WORM_NUWAR.AQL
Overview

Malware type: Worm

Aliases: Tibs-Packed (McAfee), Trojan.Packed.13 (Symantec), Worm/Zhelatin.IP.4 (Avira), Mal/Dorf-A (Sophos)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows XP, Server 2003

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

Medium

Distribution potential:

Low

Infection Channel 1: Spammed via email


Description: 

This worm is part of a complex attack initiated by the NUWAR family. The attack employs multiple components that work together to achieve a common goal. Read a comprehensive description of the malware family here: War Against NUWAR: Fighting the Latest Profit-driven, Multi-component, Focused Attack.

To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_NUWAR.AQL Behavior Diagram

Malware Overview

This worm may be downloaded from remote site(s) by other malware.

It arrives via spammed email messages that contain links where this worm can be downloaded.

These email messages use a certain subject line and message details. Once a link is clicked, the user is redirected to a Web site where another piece of malware can be executed to exploit the affected system. A copy of this worm is then downloaded and executed on the successfully exploited system.

It drops certain files, including a .SYS file detected by Trend Micro as TROJ_TIBS.ART. As a result, the routines of the dropped Trojan may be exhibited on the system. The said .SYS file is used by this worm for its rootkit and process termination routines.

It also modifies certain files, allowing the execution of its dropped component at every system startup.

It terminates several processes if they are found running in memory.

For additional information about this threat, see: Solution, Technical Details

Description created: Sep. 6, 2007 4:40:05 AM GMT -0800
