Worm.Nihilit severity is 57  (57 / 100)
 
Worm Nihilit was designed to infect Microsoft Word text documents. It also terminates several antivirus processes and can attack some web sites. The worm can be very dangerous, because steals all infected text documents, which can contain valuable information, by sending them to the FTP server of the author. The worm also can come in infected e-mails or spread using some Internet-related programs.

FORUM:
Discuss I-Worm.Nihilit in
spyware removal forum

I-Worm.Nihilit properties:
• Sends out logs by FTP or email
• Connects itself to the internet
• Hides from the user
• Stays resident in background

Automatic I-Worm.Nihilit removal:

remover for I-Worm.Nihilit

I-Worm.Nihilit manual removal:

Kill processes:
i-worm.nihilit.exe
HELP:
how to kill malicious processes

Delete files:
i-worm.nihilit.exe
HELP:
how to remove harmful files

Other programs to remove I-Worm.Nihilit:

• Malwarebytes Anti Malware - Review - Download
• Malwarebytes Anti Malware - Review - Download
• Windows Defender - Review - Download

Information added: 16/07/04
Information updated: 01/03/05

Additional resources related to I-Worm.Nihilit:

Attention: If you know or you have a website or page about I-Worm.Nihilit removal, feel free to add a link to this list: add url



more resources

Post Comment:

Attention: Use this form only if you have additional information about I-Worm.Nihilit parasite, its removal instructions, additional resources or behavior. By clicking "post comment" button you agree not to post any copyrighted, unlawful, harmful, threatening, abusive, harassing, defamatory, vulgar, obscene, profane, hateful, racially, ethnically or otherwise objectionable material of any kind.



Enter security code:


Comments from visitors:

1. re: comment about I-Worm.Nihilit by nihilit author. 2005-03-01 14:03:37
Details:

Installation

Upon execution, this non-memory resident worm drops the following file in the Windows folder:

NIHILIT.BAT - detected as BAT_NIHILIT.A, it contains the malware's propagation routine through Kazaa,Imesh, and IRC

(Note: The Windows folder is usually C:Windows or C:WINNT. )

The said dropped file also drops the file NIHILIT.VBS. To enable the malware's automatic execution at every system startup, it creates the following registry entry:

HKEY_LOCAL_MACHINESoftwareMicrosoft
WindowsCurrentVersionRun
Vbsfile = %Windows%Nihilit.vbs

(Note: %Windows% is the Windows folder.)

It also drops the following file in the current user’s Startup folder:

NIHILIT.JS - detected as JS_NIHILIT.A, it contains the malware's email propagation

It displays the following message boxes before terminating:

ERROR: The system cannot read from the specified drive

C:WINNTSystem32toejoe.exe

Email Propagation

When an infected system restarts, the file NIHILIT.JS is executed. It adds a shortcut link on the desktop using the following name:

Shortcut to notepad.lnk

This shortcut link points to a file named as MAILME.JS. However, the created link is rendered useless since the worm does not drop MAILME.JS.

Then, it attempts to propagate via Microsoft Outlook. Its email message contains the following details:

Subject:
• Check this!!!
• I like this story...
• Nihilit
• :]
Attached File: %Windows%Nihilit.exe

(Note: This routine fails since NIHILIT.EXE does not exist.)

Then, it displays the following message:

Windows Script Host

It also drops the following files:

* PAYLOAD.NEC - contains the debug file for creating the CDOPEN.SCR
* CDOPEN.SCR - detected as TROJ_NIHILIT.A

It displays the following message box:

Windows Script Host: Thanks to T2K Rest in peace, brotha

The file CDOPEN.SCR then runs and attempts to open and close the CDROM drive. However, due to bugs, it fails to perform its routines and is terminated.

After which, the file NIHILIT.BAT is run.

Peer-to-Peer propagation

This malware also spreads via peer-to-peer file-sharing networks. Its dropped file NIHILIT.BAT attempts to copy the file HIDEME.EXE in the Windows System folder to the following hardcoded paths:

* C:progra~1kazaamyshar~1
* %Windows%System32
* C:

It attempts to copy the file as the following in the C:progra~1kazaamyshar~1 folder:

* winzip_key_generator.exe
* 14_year_old_on_beach.exe
* 15_year_old_on_beach.exe
* 16_year_old_on_beach.exe
* brutal_preteen_porn_xxx.exe
* cat_attacks_child.exe
* caught_on_camera-man_hit_by_car-faces_of_death.exe
* chubby_girl_bukkake_gang_banged_sucking_cock.exe
* chubby_girl_fucked_from_all_angles_xxx.exe
* Cichosz_loves_you.exe
* cute_girl_giving_head.exe
* divx_codec_installer.exe
* evil_pranksters-light_church_on_fire.exe
* fetish_bondage_preteen_porno.exe
* illegal_porno-15_year_old_raped_by_two_men_on_boat.exe
* jenna_jameson_sex_scene_huge_dick_blowjob.exe
* jenna_jameson-built_for_speed.exe
* jenna_jameson-shower_scene.exe
* jenna_jameson-xxx_nurse_scene.exe
* kill_osama_bin_laden_game.exe
* Necronomikon_is_back.exe
* nikki_nova_sex_scene_huge_dick_blowjob.exe
* preteensex.avi.exe
* windows_xp_key_generator_and_cracker.exe

It attempts to copy any of the following files in the %Windows%System32 folder:

* [DiVX]_Harry_Potter_and_the_sorcerors_stone.exe
* [DiVX]_Lord_of_the_rings.exe
* AIM_Account_Hacker.exe
* AIM_Account_Stealer.exe
* AIM_Flooder.exe
* AIM_Password_Stealer.exe
* Britney_Spears_Nude_Cum.exe
* Christina_Agulera_Nude_Cum.exe
* Christina_Ricci_Nude_Cum.exe
* devin_in_elevator_sex.exe
* Hacking_Tool_Collection.exe
* hot_girl_on_the_beach_sucking_cock_and_fucking_guy.exe
* macromedia_dreamweaver_4.0.exe
* macromedia_flash_5.0.exe
* microsoft_.NET.exe
* microsoft_office_xp_cracked.exe
* microsoft_visual_studio 6.0.exe
* MSN_Flooder.exe
* MSN_Password_Hacker_and_Stealer.exe
* nuke_afghanistan_game.exe

It copies the file as the following in C::

Sexybabe.avi.pif

(Note: The malware fails to drop the file HIDEME.EXE and thus fails to propagate via this method.)

NIHILIT.BAT then drops the following files, detected as VBS_NIHILIT.E:

* NEC.VBS
* NIHILIT.BAS

IRC Propagation

NIHILIT.BAT contains codes that attempts to propagate this worm using IRC (Internet Relay Chat). It deletes the following file, before creating a new SCRIPT.INI file:

C:mircScript.ini

The new SCRIPT.INI file sends copies of the following the file to all users on the same IRC channel where the infected system is on:

c:Sexybabe.avi.pif

After all of its code has been executed, NIHILIT.BAT displays the following text strings on the DOS console:

I do it my way....
***Win32.Nihilit*** by Necronomikon/ZeroGravity
thx to SlageHammer for BetaTesting
Latest spyware news:
Similar parasites:
Latest Spyware Threats: VirusProtect Pro | VirusLocker | SpyCrush | ContraVirus | SpyLocked | SpyDawn | AntiVerminser | SpywareQuake | VirusBurst | AntiVermins | AntiVermeans | Zlob | PopCorn.net | MovieLand | TagASaurus | BraveSentry | VirusBurster | SystemDoctor | VirusRescue | MalwareWipe | SpySheriff | CmdService | Smitfraud | SpywareStrike | WinFixer | WinHound | PestTrap | UnSpyPC
Agreement of Use | Privacy policy | Webmasters | Contact us | RSS Feeds
© 2001-2008 2-spyware.com All Rights Reserved. Reproduction in part or whole without written permission is prohibited. Powered by: eSolutions.