ALIASES:

Nuwar

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

 OVERALL RISK RATING:
 DAMAGE POTENTIAL:
 DISTRIBUTION POTENTIAL:
 REPORTED INFECTION:

  • Threat Type: Worm

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Propagates via email, Infects files

First spotted in 2006, NUWAR malware spread across systems via mass mailing copies of itself as an attachment. Its worm variants contain its own Simple Mail Transfer Protocol (SMTP) engine to send email containing a copy if itself as an attachment. The messages are then sent to email addresses which the worm harvests from infected systems.

Later NUWAR malware are Trojans and rootkits that spread via spammed email messages. The spammed messages use fake news in its topics.

In 2007, STORM malware paired up with a NUWAR variant to create an endless loop of infection. The loop starts with a SMALL malware that downloads other files, among them a NUWAR worm. The NUWAR worm, in turn, drops the same SMALL malware that downloaded it. Hence, the endless loop.

NUWAR malware also are known to have rootkit capabilities, effectively hiding processes and files related to NUWAR. This routine makes detection and removal difficult.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs, Drops files

Installation

This worm drops the following file(s)/component(s):

  • %System%\svcp.csv

(Note: %System% is the Windows system folder, which is usually C:\Windows\System on Windows 98 and ME, C:\WINNT\System32 on Windows NT and 2000, or C:\Windows\System32 on Windows XP and Server 2003.)

It drops the following copies of itself into the affected system:

  • %Windows%\asam.exe

(Note: %Windows% is the Windows folder, which is usually C:\Windows or C:\WINNT.)

Autostart Technique

This worm adds the following registry entries to enable its automatic execution at every system startup:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Run
asam = "%Windows%\asam.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
asam = "%Windows%\asam.exe"

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\
Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\
List
%Windows%\asam.exe = "%Windows%\asam.exe:Enabled:enable"

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}.{BLOCKED}.3.32/aff/cntr.php
  • http://{BLOCKED}.{BLOCKED}.127.114/{random characters}.htm
  • http://{BLOCKED}.{BLOCKED}.127.114/{random characters}.gif
  • http://{BLOCKED}.{BLOCKED}.127.114/{random characters}.jpg