Description:
Barely three weeks into the new year, as the storm "Kyrill" raged across central Europe, another "storm" brewed. The new storm was a deluge of spam email messages that promised information about Europe's most severe winter storm since 1999, with subject lines such as "230 dead as storm batters Europe", among others.
That is how this Trojan, arriving as an attachment to the said email messages, came to be dubbed the "Storm" malware. But this Trojan is more than just a malware with a clever social engineering technique. Bringing WORM_NUWAR.CQ along with it, it created a partnership that staged a complex attack.
To read a comprehensive article about the routines and ultimate goals of the TROJ_SMALL.EDW-WORM_NUWAR.CQ tandem, click here: TROJ_SMALL.EDW Storms into Inboxes, Teams Up with NUWAR to Create Unique Network.
To get a one-glance comprehensive view of the behavior of this malware, refer to the Behavior Diagram shown below.
Malware Overview
This worm arrives as an attachment to mass-mailed email messages. It may also arrive as a file downloaded by other malware.
It spreads by attaching a copy of itself to an email message, which it sends using its own Simple Mail Transfer Protocol (SMTP) engine. Having its own SMTP engine allows it to send messages without using any mailing application, such as MS Outlook.
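A worm with its own SMTP engine delivers mail straight to remote mail servers instead of handing it to the organization's relay, so outbound TCP/25 connections from ordinary workstations to many distinct servers are a practical detection signal. The following is an added example for defenders, not Trend Micro's code or part of the original description; the log format and addresses are constructed, and the approved relay address is an assumption.

```python
"""Flag hosts that behave like a mass-mailer with a built-in SMTP engine.

Added defender-side example. The firewall log format below is constructed
(fields: time src dst dport action); real logs will need their own parser.
"""
import re
from collections import defaultdict

# Constructed sample log: 10.0.1.2 is the (assumed) approved mail relay,
# 10.0.5.17 is a workstation mailing several external servers directly.
SAMPLE_LOG = """\
2007-01-19T08:01:02 10.0.5.17 192.0.2.10 25 ALLOW
2007-01-19T08:01:03 10.0.5.17 198.51.100.22 25 ALLOW
2007-01-19T08:01:04 10.0.5.17 203.0.113.5 25 ALLOW
2007-01-19T08:01:05 10.0.5.17 203.0.113.9 25 ALLOW
2007-01-19T08:01:06 10.0.1.2 192.0.2.10 25 ALLOW
2007-01-19T08:01:07 10.0.5.40 192.0.2.10 443 ALLOW
2007-01-19T08:01:08 10.0.5.40 192.0.2.11 25 ALLOW
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\d+) (\w+)$")


def find_smtp_engines(log_text, mail_relays, threshold=3):
    """Return {src: set(dst)} for hosts that are not an approved relay and
    opened allowed SMTP (port 25) connections to at least `threshold`
    distinct destination servers."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than failing the sweep
        _, src, dst, dport, action = m.groups()
        if dport == "25" and action == "ALLOW" and src not in mail_relays:
            dests[src].add(dst)
    return {src: d for src, d in dests.items() if len(d) >= threshold}


if __name__ == "__main__":
    for host, servers in find_smtp_engines(SAMPLE_LOG, {"10.0.1.2"}).items():
        print(f"{host} sent SMTP directly to {len(servers)} servers")
```

On a real network the same check is usually enforced, not just detected, by a firewall rule that only allows port 25 egress from the relay.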
It spoofs the From field of an email message by using a list of common names followed by a spoofed domain name. Users may be tricked into thinking that the email message is from a trusted source.
Upon execution, it drops a copy of itself in the Windows system folder. It also drops a randomly named file detected by Trend Micro as TROJ_SMALL.EDW.
This worm searches for .EXE and .SCR files on the affected system and inserts code into them so that the target files automatically execute a copy of this worm when run. Modified .EXE and .SCR files are detected by Trend Micro as PE_LUDER.A.
Note that this worm skips files protected by the Windows File Protection feature, so as not to trigger the pop-up warnings that would notify the affected user of its presence on the system.
It terminates processes, most of which are related to antivirus and security applications. The said routine allows this worm to avoid easy detection.
In addition, it disables Internet Connection Sharing (ICS) and Windows Firewall by modifying a related registry entry.
Description created: Jan. 21, 2007 5:06:56 PM GMT -0800