W32/Noia.a.2206

This page shows details and results of our analysis of the malware W32/Noia.a.2206

Overview

This virus will download and execute further malware.


Minimum DAT: 5153 (2007-10-31)

Updated DAT: 5153 (2007-10-31)

Minimum Engine: 5.1.00

File Length: Varies

Description Added: 2007-10-25

Description Modified: 2007-10-30


Characteristics

This virus will download and execute further malware.

It will download the following encrypted command file (which is decrypted by XORing each byte with 0x90):

  • http://www.we168.org/[removed]/b.txt

and saved to:

  • %SYSTEMDIR%\system.bak

The following malware will be retrieved using the URL contained in the previous file:

  • http://isa.31joy.coM/Images/Hide/[removed].exe

and saved and executed as:

  • %SYSTEMDIR%\dllcache\svchost.exe

%SYSTEMDIR%\system.bak will then be deleted.

(where %SYSTEMDIR% is the Windows system directory, e.g. c:\windows\system32)

Note:
At the time of writing, the previously mentioned downloaded executable file is detected as PWS-QQPass.


Symptoms

Presence of unexpected network connections to previously mentioned URLs.
Presence of previously mentioned files.

Method of Infection

The virus is appended to the end of innocent executable files.

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants