WORM_NUWAR
Nuwar
Windows 2000, Windows XP, Windows Server 2003
Threat Type: Worm
Destructiveness: No
Encrypted:
In the wild: Yes
OVERVIEW
Propagates via email, Infects files
First spotted in 2006, NUWAR malware spread across systems by mass-mailing copies of itself as an attachment. Its worm variants contain their own Simple Mail Transfer Protocol (SMTP) engine to send email carrying a copy of itself as an attachment. The messages are sent to email addresses that the worm harvests from infected systems.
Later NUWAR variants are Trojans and rootkits that spread via spammed email messages. The spammed messages use fake news headlines as their subjects.
In 2007, STORM malware paired up with a NUWAR variant to create an endless loop of infection. The loop starts with a SMALL malware that downloads other files, among them a NUWAR worm. The NUWAR worm, in turn, drops the same SMALL malware that downloaded it, which closes the loop.
NUWAR malware is also known to have rootkit capabilities, hiding the processes and files related to NUWAR. This routine makes detection and removal difficult.
TECHNICAL DETAILS
Yes
Connects to URLs/IPs, Drops files
Installation
This worm drops the following file(s)/component(s):
- %System%\svcp.csv
(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)
It drops the following copies of itself into the affected system:
- %Windows%\asam.exe
(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)
Autostart Technique
This worm adds the following registry entries to enable its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
asam = "%Windows%\asam.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
asam = "%Windows%\asam.exe"
It also registers its dropped copy in the Windows Firewall authorized applications list for the standard profile, so the firewall does not block the worm's network traffic:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List
%Windows%\asam.exe = "%Windows%\asam.exe:Enabled:enable"
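The registry indicators above can be checked offline against a registry export (the output of `reg export`). The script below is an added example written for this page, not code from the advisory or from Trend Micro: it parses the string-value subset of the .reg format, then flags Run entries that launch asam.exe and Windows Firewall AuthorizedApplications entries that whitelist it. The .reg text it runs on is constructed for the example, with C:\WINDOWS standing in for %Windows%; the value-name and path checks are the only indicators taken from the page.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample .reg export (not taken from an infected machine). The
# third key holds one worm entry and one ordinary Windows Messenger entry so
# the check has a benign line to ignore.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"asam"="C:\\WINDOWS\\asam.exe"
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"asam"="C:\\WINDOWS\\asam.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\WINDOWS\\asam.exe"="C:\\WINDOWS\\asam.exe:Enabled:enable"
"C:\\Program Files\\Messenger\\msmsgs.exe"="C:\\Program Files\\Messenger\\msmsgs.exe:*:Enabled:Windows Messenger"
"""

# Keys named in the advisory.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
FIREWALL_LIST_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                     r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Indicators from the advisory: the Run value name and the dropped file name.
NUWAR_RUN_VALUE = "asam"
NUWAR_FILENAME = "asam.exe"

# One REG_SZ line: "name"="data", where backslashes and quotes are escaped with a backslash.
_VALUE_RE = re.compile(r'^"(?P<name>(?:[^"\\]|\\.)*)"="(?P<data>(?:[^"\\]|\\.)*)"$')


def _unescape(s: str) -> str:
    """Undo .reg escaping: \\ -> \ and \" -> "."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse string values out of a .reg export into {key (lower-cased): {name: data}}.

    Registry key names are case-insensitive, so keys are normalised to lower case;
    binary and DWORD values are not needed here and are skipped.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m and current is not None:
            keys[current][_unescape(m.group("name"))] = _unescape(m.group("data"))
    return keys


def basename(path: str) -> str:
    """Last path component, lower-cased, accepting either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def find_nuwar_indicators(keys: Dict[str, Dict[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (key, value name, reason) for every entry matching the advisory's indicators."""
    findings = []
    for key in RUN_KEYS:
        for name, data in keys.get(key.lower(), {}).items():
            if name.lower() == NUWAR_RUN_VALUE or basename(data) == NUWAR_FILENAME:
                findings.append((key, name, "autostart entry for " + NUWAR_FILENAME))
    for name, data in keys.get(FIREWALL_LIST_KEY.lower(), {}).items():
        # Firewall list data is colon-separated; "Enabled" among the fields means the
        # exception is active, whichever exact layout the entry uses.
        enabled = "enabled" in (field.lower() for field in data.split(":"))
        if enabled and basename(name) == NUWAR_FILENAME:
            findings.append((FIREWALL_LIST_KEY, name, "active firewall exception for " + NUWAR_FILENAME))
    return findings


if __name__ == "__main__":
    for key, name, reason in find_nuwar_indicators(parse_reg_export(SAMPLE_REG)):
        print(f"{reason}: [{key}] {name}")
```

To run it on a real export, note that `reg export` writes UTF-16LE, so read the file with `open(path, encoding="utf-16")` before passing its contents to `parse_reg_export`. A hit on the firewall list is the more useful signal in triage: an autostart entry alone says the file runs, while the AuthorizedApplications entry shows the worm arranged for its outbound connections to pass the host firewall.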
Other Details
This worm connects to the following possibly malicious URLs:
- http://{BLOCKED}.{BLOCKED}.3.32/aff/cntr.php
- http://{BLOCKED}.{BLOCKED}.127.114/{random characters}.htm
- http://{BLOCKED}.{BLOCKED}.127.114/{random characters}.gif
- http://{BLOCKED}.{BLOCKED}.127.114/{random characters}.jpg
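Because the advisory redacts the first two octets of these addresses, a network check has to key on what is left: the fixed path /aff/cntr.php, and the pattern of a single client fetching .htm, .gif and .jpg objects directly from an IP-literal host. The script below is an added example for this page, not code from the advisory or from Trend Micro. It scans proxy log lines in a simple constructed format (timestamp, client, method, URL, status); the 203.0.113.x addresses are documentation-range placeholders standing in for the redacted hosts, and the request names are invented.

```python
import ipaddress
from collections import Counter
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

# Constructed proxy log (not real traffic). The first four lines mimic the
# advisory's callback pattern; the last two are ordinary browsing.
SAMPLE_LOG = """\
2007-01-19T10:02:11Z 10.0.0.17 GET http://203.0.113.32/aff/cntr.php 200
2007-01-19T10:02:12Z 10.0.0.17 GET http://203.0.113.114/ab12cd.htm 200
2007-01-19T10:02:13Z 10.0.0.17 GET http://203.0.113.114/ab12cd.gif 200
2007-01-19T10:02:14Z 10.0.0.17 GET http://203.0.113.114/ab12cd.jpg 200
2007-01-19T10:03:40Z 10.0.0.23 GET http://www.example.com/index.htm 200
2007-01-19T10:04:02Z 10.0.0.23 GET http://www.example.com/images/logo.gif 304
"""

# The only unredacted, fixed part of the first URL on the page.
KNOWN_PATH = "/aff/cntr.php"
# Extensions of the randomly named objects fetched from the second host.
SUSPECT_EXTS = (".htm", ".gif", ".jpg")


def is_ip_literal(host: str) -> bool:
    """True when the URL host is a bare IPv4/IPv6 address rather than a name."""
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into its five fields."""
    ts, client, method, url, status = line.split()
    return {"ts": ts, "client": client, "method": method, "url": url, "status": status}


def scan_proxy_log(text: str) -> Tuple[List[Tuple[str, str]], Counter]:
    """Return exact indicator hits and a per-(client, host) count of direct-to-IP
    fetches of .htm/.gif/.jpg objects that deserve a closer look.

    Exact hits are (client, url) pairs. Review counts are keyed by (client, host);
    a single client pulling several such objects from one IP-literal host is the
    shape of the second, third and fourth URLs on the page.
    """
    exact: List[Tuple[str, str]] = []
    review: Counter = Counter()
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_line(line)
        parts = urlsplit(rec["url"])
        host = parts.hostname or ""
        if parts.path == KNOWN_PATH:
            exact.append((rec["client"], rec["url"]))
        elif is_ip_literal(host) and parts.path.lower().endswith(SUSPECT_EXTS):
            review[(rec["client"], host)] += 1
    return exact, review


if __name__ == "__main__":
    hits, counts = scan_proxy_log(SAMPLE_LOG)
    for client, url in hits:
        print(f"indicator hit: {client} -> {url}")
    for (client, host), n in counts.most_common():
        print(f"review: {client} fetched {n} objects directly from {host}")
```

The exact-path match is the firm indicator; the review list is only a prioritisation aid, since direct-to-IP fetches of images also occur in legitimate traffic, and it should be read together with the host-side registry check rather than on its own.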