WORM_NUWAR.AOS
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Zhelatin.dj (Kaspersky), Downloader-ASH.gen (McAfee), Trojan.Packed.13 (Symantec), TR/Small.DBY.CK (Avira), Mal/EncPk-E (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows Server 2003

Encrypted: Yes

Overall risk rating:

Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via email


Description: 

Barely three weeks into the new year, as the storm "Kyrill" ravaged Central Europe, another "storm" brewed. The new storm was a deluge of spammed email messages that promised to bring information about Europe's most severe winter storm since 1999, with subject lines such as "230 dead as storm batters Europe", among others.

That is how this Trojan, which arrived as an attachment to the said email messages, came to be dubbed the "Storm" malware. But this Trojan is more than just malware with a clever social engineering technique. Bringing WORM_NUWAR.CQ along with it, it formed a partnership that staged a complex attack.

For a comprehensive article about the routines and ultimate goals of the TROJ_SMALL.EDW and WORM_NUWAR.CQ tandem, see: TROJ_SMALL.EDW Storms into Inboxes, Teams Up with NUWAR to Create Unique Network.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_NUWAR.AOS Behavior Diagram

Malware Overview

This worm arrives contained in a password-protected RAR archive file attached to spammed email messages. The said email messages can have any of the following subject lines:

  • Spyware Activity Detected!
  • Spyware Alert!
  • Spyware Detected!
  • Virus Activity Detected!
  • Virus Alert!
  • Virus Detected!
  • Worm Activity Detected!
  • Worm Alert!
  • Worm Detected!

The password to the archive file is contained in the .GIF image that serves as the message body, so the message carries no text for content filters to inspect. Trend Micro detects the malicious archive file as WORM_NUWAR.RAR.
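A mail-gateway heuristic for the lure described above, as an added example that is not Trend Micro's code: it flags a message whose subject is one of the listed lines, whose visible body is an inline GIF rather than text, and that carries a RAR attachment. The sample message, its addresses and the attachment name patch.rar are constructed; the attachment is dummy bytes, not malware.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject lines listed in the description (matched case-insensitively).
STORM_SUBJECTS = {
    "spyware activity detected!", "spyware alert!", "spyware detected!",
    "virus activity detected!", "virus alert!", "virus detected!",
    "worm activity detected!", "worm alert!", "worm detected!",
}

RAR_MAGIC = b"Rar!\x1a\x07"  # signature of RAR 1.5 - 4.x archives

def analyze(raw: bytes) -> dict:
    """Collect the lure's indicators from a raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip().lower()
    found = {"subject_match": subject in STORM_SUBJECTS,
             "rar_attachment": False, "gif_body": False, "text_body": False}
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        fname = (part.get_filename() or "").lower()
        payload = part.get_payload(decode=True) or b""
        # RAR attachment: by extension or by magic bytes (extension may be renamed)
        if fname.endswith(".rar") or payload.startswith(RAR_MAGIC):
            found["rar_attachment"] = True
        # Inline GIF standing in for the message body (carries the password)
        elif ctype == "image/gif" and part.get_content_disposition() != "attachment":
            found["gif_body"] = True
        elif ctype == "text/plain" and payload.strip():
            found["text_body"] = True
    return found

def is_storm_lure(raw: bytes) -> bool:
    """All three lure traits present and no real text body -> quarantine candidate."""
    f = analyze(raw)
    return f["subject_match"] and f["rar_attachment"] and f["gif_body"] and not f["text_body"]

def build_sample() -> bytes:
    """Constructed message mimicking the lure layout (empty text, inline GIF, RAR)."""
    msg = EmailMessage()
    msg["From"] = "John Smith <john@example.invalid>"   # constructed sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = "Virus Alert!"
    msg.set_content("")  # no text: the GIF is the body
    msg.add_related(b"GIF89a" + b"\x00" * 16, maintype="image", subtype="gif",
                    disposition="inline", cid="<body@example.invalid>")
    msg.add_attachment(RAR_MAGIC + b"\x00" * 16, maintype="application",
                       subtype="x-rar-compressed", filename="patch.rar")
    return msg.as_bytes()
```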

This worm spreads by attaching a copy of itself to an email message, which it sends using its own Simple Mail Transfer Protocol (SMTP) engine. Having its own SMTP engine allows it to send email messages without using any mailing application, such as MS Outlook.

It spoofs the From field of an email message by using a list of common names followed by a spoofed domain name. The said action tricks users into thinking that the email message comes from a trusted source.

It drops files that are detected by Trend Micro as TROJ_SMALL.EDW. As a result, routines of the dropped Trojan are also exhibited on the affected system.

This worm disables Internet Connection Sharing (ICS), thereby preventing other machines in the network from accessing Internet resources. In addition, it disables Windows Firewall, lowering the system's security and opening the affected machine to further attacks.

Moreover, it terminates certain processes, most of which belong to antivirus and security applications. This hinders its detection and subsequent removal.

For additional information about this threat, see:
Solution
Technical Details

Description created: Apr. 25, 2007 8:36:44 AM GMT -0800
