WORM_NUWAR.CQ

Malware type: Worm

Aliases: Trojan.Peacomm(Symantec), Mal/HckPk-A(Sophos), Email-Worm.Win32.Poca.b(Kaspersky), TR/Small.DBY.Q(Avira), W32/Tibs.RG (exact)(F-Prot), Downloader-BAI(McAfee)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: Yes

Overall risk rating:

Reported infections:

Damage potential:

High

Distribution potential:

High

Infection Channel 1: Propagates via email

Description:

Barely three weeks into the new year, as the storm "Kyrill" ravaged central Europe, another "storm" brewed. The new storm was a deluge of spam email messages that promised information about Europe's most severe winter storm since 1999, with subject lines such as "230 dead as storm batters Europe".

That is how this Trojan, arriving as an attachment to the said email messages, came to be dubbed the "Storm" malware. But this Trojan is more than just malware with a clever social engineering technique. Bringing WORM_NUWAR.CQ along, it formed a partnership that staged a complex attack.

For a comprehensive article about the routines and ultimate goals of the TROJ_SMALL.EDW-WORM_NUWAR.CQ tandem, see: TROJ_SMALL.EDW Storms into Inboxes, Teams Up with NUWAR to Create Unique Network.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_NUWAR.CQ Behavior Diagram

Malware Overview

This worm arrives as an attachment to mass-mailed email messages. It may also arrive as a file downloaded by other malware.

It spreads by attaching a copy of itself to an email message, which it sends using its own Simple Mail Transfer Protocol (SMTP) engine. Having its own SMTP engine allows it to send messages without using any mailing application, such as MS Outlook.

It spoofs the From field of an email message by using a list of common names followed by a spoofed domain name. Users may be tricked into thinking that the email message is from a trusted source.

Upon execution, it drops a copy of itself in the Windows system folder. It also drops a randomly named file detected by Trend Micro as TROJ_SMALL.EDW.

This worm searches for .EXE and .SCR files on the affected system and inserts code into them so that, when run, they automatically execute a copy of this worm. Modified .EXE and .SCR files are detected by Trend Micro as PE_LUDER.A.

Note that this worm avoids accessing files protected by the Windows File Protection feature to avoid triggering pop-up warnings that can notify the affected user of its presence on the system.

It terminates processes, most of which are related to antivirus and security applications. The said routine allows this worm to avoid easy detection.

In addition, it disables Internet Connection Sharing (ICS) and Windows Firewall by modifying a related registry entry.

Description created: Jan. 21, 2007 5:06:56 PM GMT -0800


TECHNICAL DETAILS


File type: PE

Memory resident: Yes

Size of malware: 47,235 Bytes (compressed)

Initial samples received on: Jan 21, 2007

Compression type: UPX

Related to: PE_LUDER.A, TROJ_SMALL.EDW

Payload 1: Disables Internet Connection Sharing and Windows Firewall

Payload 2: Terminates processes

Payload 3: Drops files

Details:

Installation and Autostart Technique

This worm arrives as an attachment to mass-mailed email messages. It may also arrive as a file downloaded by other malware from any of the following URLs:

  • http://209.123.{BLOCKED}.61/dir/aa.exe
  • http://209.123.{BLOCKED}.61/dir/ab.exe
  • http://209.123.{BLOCKED}.61/dir/ac.exe
  • http://209.123.{BLOCKED}.61/dir/ad.exe
  • http://209.123.{BLOCKED}.61/dir/ae.exe
  • http://209.123.{BLOCKED}.61/dir/af.exe

Note that the list of URLs may change.

Upon execution, this worm drops a copy of itself in the Windows system folder as ALSYS.EXE. It also drops a randomly named file, which Trend Micro detects as TROJ_SMALL.EDW, in the folder where this worm initially executes.

To enable its automatic execution at every system startup, it creates the following registry entries:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
agent = "%System%\alsys.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
agent = "%System%\alsys.exe"

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

This worm searches for .EXE and .SCR files on the affected system and inserts code into them so that, when run, they automatically execute a copy of this worm bearing the file name {Random}.T. It then drops copies of itself into every folder that contains .EXE and .SCR files. Each dropped copy uses the file name {Random}.T and is associated with the worm-modified .EXE and .SCR files in that folder, so executing a modified file also executes the dropped copy. Modified .EXE and .SCR files are detected by Trend Micro as PE_LUDER.A.

Note that this worm avoids accessing files protected by the Windows File Protection feature to avoid triggering pop-up warnings that can notify the affected user of its presence on the system.
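The companion-file layout just described gives a responder something concrete to look for on disk. The following Python script is an added example, not Trend Micro's tooling or part of this report: it walks a directory tree and reports folders where a file with the .T extension sits beside .EXE or .SCR files. The directory layout it builds in a temporary folder is constructed for illustration, and since the report does not give the {Random} name pattern, only the extension is matched.

```python
"""Locate {Random}.T companion files dropped beside .EXE/.SCR files.

Added example, not Trend Micro's tooling. The report says the worm drops a
copy named {Random}.T into every folder holding .EXE/.SCR files and patches
those files to launch it, so folders containing both are the places to
inspect. The sample tree built below is constructed purely for illustration.
"""
import os
import tempfile

HOST_EXTENSIONS = {".exe", ".scr"}  # file types the report says are modified
COMPANION_EXTENSION = ".t"          # extension of the dropped worm copy


def find_companions(root):
    """Return {folder: (companion_files, host_files)} for every folder under
    root that holds at least one *.T file and at least one .EXE/.SCR file.
    Symlinks are not followed (os.walk default), so loops are not an issue."""
    hits = {}
    for folder, _dirs, files in os.walk(root):
        ext = lambda f: os.path.splitext(f)[1].lower()
        companions = sorted(f for f in files if ext(f) == COMPANION_EXTENSION)
        hosts = sorted(f for f in files if ext(f) in HOST_EXTENSIONS)
        if companions and hosts:
            hits[folder] = (companions, hosts)
    return hits


def build_sample_tree(root):
    """Constructed layout: one folder with the companion pattern, one clean
    program folder, and one folder with a .t file but no executables (a
    TeX-style text file), which must not be flagged."""
    layout = {
        "Program Files/Editor": ["editor.exe", "help.chm", "x7q2.t"],
        "Program Files/Clean": ["clean.exe", "readme.txt"],
        "Docs": ["notes.t", "notes.txt"],
    }
    for sub, names in layout.items():
        folder = os.path.join(root, sub)
        os.makedirs(folder, exist_ok=True)
        for name in names:
            with open(os.path.join(folder, name), "wb") as fh:
                fh.write(b"constructed sample content")
    return root


def demo():
    """Build the constructed tree, scan it, and return hits keyed by
    root-relative folder path with forward slashes."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        hits = find_companions(root)
        return {os.path.relpath(k, root).replace(os.sep, "/"): v
                for k, v in hits.items()}


if __name__ == "__main__":
    for folder, (companions, hosts) in demo().items():
        print(f"{folder}: companions={companions} hosts={hosts}")
```

The scan only locates candidate folders; whether a given .EXE or .SCR in such a folder was actually modified is what the PE_LUDER.A detection decides, so treat the output as a worklist for scanning rather than a verdict.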

Other Registry Modification

This worm disables Internet Connection Sharing (ICS) and Windows Firewall. It does the said routine by modifying the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess
Start = "3"

(Note: The data value of the said registry entry is usually user-defined. When the value is set to 3, the user is required to manually start ICS and Windows Firewall. In effect, the said services are disabled unless started by the user.)
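Both registry changes above, the two "agent" Run entries and the SharedAccess Start value, can be checked offline from a Registry Editor export taken on the suspect host. The following Python script is an added example, not Trend Micro's tooling: it parses the .reg text format and flags the indicators this report lists. SAMPLE_EXPORT is constructed, and the UTF-16 handling in load_export reflects how Registry Editor writes its exports.

```python
"""Triage a Registry Editor export for the changes described in this report.

Added example, not Trend Micro's tooling. It parses the text format that
Registry Editor and ``reg export`` write and flags the indicators the report
lists: "agent" Run entries pointing at %System%\\alsys.exe, and a
SharedAccess Start value other than 2 (automatic), which is how the worm
leaves ICS/Windows Firewall off. SAMPLE_EXPORT below is constructed.
"""
import re
import sys

# Indicators taken from the report.
RUN_KEYS = (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
)
RUN_VALUE_NAME = "agent"
RUN_DATA_SUFFIX = r"\alsys.exe"
SHARED_ACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
START_AUTOMATIC = 2  # normal state for the SharedAccess service; the worm sets 3

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')


def parse_reg_export(text):
    """Return {key_path_lower: {value_name_lower: data}} from .reg text.

    Decodes the two data encodings needed here: quoted strings (with the
    doubled backslashes .reg files use) and dword:XXXXXXXX; other encodings
    (hex:, expand strings) are kept as the raw text after '='.
    """
    tree, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1).lower()
            tree.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name, raw = m.groups()
            if raw.startswith('"') and raw.endswith('"'):
                data = raw[1:-1].replace("\\\\", "\\")
            elif raw.lower().startswith("dword:"):
                data = int(raw[6:], 16)
            else:
                data = raw
            tree[current][name.lower()] = data
    return tree


def find_indicators(tree):
    """Return human-readable findings for the report's indicators."""
    findings = []
    for key in RUN_KEYS:
        data = tree.get(key.lower(), {}).get(RUN_VALUE_NAME)
        if isinstance(data, str) and data.lower().endswith(RUN_DATA_SUFFIX):
            findings.append(f"autostart entry: {key}\\{RUN_VALUE_NAME} = {data}")
    start = tree.get(SHARED_ACCESS_KEY.lower(), {}).get("start")
    if isinstance(start, int) and start != START_AUTOMATIC:
        findings.append(f"SharedAccess Start = {start} "
                        "(ICS/Windows Firewall will not start automatically)")
    return findings


# Constructed export, not taken from a real machine.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"agent"="C:\\WINDOWS\\system32\\alsys.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"agent"="C:\\WINDOWS\\system32\\alsys.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Type"=dword:00000020
"Start"=dword:00000003
"""


def load_export(path):
    """Registry Editor saves exports as UTF-16; fall back to ANSI for older files."""
    try:
        with open(path, encoding="utf-16") as fh:
            return fh.read()
    except UnicodeError:
        with open(path, encoding="cp1252") as fh:
            return fh.read()


if __name__ == "__main__":
    text = load_export(sys.argv[1]) if len(sys.argv) > 1 else SAMPLE_EXPORT
    for finding in find_indicators(parse_reg_export(text)) or ["no indicators found"]:
        print(finding)
```

Run it with the path of an export as the only argument, or with no argument to see it work on the constructed sample. The Start check reports any value other than 2, since a host where the service is already manual or disabled for other reasons also deserves a look before the firewall is assumed to be running.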

Propagation via Email

This worm spreads by attaching a copy of itself to an email message, which it sends using its own Simple Mail Transfer Protocol (SMTP) engine. Having its own SMTP engine allows it to send messages without using any mailing application, such as MS Outlook.

The email message it sends out has the following details:

Subject: {any of the following}
• 5 Reasons I Love You
• A Bouquet of Love
• A Day in Bed Coupon
• A Hug & Roses
• A Kiss for You
• A Kiss So Gentle
• A Little (sex) Card
• A Monkey Rose for You
• A Red Hot Kiss
• A Relaxing Coupon
• A Romantic Place
• A Song to You
• A Special Flower for You
• A Special Kiss
• A Sweet Love
• A Token of My Love
• A Weekend Getaway
• Against All Odds
• All For You
• All That Matters
• Angel of Love
• Awaiting Your Love
• Baby, I'll Be There
• Back Together
• Between Us
• Bewitching Moonlight
• Brand New Love
• Breakfast in Bed Coupon
• Bubble Bath Coupon
• Can't Wait to See You!
• Crazy way to say I Luv U
• Cuddle Me Please
• Cuddle Up
• Cyber Love
• Dancing With You
• Dinner Coupon
• Doing It for You
• Dream Date Coupon
• Dream Girl
• Emptiness Inside Me
• Eternity of Your Love
• Evening Romance
• Every Inch of Your Body
• Everyone Needs Someone
• Falling In Love with You
• Feeling Horny?
• Fields Of Love
• For Better of For Worse
• For You
• For You....My Love
• Forever and Ever
• Forever in Love
• From this day forward
• Full Heart
• Hand in Hand
• He Blessed Our Lives
• Heart is Breaking
• Heart of Mine
• Hey Cutie
• Hold Me (distant love)
• Hold On
• How Much I Love You
• Hugging My Pillow
• I Always Knew
• I am Complete
• I Am Lost In You
• I Believe
• I Can't Function
• I Dream of you
• I Give to You
• I Love Thee
• I Love You Mower
• I Love You So
• I Love You Soo Much
• I Love You with All I Am
• I Still Love You
• I Think of You
• I Win with You
• I wish
• I Woof You
• I Would Do Anything
• I Would Give you Anything
• I'll Be Your Man
• If I Could
• If I Knew
• In Love
• In My Heart
• Inside My Heart
• Internet Love
• It's Your Move
• Just You
• Just You & Me
• Kiss Coupon
• Kisses, Hugs & Roses
• Last Night was Hot!
• Let's Get Frisky
• Live With Me
• Longing for You
• Love at First Sight
• Love Birds
• Love for Granted
• Love is in the Air
• Love Remains
• Love You Deeply
• Made for Each Other
• Magic of Flowers
• Massage Coupon
• Memories
• Miracle of Love
• Moonlit Waterfall
• Most Beautiful Girl
• My Eye on You
• My Heart belongs to you
• My Heart is Thinking
• My Invitation
• My Love
• My Perfect Love
• Now and Forever
• Now I Know
• Old Together
• Only You
• Our Love
• Our Love Everyday
• Our Love is Free
• Our Love is Strong
• Our love is torn by miles
• Our Love Nest
• Our Love Will Last
• Our Two Hearts
• Our Wedding Day
• P.M.S
• Passionate Kiss
• Peek-A-Boo
• Pockets of Love
• Puppy Love
• Red Rose
• Romantic Picnic Coupon
• Rose for my Love
• Safe and Sound
• Safe With You
• Search for One
• Sending Kiss
• Sending You My Love
• Showers Of Love
• So in Love
• So Unique
• Solitary Beauty
• Someone at Last
• Soul Mates
• Soul Partners
• Steamy Dream
• Steamy Sex Coupon
• Summer Love
• Take My Hand
• Teddy Bear & Roses
• Tender Whispers
• Thanks...Love
• That Special Love
• The Candle's Light
• The Dance of Love
• The Kiss
• The Letter
• The Long Haul
• The Love Bugs
• The Miracle of Love
• The Mood for Love
• The Sweet Taste of Love
• The Time for Love
• Thinking about you
• Thinking of You
• This Day Forward
• This Feeling
• Til the End of Time
• Till Morning's Light
• Till Morninig's Light
• Times Are Hard, I Luv U
• To New Spouse
• Together Again
• Together You and I
• Touched by Love
• True Love
• Trunk Full Of Love
• Twice Blest
• Twilight Paradise
• Two of a Kind
• Unique Love
• Unmatchable Beauty
• Until the Day
• Vacation Love
• Waiting for You
• Want to Meet?
• Want You to Know
• We Are Different
• We Have Walked
• We're a Perfect Fit
• When I look at you
• When I'm With You
• When You Fall in Love
• Why I Love You
• Wild Nights--Wild Nights
• Will You?
• Window of Beauty
• Wine and Roses
• Wish I Could Tell You
• Wish Upon a Star
• With All My Love
• With All of My Heart
• With This Ring
• Without Your Love
• Won't you dance with me
• Words I Write
• Worthy of You
• Wrapped in Your Arms
• Wrapped Up
• You %20 Me
• You and I
• You and I Forever
• You Are My Guiding Star
• You are out of this world
• You Asked Me Why
• You Brighten My Day
• You Lucky Duck!
• You Rock Me!
• You Were Worth the Wait
• You're My Hero
• You're so Far Away
• You're Soo kissable
• You're the One
• Your Love Has Opened
• Your Silly Smile

Message body: {blank}

Attachment: {any of the following}
• Flash Postcard.exe
• Greeting Card.exe
• Greeting Postcard.exe
• Postcard.exe

It spoofs the From field of an email message by using the following list of common names followed by a spoofed domain name:

  • Aldora
  • Alysia
  • Amorita
  • Anita
  • April
  • Aretina
  • Barbra
  • Becky
  • Bella
  • Bettina
  • Blenda
  • Briana
  • Bridget
  • Caitlin
  • Camille
  • Carla
  • Carmen
  • Chelsea
  • Clarissa
  • Damita
  • Danielle
  • Daria
  • Diana
  • Donna
  • Doris
  • Ebony
  • Eliza
  • Emily
  • Erika
  • Evelyn
  • Faith
  • Gilda
  • Gloria
  • Haley
  • Helga
  • Holly
  • Idona
  • Isabel
  • Ivana
  • Ivory
  • Janet
  • Jewel
  • Joanna
  • Julie
  • Juliet
  • Kacey
  • Kassia
  • Katrina
  • Laura
  • Linda
  • Lolita
  • Melody
  • Nadia
  • Naomi
  • Natalie
  • Nicole
  • Olivia
  • Pamela
  • Peggy
  • Queen
  • Rachel
  • Sharon
  • Silver
  • Valda
  • Valora
  • Vanessa
  • Vicky
  • Violet
  • Vivian
  • Wendy
  • Willa
  • Xandra
  • Xenia
  • Xylia
  • Zenia
  • Zilya

Notably, it avoids sending messages to email addresses that contain any of the following strings:

  • .gov
  • .mil
  • microsoft
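The mail characteristics above (a subject from a fixed list, a blank body, one of four .EXE attachment names, and a From header built from a common first name and a spoofed domain) are enough for a gateway-side check. The following Python function is an added example, not Trend Micro's detection logic: it parses an RFC 822 message with the standard library and lists which of those traits it matches. SAMPLE_MESSAGE and CLEAN_MESSAGE are constructed, and the subject and sender-name sets are short excerpts of the full lists above; a deployment would load the complete lists.

```python
"""Check an inbound message for the traits of WORM_NUWAR.CQ mail.

Added example, not Trend Micro's detection logic. Parses an RFC 822 message
with the standard library and returns the reasons it matches this report:
subject from the worm's list, From display name or local-part from the
spoofed-sender name list, blank body, and an .EXE attachment (the four
names the report gives are called out explicitly). List contents are excerpts.
"""
import email
import email.utils
from email import policy

# Excerpts of the report's lists (constructed subset; load the full lists in use).
SUBJECTS = {"5 Reasons I Love You", "A Kiss for You", "Hey Cutie", "Red Rose", "You and I"}
ATTACHMENTS = {"flash postcard.exe", "greeting card.exe", "greeting postcard.exe", "postcard.exe"}
SPOOFED_NAMES = {"aldora", "alysia", "anita", "bella", "emily", "laura", "wendy", "zilya"}


def score_message(raw_bytes):
    """Return a list of matched traits; an empty list means no match."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []

    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        reasons.append(f"subject from worm list: {subject!r}")

    display, addr = email.utils.parseaddr(str(msg["From"] or ""))
    local_part = addr.split("@", 1)[0]
    if display.lower() in SPOOFED_NAMES or local_part.lower() in SPOOFED_NAMES:
        reasons.append(f"From built from spoofed-sender name list: {msg['From']}")

    # The report says the body is blank; get_body() selects the text part even
    # when the attachment has made the message multipart/mixed.
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        reasons.append("blank message body")

    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            reasons.append(f"attachment name from worm list: {name!r}")
        elif name.endswith(".exe"):
            reasons.append(f"other executable attachment: {name!r}")
    return reasons


# Constructed message shaped like the report's description. The base64 body
# decodes to the placeholder text "MZPACKED", not to any real sample.
SAMPLE_MESSAGE = b"""From: Emily <emily@example.invalid>
To: user@example.invalid
Subject: A Kiss for You
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

--b1
Content-Type: application/octet-stream; name="Postcard.exe"
Content-Disposition: attachment; filename="Postcard.exe"
Content-Transfer-Encoding: base64

TVpQQUNLRUQ=
--b1--
"""

# Constructed benign message for comparison.
CLEAN_MESSAGE = b"""From: Bob <bob@example.invalid>
To: user@example.invalid
Subject: Lunch

See you at noon.
"""

if __name__ == "__main__":
    for label, raw in (("sample", SAMPLE_MESSAGE), ("clean", CLEAN_MESSAGE)):
        print(label, score_message(raw) or ["no match"])
```

Each trait on its own is weak (first names and blank bodies are common), so the function returns every reason rather than a verdict, leaving the gateway policy to decide how many must coincide. The recipient exclusions above (.gov, .mil, microsoft) mean mail logs for those domains are not where this campaign will show up.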

Process Termination

This worm terminates processes that contain any of the following strings:

  • anti
  • avg
  • avp
  • blackice
  • f-pro
  • firewall
  • hijack
  • lockdown
  • mcafee
  • msconfig
  • nav
  • nod32
  • rav
  • reged
  • spybot
  • taskmgr
  • troja
  • viru
  • vsmon
  • zonea

The said strings are mostly related to antivirus and security applications. The said routine allows this worm to avoid easy detection and consequent removal.
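The substring list above decides which programs the worm kills, so it also tells a responder which tools survive on an infected host. The following Python snippet is an added example, not Trend Micro's code: it applies the same case-insensitive substring match to a process list. The names in SAMPLE_PROCESSES are constructed for illustration.

```python
"""Predict which processes WORM_NUWAR.CQ's termination routine would hit.

Added example, not Trend Micro's code. The report says the worm kills any
process whose name contains one of the substrings below; this applies the
same case-insensitive substring test to a process list so a responder knows
in advance which tools are killed on an infected host and which survive.
SAMPLE_PROCESSES is a constructed list.
"""

# Substrings from the report's Process Termination section.
KILL_SUBSTRINGS = (
    "anti", "avg", "avp", "blackice", "f-pro", "firewall", "hijack",
    "lockdown", "mcafee", "msconfig", "nav", "nod32", "rav", "reged",
    "spybot", "taskmgr", "troja", "viru", "vsmon", "zonea",
)


def matching_substrings(process_name):
    """Return the worm's substrings that occur in process_name (case-insensitive)."""
    lowered = process_name.lower()
    return [s for s in KILL_SUBSTRINGS if s in lowered]


def would_be_killed(process_name):
    """True if the worm's routine would terminate this process."""
    return bool(matching_substrings(process_name))


def partition(process_names):
    """Split a process list into ({killed_name: [substrings]}, [survivors])."""
    killed, survivors = {}, []
    for name in process_names:
        hits = matching_substrings(name)
        if hits:
            killed[name] = hits
        else:
            survivors.append(name)
    return killed, survivors


# Constructed process list: built-in Windows tools, a few security-product
# style names, the viewer the removal instructions recommend, and an
# unrelated program whose name happens to contain one of the substrings.
SAMPLE_PROCESSES = [
    "taskmgr.exe", "regedit.exe", "msconfig.exe", "explorer.exe",
    "winlogon.exe", "avgnt.exe", "nod32krn.exe", "vsmon.exe",
    "zonealarm.exe", "navapsvc.exe", "procexp.exe", "notepad.exe",
    "traveler.exe",
]

if __name__ == "__main__":
    killed, survivors = partition(SAMPLE_PROCESSES)
    for name, hits in killed.items():
        print(f"killed   {name:<16} matched {', '.join(hits)}")
    for name in survivors:
        print(f"survives {name}")
```

Two things fall out of the run. procexp.exe matches none of the substrings, which is why the removal instructions below can rely on Process Explorer while taskmgr.exe and regedit.exe are killed; it also means the registry cleanup has to wait until the worm process is gone. And because the test is a bare substring, an unrelated program such as the constructed traveler.exe is killed too (it contains "rav"), so a host showing unexplained crashes of unrelated programs fits this routine.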

Other Details

This worm creates the mutex klllekkdkkd to ensure that only one instance of itself is running in memory.

Affected Platforms

This worm runs on Windows 98, ME, NT, 2000, XP, and Server 2003.

Analysis By: Vincent R. Cabuag

Revision History:

First pattern file version: 4.199.00
First pattern file release date: Jan 21, 2007
 
Jan 22, 2007 - Modified Malware Report
Mar 15, 2007 - Modified Malware Report

SOLUTION


Minimum scan engine version needed: 8.000

Pattern file needed: 5.543.00

Pattern release date: Sep 15, 2008


Important note: The "Minimum scan engine" refers to the earliest Trend Micro scan engine version guaranteed to detect this threat. However, Trend Micro strongly recommends that you update to the latest version in order to get comprehensive protection. Download the latest scan engine from Trend Micro.

Solution:

MANUAL REMOVAL INSTRUCTIONS

Note: To fully remove all associated malware, also perform the clean solutions for the related malware named in the Technical Details above.

Identifying the Malware Program

To remove this malware, first identify the malware program.

  1. Scan your computer with your Trend Micro antivirus product.
  2. NOTE the path and file name of all files detected as WORM_NUWAR.CQ.

Trend Micro customers need to download the latest virus pattern file before scanning their computer. Other users can use Housecall, the Trend Micro online virus scanner.

Terminating the Malware Program

Since this malware terminates the Windows Task Manager, you will need a third-party process viewer such as Process Explorer. You will also need the name(s) of the file(s) detected earlier.

  1. Download Process Explorer.
  2. Extract the contents of the compressed (ZIP) file to a location of your choice.
  3. Execute Process Explorer by double-clicking procexp.exe.
  4. In the Process Explorer window, locate the malware file(s) detected earlier.
  5. Right-click one of the detected files, then click Kill Process Tree.
  6. Do the same for all detected malware files in the list of running processes.
  7. Close Process Explorer.

NOTE: On all Windows platforms, if the process you are looking for is not in the list displayed by Process Explorer, continue with the next solution procedure, noting any additional instructions. If the malware process is in the list displayed by Process Explorer but you are unable to terminate it, restart your computer in safe mode.

Editing the Registry

This malware modifies the computer's registry. Users affected by this malware may need to modify or delete specific registry keys or entries. For detailed information regarding registry editing, please refer to the following articles from Microsoft:

  1. HOW TO: Backup, Edit, and Restore the Registry in Windows 95, Windows 98, and Windows ME
  2. HOW TO: Backup, Edit, and Restore the Registry in Windows NT 4.0
  3. HOW TO: Backup, Edit, and Restore the Registry in Windows 2000
  4. HOW TO: Back Up, Edit, and Restore the Registry in Windows XP and Server 2003

Removing Autostart Entries from the Registry

Removing autostart entries from the registry prevents the malware from executing at startup.

If the registry entries below are not found, the malware may not have executed as of detection. If so, proceed to the succeeding solution set.

  1. Open Registry Editor. Click Start>Run, type REGEDIT, then press Enter.
  2. In the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SOFTWARE>Microsoft>
    Windows>CurrentVersion>Run
  3. In the right panel, locate and delete the entry:
    agent = "%System%\alsys.exe"
    (Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, and C:\Windows\System32 on Windows XP and Server 2003.)
  4. In the left panel, double-click the following:
    HKEY_CURRENT_USER>Software>Microsoft>
    Windows>CurrentVersion>Run
  5. In the right panel, locate and delete the entry:
    agent = "%System%\alsys.exe"

Restoring the Modified Registry Entry

  1. Still in Registry Editor, in the left panel, double-click the following:
    HKEY_LOCAL_MACHINE>SYSTEM>CurrentControlSet>
    Services>SharedAccess
  2. In the right panel, locate the entry:
    Start = "3"
  3. The aforementioned entry is user-defined. It has the following parameters:
    • 2 (sets the service to automatic)
    • 3 (sets the service to manual)
    • 4 (disables the service)
  4. Right-click on the value name and choose Modify. Change the value data to the preferred parameter.
  5. Close Registry Editor.

Important Windows ME/XP Cleaning Instructions

Users running Windows ME and XP must disable System Restore to allow full scanning of infected computers.

Users running other Windows versions can proceed with the succeeding solution set(s).

Running Trend Micro Antivirus

If you are currently running in safe mode, please restart your computer normally before performing the following solution.

Scan your computer with Trend Micro antivirus and delete files detected as WORM_NUWAR.CQ. To do this, Trend Micro customers must download the latest virus pattern file and scan their computer. Other Internet users can use HouseCall, the Trend Micro online virus scanner.

For product-specific solutions, please refer to Solution 1034294 of the Trend Micro Knowledge Base.

