Worm.Win32.NeKav.a is a blackmailer program: it extorts money from the user, interferes with normal work and accesses removable drives without authorization. Worm.Win32.NeKav.a is a Windows dynamic-link library (PE DLL file), 129536 bytes in size, written in Delphi.
Worm.Win32.NeKav.a displays a message claiming that malicious software has been detected on the computer. The message demands that the user send a message containing a specific code to the number given in it; doing so will supposedly allow the user to continue working and to clean the system of viruses and Trojans.
Malware installation into the system
Worm.Win32.NeKav.a can install itself both under an administrator’s account and under a limited account.
1. Installation of malware under an administrator account
The malware performs the following actions:
- Selects a random file in the following folders:
- Copies itself into an alternate NTFS data stream of the selected file
- If for some reason the malware fails to copy itself into an NTFS stream of the selected file, it copies itself into the folder %windir%\system32 under a random name
- To start automatically at system startup, it writes itself into the system registry:
- [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Windows] under the name "AppInit_Dlls"="<PATH_TO_MALICIOUS_DLL>"
- This causes the malicious library to be loaded into every process that uses the system library user32.dll
- To start working immediately, it restarts the system process ctfmon.exe
2. Installation of malware under a limited account
The malware performs the following actions:
- Copies itself under a random name into the %Temp% directory and creates a .bat file in the same folder with the following content:
- rundll32.exe <PATH_TO_MALICIOUS_DLL>,Open
- To start automatically when the user logs on, it writes itself into the registry key:
- [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows] under the name "load"="<PATH_TO_BAT-FILE>"
- The copied DLL file and the .bat file are encrypted with EFS (Encrypting File System)
The malware copies its body onto every writable removable drive connected to the infected computer. The copy is created under the following name:
So that the malware is loaded each time the user opens an infected removable drive in Explorer, it places the following file alongside its executable file:
- <name_of_the_infected_removable_drive>:\autorun.inf, which contains the installation command rundll32.exe <PATH_TO_MALICIOUS_DLL>, Install
The files are created with the hidden attribute.
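As an added example (not Kaspersky's code or tooling), the following Python triage helper checks the two registry persistence values and an autorun.inf for the rundll32 installation command described above. It takes the registry values as a dictionary and the autorun.inf as text so that it runs offline; the file names in the sample data are constructed placeholders, not real indicators.

```python
import configparser
import re

# Registry values the description names as the malware's persistence points.
# Keys are written as "HIVE\path\value" because this example takes an exported
# dictionary rather than reading the live registry (assumption, to run offline).
APPINIT_DLLS = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs"
HKCU_LOAD = r"HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows\load"

# rundll32.exe <dll>,<export>  (the description shows ",Open" and ", Install")
RUNDLL32_RE = re.compile(r"rundll32(?:\.exe)?\s+(?P<dll>[^,]+?)\s*,\s*(?P<export>\w+)",
                         re.IGNORECASE)


def check_registry(values):
    """Return (value_path, data) for each persistence value that is non-empty.

    On a clean host AppInit_DLLs is empty and the HKCU 'load' value is absent,
    so any non-empty data deserves a look; a DLL in AppInit_DLLs or a .bat
    in 'load' matches the installation steps described above.
    """
    hits = []
    for path in (APPINIT_DLLS, HKCU_LOAD):
        data = (values.get(path) or "").strip()
        if data:
            hits.append((path, data))
    return hits


def check_autorun_inf(text):
    """Return (key, dll, export) for every autorun.inf entry that runs rundll32."""
    parser = configparser.ConfigParser(strict=False, interpolation=None,
                                       allow_no_value=True)
    parser.read_string(text)
    hits = []
    for section in parser.sections():
        if section.lower() != "autorun":  # section name may be [autorun] or [AutoRun]
            continue
        for key, value in parser.items(section):
            match = RUNDLL32_RE.search(value or "")
            if match:
                hits.append((key, match.group("dll").strip(), match.group("export")))
    return hits


# Constructed sample data: file names are placeholders, not real indicators.
SAMPLE_REGISTRY = {
    APPINIT_DLLS: r"C:\WINDOWS\system32\qwvbnm.dll",
    HKCU_LOAD: r"C:\Documents and Settings\user\Local Settings\Temp\kjhg.bat",
}
SAMPLE_AUTORUN_INF = "[AutoRun]\nopen=rundll32.exe qwvbnm.dll, Install\nicon=drive.ico\n"

if __name__ == "__main__":
    for hit in check_registry(SAMPLE_REGISTRY) + check_autorun_inf(SAMPLE_AUTORUN_INF):
        print("suspicious:", hit)
```

On a live Windows host the dictionary would be filled from the two registry values and the text read from the root of each removable drive; a non-empty AppInit_DLLs value alone is not proof of this worm, but it is rare enough on workstations to justify checking the referenced file.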
Signs of infection:
After the computer is infected, a large message is displayed on the screen stating "Internet Security detected malware on your computer" (sometimes the name "eKav Antivirus" is used instead of "Internet Security").
The malware then performs the following actions:
- The Registry Editor, Task Manager and system recovery are blocked
- Launching installed anti-virus programs is blocked via group policies
- All windows and processes whose titles contain the following words are closed or terminated:
- Internet Security
- Total Commander
- PC Tools
- Quick Heal
- Security parameters
- Process Viewer
- Process Monitor
- Process Explorer
- Command prompt
- Auto Update
- Registry editor
- Download Master
- Computer management
- G Data
- group policy
- The malware removes, and prevents the re-creation of, files that belong to anti-virus programs:
- With the names:
- etc.
- With the extensions:
Recommendations on how to remove the malware
If your computer was not protected by anti-virus software and is now infected with Worm.Win32.NeKav.a, perform the following actions to remove the malicious program:
- Use Kaspersky WindowsUnlocker. Kaspersky WindowsUnlocker is a free utility for fighting ransom malware. The utility can be launched when your computer is booted from Kaspersky Rescue Disk. WindowsUnlocker disinfects the registry (including user registry files) of all operating systems installed on the computer.
- Once the banner is removed, Kaspersky Lab specialists recommend scanning your computer for viruses, for example with the free utility Kaspersky Virus Removal Tool.
- To prevent future infections, install an antivirus solution with real-time protection, for example a Kaspersky Lab product. If you do not have a valid license for your Kaspersky Lab product, you can activate a 30-day trial version of the product.