Malware type: Worm
Aliases: Trojan.Packed.13 (Symantec), Mal/EncPk-E (Sophos), Email-Worm.Win32.Zhelatin.cs (Kaspersky), TR/Small.DBY.BT (Avira), W32/EmailWorm.IRW (exact) (F-Prot), Downloader-ASH.gen.b (McAfee)
In the wild: Yes
Destructive: No
Language: English
Platform: Windows 98, ME, NT, 2000, XP, Server 2003
Encrypted: No
Description:
Barely three weeks into the new year, as the storm "Kyrill" ravaged Central Europe, another "storm" brewed. The new storm was a deluge of spammed email messages that promised to bring information about Europe's most severe winter storm since 1999, with subject lines such as "230 dead as storm batters Europe", among others.
That is how this Trojan, which arrives as an attachment to the said email messages, came to be dubbed the "Storm" malware. But it is more than just malware with a clever social engineering lure: working in tandem with WORM_NUWAR.CQ, it staged a complex, multi-stage attack.
A comprehensive article on the routines and ultimate goals of the TROJ_SMALL.EDW and WORM_NUWAR.CQ tandem is available under the title "TROJ_SMALL.EDW Storms into Inboxes, Teams Up with NUWAR to Create Unique Network".
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This worm arrives as an attachment to mass-mailed email messages. It spreads by attaching a copy of itself to an email message, which it sends using its own Simple Mail Transfer Protocol (SMTP) engine.
Having its own SMTP engine allows it to send messages without relying on any installed mail client, such as MS Outlook, so the mail activity leaves no trace in the user's mailbox.
It spoofs the From field of each email message by combining a name from a built-in list of common first names with a spoofed domain name. This tricks recipients into believing that the message comes from a trusted source.
Variants of WORM_NUWAR are notorious for their spamming activity, hence the wide variety of subject lines and sender details seen in the wild.
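The From-spoofing described above is visible in the mail headers: the address in From claims one domain, while the earliest Received header records the host that actually injected the message. The following triage script is an added example, not Trend Micro's code or anything extracted from the worm; the two sample messages, all hostnames, addresses and the attachment name are constructed, and the only subject line it matches is the one quoted on this page.

```python
"""Mail-gateway triage: flag messages whose From domain disagrees with the
injecting relay, which is the pattern a self-contained SMTP engine with a
spoofed From field produces. Added example with constructed samples."""
import re
from email import message_from_string
from email.policy import default
from email.utils import parseaddr

# Only lure subject quoted on the page; the worm's full list is not known here.
LURE_SUBJECTS = {"230 dead as storm batters Europe"}

# "from <host> (...) by <host> ..." is the conventional Received header shape.
RECEIVED_FROM = re.compile(r"^from\s+(\S+)", re.IGNORECASE)


def relay_hostname(msg):
    """Hostname named in the earliest Received header (listed last), i.e. the
    machine that handed the message to the first mail relay."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    m = RECEIVED_FROM.match(str(received[-1]).strip())
    return m.group(1).lower().rstrip(".") if m else None


def registered_domain(host):
    """Crude registrable-domain guess: last two labels. Adequate for the
    constructed samples; a real gateway would use the public suffix list."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


def triage(raw):
    """Return the From domain, injecting relay and a list of findings."""
    msg = message_from_string(raw, policy=default)
    _, from_addr = parseaddr(str(msg.get("From", "")))
    from_domain = from_addr.rpartition("@")[2].lower()
    relay = relay_hostname(msg)
    findings = []
    if relay and from_domain and registered_domain(relay) != registered_domain(from_domain):
        findings.append("from-domain-mismatch")
    if str(msg.get("Subject", "")).strip() in LURE_SUBJECTS:
        findings.append("storm-lure-subject")
    if any(p.get_content_disposition() == "attachment" for p in msg.iter_attachments()):
        findings.append("has-attachment")
    return {"from_domain": from_domain, "relay": relay, "findings": findings}


# Constructed sample: spoofed From, lure subject, injected from a dial-up host.
SAMPLE_SPOOFED = """\
Received: from mx.example.org (mx.example.org [192.0.2.5]) by inbox.example.org; Sat, 20 Jan 2007 10:00:00 +0000
Received: from dsl-198-51-100-23.example.net (dsl-198-51-100-23.example.net [198.51.100.23]) by mx.example.org; Sat, 20 Jan 2007 09:59:00 +0000
From: "Sarah" <sarah@example.com>
To: victim@example.org
Subject: 230 dead as storm batters Europe
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Full story attached.
--b1
Content-Type: application/octet-stream; name="placeholder-attachment.bin"
Content-Disposition: attachment; filename="placeholder-attachment.bin"

not-a-real-binary
--b1--
"""

# Constructed sample: ordinary message relayed by the sender's own domain.
SAMPLE_LEGIT = """\
Received: from mail.example.net (mail.example.net [192.0.2.10]) by mx.example.org; Sat, 20 Jan 2007 10:00:00 +0000
From: "Sarah" <sarah@example.net>
To: victim@example.org
Subject: Lunch on Monday?
Content-Type: text/plain

See you then.
"""

if __name__ == "__main__":
    for name, raw in (("spoofed", SAMPLE_SPOOFED), ("legit", SAMPLE_LEGIT)):
        print(name, triage(raw))
```

A mismatch on its own is not proof of malice (mailing lists and forwarding break it too), so the findings are meant to be scored together with the lure subject and the presence of an attachment rather than acted on individually.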
It drops a randomly named file in the folder from which it was originally executed. It also drops a .SYS file in the Windows system folder. Both dropped files are detected by Trend Micro as TROJ_SMALL.EDW, so the malicious routines of that Trojan are also exhibited on the affected system.
It creates a mutex to ensure that only one instance of itself runs in memory.
It terminates certain processes, most of which belong to antivirus and security applications, to hinder its detection and subsequent removal.
It disables Internet Connection Sharing (ICS) and Windows Firewall by modifying a related registry entry, which lets this worm carry on with its routines unhindered.
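The firewall and ICS tampering above leaves a persistent, auditable state on the host. The following PowerShell check is an added example, not Trend Micro's code; the page does not name the registry entry the worm modifies, so the script inspects the standard XP-era Windows Firewall/ICS locations (the SharedAccess service and the FirewallPolicy profile keys), which is an assumption about where such tampering would show up rather than a claim about this worm's exact write.

```powershell
# Added example: report whether the Windows Firewall/ICS service and the
# standard-profile firewall policy look tampered with. Paths are the usual
# Windows locations, assumed here; they are not taken from this encyclopedia entry.
function Get-FirewallTamperReport {
    $findings = @()

    # SharedAccess is the service behind both ICS and the Windows Firewall.
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess'
    if (Test-Path $svcKey) {
        $start = (Get-ItemProperty -Path $svcKey -Name Start -ErrorAction SilentlyContinue).Start
        if ($start -eq 4) { $findings += "SharedAccess service is disabled (Start=4)" }
    } else {
        $findings += "SharedAccess service key is missing"
    }

    # EnableFirewall=0 under the standard profile turns the host firewall off.
    $profileKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile'
    if (Test-Path $profileKey) {
        $enabled = (Get-ItemProperty -Path $profileKey -Name EnableFirewall -ErrorAction SilentlyContinue).EnableFirewall
        if ($enabled -eq 0) { $findings += "StandardProfile EnableFirewall is 0" }
    }

    # Cross-check the live service state, not just the registry.
    $svc = Get-Service -Name SharedAccess -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -ne 'Running') {
        $findings += "SharedAccess service status is $($svc.Status)"
    }

    [pscustomobject]@{
        Host      = $env:COMPUTERNAME
        Tampered  = ($findings.Count -gt 0)
        Findings  = $findings
    }
}

Get-FirewallTamperReport | Format-List
```

Run it from an elevated prompt on the suspect host; a `Tampered` result of `True` together with the process-termination behaviour noted above is a strong indicator that the system has been compromised and should be isolated for cleanup.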
For additional information about this threat, see the Solution and Technical Details sections of this entry.
Description created: Apr. 11, 2007 7:59:37 PM GMT -0800