Threat Encyclopedia

WORM_NUWAR


ALIASES:

Nuwar

PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

OVERALL RISK RATING:
DAMAGE POTENTIAL:
DISTRIBUTION POTENTIAL:
REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

OVERVIEW

Infection Channel:

Propagates via email, Infects files


First spotted in 2006, NUWAR malware spread across systems by mass-mailing copies of itself as an email attachment. Its worm variants contain their own Simple Mail Transfer Protocol (SMTP) engine, which they use to send email messages carrying a copy of the worm as an attachment. The messages are sent to email addresses that the worm harvests from infected systems.

Later NUWAR malware are Trojans and rootkits that spread via spammed email messages. The spammed messages use fake news headlines as their subjects.

In 2007, STORM malware paired up with a NUWAR variant to create an endless loop of infection. The loop starts with a SMALL malware that downloads other files, among them a NUWAR worm. The NUWAR worm, in turn, drops the same SMALL malware that downloaded it, closing the loop.

NUWAR malware is also known to have rootkit capabilities, effectively hiding processes and files related to NUWAR. This routine makes detection and removal difficult.

TECHNICAL DETAILS

Memory Resident:

Yes

Payload:

Connects to URLs/IPs, Drops files

Installation

This worm drops the following file(s)/component(s):

  • %System%\svcp.csv

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

  • %Windows%\asam.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
asam = "%Windows%\asam.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
asam = "%Windows%\asam.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%Windows%\asam.exe = "%Windows%\asam.exe:Enabled:enable"
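The dropped files, Run keys and firewall exception listed above can be checked on a suspect host with a short read-only triage script. The following PowerShell is an added example, not part of the Trend Micro write-up; it assumes PowerShell 3.0 or later, takes %Windows% from $env:SystemRoot and %System% as its System32 subfolder, and the function names (Test-NuwarFiles, Test-NuwarRunKeys, Test-NuwarFirewallException) are this example's own.

```powershell
# Added example (not from the Trend Micro write-up): read-only triage checks for the
# WORM_NUWAR artifacts named in the Installation and Autostart Technique sections.
# Assumes PowerShell 3.0+; nothing here deletes or modifies anything.

$ErrorActionPreference = 'SilentlyContinue'

# Expand %Windows% and %System% as the write-up defines them (assumption: System32).
$windir    = $env:SystemRoot                  # e.g. C:\Windows
$systemdir = Join-Path $windir 'System32'

# Dropped file and copy named on the page.
$droppedFiles = @(
    (Join-Path $windir    'asam.exe'),
    (Join-Path $systemdir 'svcp.csv')
)

# Autostart values named on the page: key path and value name.
$runKeys = @(
    @{ Path = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'; Name = 'asam' },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'; Name = 'asam' }
)

# Windows Firewall exception list the worm adds itself to.
$fwListKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List'

function Test-NuwarFiles {
    foreach ($f in $droppedFiles) {
        if (Test-Path -LiteralPath $f) {
            $fi = Get-Item -LiteralPath $f
            [pscustomobject]@{
                Artifact = 'File'
                Location = $f
                Detail   = "Size=$($fi.Length) LastWrite=$($fi.LastWriteTime)"
            }
        }
    }
}

function Test-NuwarRunKeys {
    foreach ($k in $runKeys) {
        # Get-ItemProperty returns $null (silently) when the value is absent.
        $item = Get-ItemProperty -Path $k.Path -Name $k.Name
        if ($item) {
            [pscustomobject]@{
                Artifact = 'RunKey'
                Location = "$($k.Path)\$($k.Name)"
                Detail   = $item.($k.Name)
            }
        }
    }
}

function Test-NuwarFirewallException {
    $item = Get-ItemProperty -Path $fwListKey
    if ($item) {
        # In this key the value NAME is the full path to the executable, so match on
        # property names; the Get-ItemProperty PS* metadata properties never match.
        foreach ($p in $item.PSObject.Properties) {
            if ($p.Name -like '*\asam.exe') {
                [pscustomobject]@{
                    Artifact = 'FirewallException'
                    Location = $fwListKey
                    Detail   = "$($p.Name) = $($p.Value)"
                }
            }
        }
    }
}

$findings = @(Test-NuwarFiles) + @(Test-NuwarRunKeys) + @(Test-NuwarFirewallException)
if ($findings.Count -eq 0) {
    Write-Output 'No WORM_NUWAR artifacts from the write-up were found.'
} else {
    $findings | Format-Table -AutoSize
}
```

Because the write-up states that NUWAR variants carry rootkit components that hide their files and processes, an empty result from a live system is not conclusive; the same file and registry checks are more reliable when run against the disk and hives from a clean boot environment.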

Other Details

This worm connects to the following possibly malicious URLs:

  • http://{BLOCKED}.{BLOCKED}.3.32/aff/cntr.php
  • http://{BLOCKED}.{BLOCKED}.127.114/{random characters}.htm
  • http://{BLOCKED}.{BLOCKED}.127.114/{random characters}.gif
  • http://{BLOCKED}.{BLOCKED}.127.114/{random characters}.jpg
