Concrete signature match: Worm - Self-replicating malware for 32-bit Windows platform, family Nuqel
Worm:Win32/Nuqel!pz is a malicious worm that masquerades as a rogue antivirus program (scareware). It establishes persistence, hijacks network traffic to block websites, and attempts to deceive users into purchasing the fake software by displaying bogus infection alerts.
Relevant strings associated with this threat (signature string type in parentheses):
- \regsvr.exe (FILEPATH)
- /yBAfPOWn= (SNID)
- /@:mC (SNID)
- %s/activate.php?email=%s&code=%s (PEHSTR)
- ./AvScan.conf (PEHSTR)
- #virustriggerbinwarning.warningbho.1 (PEHSTR)
- Software\AvScan (PEHSTR)
- \runonce\virustriggerbin (PEHSTR)
- Software\AvScan (PEHSTR_EXT)
- proxylsp.dll (PEHSTR_EXT)
- %s/block.php?r=%s (PEHSTR_EXT)
- %s/purchase?r=%s (PEHSTR_EXT)
- /activate.php?email= (PEHSTR_EXT)
- /scan (PEHSTR_EXT)
- avsuite.exe (PEHSTR_EXT)
- htmlayout.dll (PEHSTR_EXT)
- avsoft.exe (PEHSTR_EXT)
- Software\avs (PEHSTR_EXT)
- downloads/common/script.s (PEHSTR_EXT)
- .text (PEHSTR_EXT)
- `.rdata (PEHSTR_EXT)
- @.data (PEHSTR_EXT)
- Software\ssuite (PEHSTR_EXT)
- !#HSTR:StringCodeForMshta.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.C!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.L!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.O!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRegsvr32.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRundll32.A!pli (PEHSTR_EXT)
- rundll32 (PEHSTR_EXT)
- !#HSTR:StringCodeForBITSJobs.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForPowerShell.G!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForScheduledTask.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForDataEncoding.D!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.J!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.K!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteFileCopy.B!pli (PEHSTR_EXT)
- !#HSTR:ExecutionGuardrails (PEHSTR_EXT)
- !#HSTR:StringCodeForFileDeletion.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForHooking.M!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForNetshHelperDLL.A!pli (PEHSTR_EXT)
- !#HSTR:StringCodeForRemoteServices.A!pli (PEHSTR_EXT)
Sample hash: b9a080abee88a25414636fbf878d39f9aee249524afe309dd606097b8d8edb00

Remediation: Isolate the infected machine from the network to prevent spread. Boot into safe mode and run a full scan with a reputable, up-to-date antivirus solution to remove the threat. Reset browser and network proxy settings, and change passwords for any accounts accessed from the machine.