First spotted in 2006, NUWAR malware spread across systems via mass mailing copies of itself as an attachment. Its worm variants contain its own Simple Mail Transfer Protocol (SMTP) engine to send email containing a copy if itself as an attachment. The messages are then sent to email addresses which the worm harvests from infected systems.
Later NUWAR malware are Trojans and rootkits that spread via spammed email messages. The spammed messages use fake news in its topics.
In 2007, STORM malware paired up with a NUWAR variant to create an endless loop of infection. The loop starts with a SMALL malware that downloads other files, among them a NUWAR worm. The NUWAR worm, in turn, drops the same SMALL malware that downloaded it. Hence, the endless loop.
NUWAR malware also are known to have rootkit capabilities, effectively hiding processes and files related to NUWAR. This routine makes detection and removal difficult.
Connects to URLs/IPs, Drops files
This worm drops the following file(s)/component(s):
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\ Windows\CurrentVersion\Run asam = "%Windows%\asam.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ Windows\CurrentVersion\Run asam = "%Windows%\asam.exe"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\SharedAccess\Parameters\ FirewallPolicy\StandardProfile\AuthorizedApplications\ List %Windows%\asam.exe = "%Windows%\asam.exe:Enabled:enable"
This worm connects to the following possibly malicious URL: