WORM_NUWAR.ARC
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Zhelatin.ki (Kaspersky), W32/Nuwar@MM (McAfee), Trojan.Peacomm.C (Symantec), TR/Rootkit.Gen (Avira), Troj/Dorf-X (Sophos), Backdoor:WinNT/Nuwar.B!sys (Microsoft)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 98, ME, NT, 2000, XP, Server 2003

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential: High

Distribution potential: High

Infection Channel 1: Propagates via email

Infection Channel 2: Propagates via peer-to-peer networks


Description: 

For an at-a-glance view of the behavior of this malware, refer to the Behavior Diagram shown below.

WORM_NUWAR.ARC Behavior Diagram

Malware Overview

This worm may be dropped by other malware. It may also be downloaded unknowingly by a user when visiting malicious Web sites.

It propagates via email. The spammed email messages, which purport to be electronic greeting cards (eCards) sent by contacts known to a target user, include a link where a copy of this worm can be downloaded. The eCards supposedly come from legitimate eCard Web sites.

It connects to a Web page that displays an image of a laughing cat to trick users into thinking that it is non-malicious. Below is a screenshot of that page:

Laughing cat

It also modifies certain files to hamper the availability of a network connection. Using its rootkit capabilities, it also hides files, processes, and folders with certain strings.

In addition, it terminates certain processes related to antivirus and security applications, which allows this worm to execute without being detected.

This worm is capable of downloading an updated copy of itself. Once it downloads an updated copy, it executes that copy on the affected system.


Description created: Oct. 13, 2007 2:12:17 PM GMT -0800
