Worm:MSIL/Nuqelg is a self-replicating malware family written in .NET that spreads through removable drives, network shares, and social engineering tactics. First observed in the wild around 2019, this worm represents a persistent threat to Windows systems, particularly in environments where USB drives are frequently shared or network security controls are minimal. Once established, Nuqelg variants create multiple copies of themselves across accessible storage devices while attempting to disable security software and establish backdoor access for additional payload delivery.
What makes this worm particularly troublesome for home users and small businesses is its ability to propagate silently across multiple machines through shared resources. Many victims discover the infection only after noticing suspicious files appearing on USB drives or experiencing degraded system performance. The worm's .NET-based architecture allows it to run on any Windows system with the .NET Framework installed—which includes virtually all Windows 7 through Windows 11 machines.
Threat Profile
| Attribute | Details |
|---|---|
| Malware Family | Worm:MSIL/Nuqelg (self-replicating network worm) |
| Known Aliases | MSIL/Nuqelg, W32.Nuqelg, Worm.Win32.Nuqelg, MSIL.Nuqelg.A |
| Target Platform | Windows XP through Windows 11 (requires .NET Framework 2.0 or higher) |
| First Observed | Circa 2019 (family continues to evolve with new variants) |
| Primary Distribution | Removable media (USB drives), network shares, email attachments, infected software bundles |
| Persistence Mechanism | Registry Run keys, autorun.inf files on removable media, scheduled tasks, startup folder shortcuts |
| Core Capabilities | Self-replication, security software disablement, backdoor installation, USB drive infection, network share propagation, keylogging (some variants) |
| Typical File Locations | %APPDATA%\[random], %LOCALAPPDATA%\[random], root directories of removable drives, Windows\System32 (if privileges obtained) |
| Network Behavior | Attempts outbound connections to command-and-control servers (C2) for instruction retrieval and payload downloads; scans local network for writable shares |
| Common File Artifacts | autorun.inf, [random].exe (typically 100-400KB), desktop.ini modifications, hidden system folders on USB drives |
| Removal Difficulty | Moderate to High—requires cleaning all infected removable media and network-accessible machines to prevent re-infection |
| Data Theft Risk | Moderate—variants may include information-stealing modules targeting browser credentials and system information |
How It Spreads
Worm:MSIL/Nuqelg employs multiple propagation vectors, making it particularly effective in environments where digital hygiene practices are inconsistent. The most common infection pathway begins when a user inserts an infected USB drive or accesses a compromised network share. The worm exploits Windows' autorun functionality—or users' tendency to click on unfamiliar files—to execute itself when the drive is accessed. Once running, it immediately begins surveying the system for other removable drives and network locations it can infect.
Unlike trojans that require distinct social engineering for each infection, worms like Nuqelg are self-sufficient propagators. After the initial compromise, the malware operates autonomously, creating copies of itself and the necessary autorun configuration files on every accessible storage location. This makes containment challenging in office environments where employees share USB drives or access common network folders. A single infected machine can compromise dozens of storage devices and network shares within hours.
Nuqelg uses several propagation vectors, listed here from the most common to the least; the later ones come into play when the removable-media route alone is not enough:
- Infected USB drives and external storage — The primary vector; the worm creates hidden copies of itself on removable media along with autorun.inf files configured to launch the malware when the drive is accessed
- Network share exploitation — Scans the local network for writable shared folders and copies itself to accessible locations, often disguising executables with double extensions (document.pdf.exe) or folder icons
- Email attachments from compromised accounts — Some variants harvest email contacts and send themselves as attachments using stolen credentials from infected systems
- Software bundles and pirated applications — Occasionally bundled with keygen tools, game cracks, or free software from unofficial download sites
- Exploit kit infections — Less commonly, delivered as a secondary payload by browser exploit kits targeting outdated plugins (Flash, Java, older browsers)
- Social media and messaging links — Variants that achieve credential theft may spread through compromised social media or instant messaging accounts
What It Does On Your Machine
Upon execution, Worm:MSIL/Nuqelg immediately establishes persistence and begins its replication routine. The malware typically copies itself to hidden directories in the user profile—often using randomly generated folder names or GUIDs to avoid detection. It creates registry entries in the Run and RunOnce keys to ensure execution at every system startup, and may additionally create scheduled tasks as a backup persistence mechanism. Some variants also place shortcuts in the Startup folder, giving the worm multiple paths to resurrection even if one persistence method is removed.
The worm then conducts surveillance of the system's storage landscape. It enumerates all drive letters, looking for removable media, and scans network neighborhood resources for writable shares. When it identifies a target location, it copies its executable to that location—often to the root directory—and creates an autorun.inf file configured to launch the worm when the drive is accessed. On modern Windows systems where autorun is disabled by default, the worm relies on social engineering: it may hide legitimate folders and replace them with executables bearing folder icons and identical names, tricking users into launching the malware when they attempt to access their files.
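The three on-disk artifacts described above (an autorun.inf that launches an executable, double-extension names such as document.pdf.exe, and an executable named after a folder it sits beside) are all things a defender can check for offline. The following Python script is an added example, not code from the original article: it walks a drive root, parses autorun.inf for the open=, shellexecute= and shell\...\command= keys that Windows would act on, and reports the two name-based disguises. The sample tree it builds is constructed for the demonstration and contains placeholder bytes only; the hidden attribute is not checked because that is only readable on Windows, so the name pairing alone is used. Pointed at a real drive root it produces a review list, not a verdict.

```python
"""Offline triage of a removable-drive tree for worm-style artifacts (added example)."""
from __future__ import annotations

import configparser
import os
import tempfile
from pathlib import Path

# Extensions Windows executes on double-click; the disguises rely on one of these
# being hidden behind a folder icon or an innocent-looking inner extension.
EXEC_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd", ".vbs", ".js")
# Inner extensions typically used in double-extension names (document.pdf.exe).
DOC_EXT = (".pdf", ".doc", ".docx", ".xls", ".xlsx", ".jpg", ".png", ".txt", ".mp3")


def autorun_launch_targets(text: str) -> list[str]:
    """Return every command an autorun.inf would run: the open= and shellexecute=
    keys plus any shell\\<verb>\\command= key. Section and key case is ignored."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, allow_no_value=True)
    cp.optionxform = str.lower
    try:
        cp.read_string(text)
    except configparser.Error:
        return []  # not a parsable INF file; nothing to report from it
    targets: list[str] = []
    for section in cp.sections():
        if section.lower() != "autorun":
            continue
        for key, value in cp.items(section):
            if not value:
                continue
            launches = key in ("open", "shellexecute") or (
                key.startswith("shell") and key.endswith("command"))
            if launches:
                targets.append(value.strip())
    return targets


def triage_drive(root: Path) -> dict[str, list[str]]:
    """Walk a drive root and collect the three artifact patterns.
    Paths are reported relative to the root so output is stable across machines."""
    findings: dict[str, list[str]] = {
        "autorun_launch": [], "double_extension": [], "folder_impostor": []}
    # FAT volumes are case-insensitive, so match autorun.inf by lower-cased name.
    for entry in root.iterdir():
        if entry.is_file() and entry.name.lower() == "autorun.inf":
            findings["autorun_launch"] = autorun_launch_targets(
                entry.read_text(errors="ignore"))
    for dirpath, dirnames, filenames in os.walk(root):
        here = Path(dirpath)
        sibling_dirs = {d.lower() for d in dirnames}
        for name in filenames:
            p = Path(name)
            suffixes = [s.lower() for s in p.suffixes]
            if not suffixes or suffixes[-1] not in EXEC_EXT:
                continue
            rel = str((here / name).relative_to(root))
            if len(suffixes) >= 2 and suffixes[-2] in DOC_EXT:
                findings["double_extension"].append(rel)
            # Photos.exe beside a folder called Photos: the real folder is usually
            # hidden by the worm, but the name pairing is enough to flag it.
            if p.stem.lower() in sibling_dirs:
                findings["folder_impostor"].append(rel)
    return findings


def build_sample_drive() -> Path:
    """Constructed stand-in for an infected USB root (placeholder bytes, no real malware)."""
    root = Path(tempfile.mkdtemp(prefix="usb_sample_"))
    (root / "autorun.inf").write_text(
        "[autorun]\n"
        "open=RECYCLER\\update.exe\n"
        "icon=%SystemRoot%\\system32\\shell32.dll,4\n"
        "action=Open folder to view files\n")
    (root / "Photos").mkdir()
    (root / "Photos" / "holiday.jpg").write_bytes(b"placeholder, not a real image")
    (root / "Photos.exe").write_bytes(b"MZ placeholder, not a real executable")
    (root / "invoice.pdf.exe").write_bytes(b"MZ placeholder, not a real executable")
    (root / "notes.txt").write_text("harmless text file")
    return root


if __name__ == "__main__":
    sample = build_sample_drive()
    for kind, hits in triage_drive(sample).items():
        print(f"{kind}: {hits}")
```

On the constructed tree the script reports the autorun target RECYCLER\update.exe, invoice.pdf.exe as a double-extension name, and Photos.exe as a folder impostor, while notes.txt and the real Photos folder are left alone. Running it on every removable drive before reinserting it into a cleaned machine is a cheap way to back up the "clean all removable media" step with something repeatable.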
Beyond self-replication, Nuqelg variants typically include a backdoor component that attempts to establish command-and-control communications. The malware contacts remote servers to register the infected system and await further instructions. This communication channel enables attackers to deploy additional payloads, which may include information stealers targeting browser credentials and cryptocurrency wallets, remote access tools (RATs), or ransomware. Some variants include built-in keylogging functionality that captures keystrokes and periodically exfiltrates the data to attacker-controlled servers.
Nuqelg also actively interferes with security software. The worm attempts to terminate processes associated with antivirus programs and may modify Windows Defender settings to exclude its directories from scanning. On systems where it achieves elevated privileges, it may disable Windows Update to prevent security patches from closing the vulnerabilities it exploits. Users often notice system slowdowns, excessive disk activity, and unusual network traffic as the worm performs its various operations in the background.
Manual Removal — Step by Step
Disconnect from Network and Remove External Media
Before beginning removal, disconnect the Ethernet cable or disable Wi-Fi to prevent the worm from spreading to other network machines or receiving commands from its control server. Remove all USB drives, external hard drives, and any other removable media—these need to be scanned separately after cleaning the main system. Do not reinsert these drives into any computer until they've been verified clean.
Boot into Safe Mode with Networking
Restart the computer and enter Safe Mode with Networking (press F8 during boot on older systems, or use Settings > Update & Security > Recovery > Advanced Startup on Windows 10/11). Safe Mode loads only essential drivers and services, preventing most malware—including Nuqelg—from launching at startup. This gives you a clean environment to work in. The "with Networking" option allows you to download tools if needed.
Show Hidden Files and System Files
Open File Explorer, click View, then Options. In the Folder Options window, select the View tab. Enable "Show hidden files, folders, and drives" and disable "Hide protected operating system files." Click Apply. This allows you to see the hidden directories and autorun files the worm creates. You'll need this visibility to locate all malware components.
Identify and Terminate Malicious Processes
Open Task Manager (Ctrl+Shift+Esc) and examine running processes. Look for suspicious executables with generic system names (like "svchost.exe" or "winlogon.exe") running from unusual locations—particularly user profile directories like AppData or LocalAppData. Legitimate Windows processes run from System32, not user folders. Right-click suspicious processes, select "Open file location" to verify, then end the process. Note the file path for later deletion.
Remove Registry Persistence Entries
Press Windows+R, type "regedit" and press Enter. Navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run. Look for entries with suspicious names or paths pointing to user directories. Common disguises include "System," "Windows Defender Update," or randomly generated names. Right-click and delete any entries pointing to the malware executables you identified. Also check the RunOnce keys in the same locations.
Check Scheduled Tasks
Open Task Scheduler (type "taskschd.msc" in the Run dialog). Expand Task Scheduler Library and look through Microsoft > Windows folders for tasks with suspicious names or those that trigger executables from user directories. Nuqelg often creates tasks disguised as system maintenance operations. Right-click and delete any malicious tasks. Pay special attention to tasks in the SystemRestore or Windows Defender folders with unfamiliar names.
Delete Malware Files and Folders
Navigate to the file locations you identified earlier (typically in %APPDATA% or %LOCALAPPDATA%). Delete the entire folder containing the malware executable. If you encounter "file in use" errors, the process may have restarted—return to Task Manager and end it again. Also check C:\ProgramData for hidden folders with random names. Be thorough: the worm often creates multiple copies in different locations as a survival mechanism.
Scan with Malwarebytes or Similar Tool
Download and install Malwarebytes (or another reputable anti-malware tool like ESET Online Scanner). Run a full system scan to catch any components you might have missed and to identify any additional payloads the worm may have downloaded. Worm:MSIL/Nuqelg often serves as a delivery mechanism for other malware. Quarantine or delete all detected threats. This scan also helps identify whether the infection has spread to other areas of the system.
Clean All Removable Media
Insert USB drives and external hard drives one at a time (with the system still in Safe Mode) and scan each with your anti-malware tool. Delete any autorun.inf files and suspicious executables from the root directories. Look for hidden folders and executables disguised as folders. Some users prefer to format removable drives entirely if they don't contain critical data—this is the most reliable way to ensure the worm is eliminated. Never skip this step: reinfection from an uncleaned USB drive is extremely common.
Change Important Passwords
If the system was infected for any significant period, assume that credentials may have been compromised. After cleaning the malware and restarting into normal mode, change passwords for email accounts, online banking, and any other sensitive services—particularly those you accessed from the infected computer. Use a different, verified-clean device for the most critical accounts if possible.
Restart and Verify
Restart the computer normally and monitor behavior. Check Task Manager for suspicious processes, verify that your security software is running properly, and reconnect to the network only when you're confident the system is clean. Run another quick scan with your anti-malware tool. If any symptoms persist—unexpected processes, unusual network activity, or the reappearance of malware files—the infection may not be fully removed and professional help is recommended.
Prevention
- Disable AutoRun for removable media. Open Group Policy Editor (gpedit.msc) and navigate to Computer Configuration > Administrative Templates > Windows Components > AutoPlay Policies. Enable "Turn off AutoPlay" and set it to apply to all drives. This prevents the worm's primary propagation mechanism from functioning automatically.
- Scan all USB drives before use. Configure your antivirus to automatically scan removable media when inserted, or manually right-click and scan any external drive before opening files. Treat all USB drives as potentially infected, especially those that have been used in multiple computers or public locations.
- Restrict network share permissions. Audit your network shares and ensure write permissions are granted only to users and systems that absolutely need them. Many worm infections spread because of overly permissive "Everyone: Full Control" share settings on home or small office networks.
- Keep Windows and security software updated. Enable automatic updates for both Windows and your antivirus program. Security patches frequently close vulnerabilities that worms exploit, and updated malware definitions help your security software recognize new variants before they can establish themselves.
- Use standard user accounts for daily work. Avoid using administrator accounts for routine tasks like web browsing and document work. Malware that infects a standard user account has limited ability to modify system-wide settings or access other user profiles, containing the damage.
- Configure Windows Defender or third-party antivirus to scan scripts and executables. Enable real-time protection and ensure it's configured to scan downloaded files and email attachments. Configure your antivirus to quarantine or block suspicious files rather than simply warning about them—many users click through warnings without reading them.
- Be skeptical of files on removable media. If you insert a USB drive and see unexpected files, especially executables with folder icons or files named after system processes, do not open them. Safely eject the drive and scan it on an isolated system with updated security software before accessing the contents.
- Implement the principle of least privilege. In business environments, use Group Policy to restrict users' ability to write to system directories, modify registry keys, or disable security software. These restrictions prevent malware from establishing deep persistence even if it achieves initial execution.
When Computer Repair Roswell removes Worm:MSIL/Nuqelg from your system, the job's done right. If the same infection returns within 90 days, we'll re-clean your machine at no additional charge. We also clean all your external drives and USB devices to prevent reinfection—something many shops skip. Your system leaves our shop verified clean and protected.
Bring It In
Worm infections like Nuqelg are particularly frustrating because they rarely travel alone. By the time you discover the infection, the worm may have been operating for days or weeks, potentially downloading additional malware or spreading to other systems on your network. Manual removal is possible for technically proficient users, but it's time-consuming and error-prone—miss a single persistence mechanism or infected USB drive, and the worm returns within hours. Even worse, attempting removal without proper tools can sometimes trigger defensive mechanisms that make the infection harder to clean.
Computer Repair Roswell handles worm infections routinely, and we have the tools and experience to ensure complete removal. We don't just clean your primary computer—we scan and remediate all your external drives, verify network shares are clean, and check other systems on your network that may have been compromised. We'll also address any secondary infections the worm brought along and restore system settings that malware modified. Call us at (770) 679-4960 or stop by our shop at 1635 Hembree Road, Suite 100, Roswell, GA 30076. We'll eliminate the infection and help you implement the safeguards that prevent it from coming back.