This worm uses a set of batch files, a few utility programs, and a trojan to spread. It simply copies a set of many different files to target systems and remotely executes a batch file on each system to spread further. The worm scans for IP addresses to infect, copies over the various files, and runs again.

It does not contain a damaging payload. The worm is intended to capture typed keystrokes and send email to a configured address. However, some samples received by AVERT have a key program (PCGhost) replaced with the NVidia Desktop Manager application (nView Desktop Manager). In that case the worm can continue to propagate, spreading this innocent file along the way.

PCGhost is a "Potentially Unwanted Program" that monitors system usage, including typed keystrokes, logs this information to a file, and can send the information to a defined email address.
The following files are associated with this worm.

10.BAT Runs HFind.exe, calls other BAT files
hack.bat Attempts to copy all other files to remote share (admin$\system32) and remotely execute START.BAT
HFind.exe IPCScan trojan
ipc.bat Loops through IP list and calls HACK.BAT
IPCPass.txt Temp file
MUMA.BAT Creates log file and runs NWIZ.EXE
NEAR.BAT Creates temp file and calls 10.bat
NWIZe.EXE NVidia Desktop Manager application [Some samples contain the PCGhost application]
NWIZe.INI NWIZe.exe config file
NWIZe.IN_ NWIZe.exe config file
pcMsg.dll PCGhost application file
PSEXEC.EXE Remote Process Launch application
RANDOM.BAT Creates random numbers, used for IP addresses to ping
rep.EXE String replace application
replace.bat Calls rep.exe with parameters
START.BAT Main program that calls other BAT files
tihuan.txt Work file
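
The file list above can be turned into a simple triage check for a directory such as system32. The following is an added example, not part of the original description: the split into worm-specific names and ordinary utilities follows the descriptions in the list, while the threshold MIN_SPECIFIC and the helper names are assumptions made for illustration.

```python
import os
import tempfile

# File names taken from the list above; compared case-insensitively because
# Windows file systems ignore case.
WORM_SPECIFIC = {"10.bat", "hack.bat", "hfind.exe", "ipc.bat", "ipcpass.txt",
                 "muma.bat", "near.bat", "pcmsg.dll", "random.bat",
                 "replace.bat", "start.bat", "tihuan.txt"}
# Utilities the list describes as ordinary programs in their own right;
# one of these alone is not evidence of the worm.
UTILITIES = {"psexec.exe", "rep.exe", "nwize.exe", "nwize.ini", "nwize.in_"}

MIN_SPECIFIC = 3  # assumption: triage threshold, not a vendor value


def triage(directory):
    """Return (verdict, worm_specific_hits, utility_hits) for one directory."""
    names = {e.name.lower() for e in os.scandir(directory) if e.is_file()}
    specific = sorted(names & WORM_SPECIFIC)
    utils = sorted(names & UTILITIES)
    if len(specific) >= MIN_SPECIFIC:
        verdict = "likely-infected"
    elif specific or utils:
        verdict = "review"   # some overlap, needs a closer look
    else:
        verdict = "clean"
    return verdict, specific, utils


def make_sample_dir(file_names):
    """Build a constructed sample directory of empty files for the demo."""
    d = tempfile.mkdtemp()
    for n in file_names:
        open(os.path.join(d, n), "w").close()
    return d


if __name__ == "__main__":
    # Constructed samples: a host with PsExec only, and a host that
    # received part of the worm's file set.
    admin_host = make_sample_dir(["PSEXEC.EXE", "notepad.exe"])
    infected = make_sample_dir(["START.BAT", "hack.bat", "ipc.bat",
                                "HFind.exe", "PSEXEC.EXE"])
    print(triage(admin_host))
    print(triage(infected))
```

A host that only has PSEXEC.EXE or the NVidia files is reported as "review" rather than "likely-infected", since the description notes these are legitimate programs the worm carries along.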