
W32/Nuwar@MM

Type: Virus
SubType: Email
Discovery Date: 11/02/2006
Length: Varies
Minimum DAT: 4887 (11/02/2006)
Updated DAT: 5760 (10/03/2009)
Minimum Engine: 5.1.00
Description Added: 11/02/2006
Description Modified: 07/30/2008 3:25 PM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled


Characteristics

-- Update July 30th, 2008 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.itnews.com.au/News/81475,storm-spoofs-fbi.aspx and http://www.fbi.gov/pressrel/pressrel08/stormworm073008.htm.

 

The spam run uses an FBI and Facebook theme. The spammed emails contain a link to a purported video; following it downloads an executable file, often called fbi_facebook.exe.

Upon execution of the downloaded file, the following hidden files are dropped in the %Windir% folder:

  • %Windir%\glok+7efb-1342.sys (the filename is random)
  • %Windir%\glok+serv.config

(where %WinDir% is the default Windows directory, for example C:\WINNT, C:\WINDOWS etc.)

A hidden service with a random name is registered under the following keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_GLOK+7EFB-1342
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Enum\Root\LEGACY_GLOK+7EFB-1342
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\glok+7efb-1342
  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\glok+7efb-1342

The driver uses SSDT hooking (patching entries of the kernel's System Service Descriptor Table) so that the following native functions return filtered results, hiding the dropped files, service keys and values from user-mode enumeration:

  • ZwEnumerateValueKey (hides registry values)
  • ZwQueryDirectoryFile (hides files from directory listings)
  • ZwEnumerateKey (hides registry subkeys)

Because only the live system's view is filtered, a cross-view comparison (listing %Windir% and the Services key on the running system versus an offline mount of the same disk) exposes the hidden artifacts.

The malware continuously probes random IP addresses on a number of UDP ports. It also attempts to send spam emails.

For instance, one spammed email has the subject:

"Every night will be the night of pleasure if you take the right antiED's."

and the body:

"Best doctors recommend this. http://[removed]"

-- Update July 09th, 2008 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.scmagazineus.com/Fake-Storm-Worm-blast-claims-World-War-III-is-here/article/112248/ and http://www.absolutegadget.com/200807091462/news/personal-computing/malware-gang-exploits-middle-east-tension.html

The spam run uses the theme of a war in the Middle East between Iran and the United States. The spammed emails contain a link to a video that purports to show the first minutes of World War III. The file which is ultimately downloaded is an executable, often called iran_occupation.exe or Form.exe.

For more information on this tactic, please see the Avert Blog.

-- Update June 19, 2008 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at: http://www.theregister.co.uk/2008/06/19/bogus_beijing_quake_malware_ruse/

The notorious authors of this threat have adopted a new social engineering technique. W32/Nuwar@MM spam messages now contain fake news about an earthquake in Beijing and how it may affect the upcoming Olympic Games.

The subject line may include one of the following:

  • A new deadly catastrophe in China
  • A new massive quake struck China
  • A new powerful disaster in China
  • China is paralyzed by new earthquake
  • China's most deadly earthquake
  • Chinese government keeps back the real number of earthquake victims
  • Chinese people are horrified by new earthquake
  • Countless victims of earthquake in China
  • Deadly catastrophe in Chinese capital
  • Deadly earthquake shook China again
  • Destruction in China continue
  • Dozens killed in China earthquake
  • Earth tremors in China is going on
  • Massive death toll feared in Chinese earthquake
  • Million dead in Chinese quake
  • Recent earthquake in china took a heavy toll
  • Strongest earthquake hits Beijing
  • The list of Chinese victims is growing
  • The massive disaster leveled the center of Beijing to the ground
  • The most powerful quake hits China
  • Toll mounts in China earthquake
  • Unprecedented earthquake in China

The body text consists of one of the above strings followed by a URL. For example:

  • A new massive quake struck China http://[removed]

These emails try to trick the user into following a link that leads to a web page containing what appears to be an embedded video player. There is no video; in fact the "player" is just an image, and clicking on it downloads a W32/Nuwar@MM executable, typically named beijing.exe.


On execution, it creates a copy of itself in the %Windir% directory as msvupdater.exe and adds itself to the following Run key so that it regains control after a reboot:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run

 

It also modifies the following registry value (the NTP server used by the Windows Time service):

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer


-- Update April 1st, 2008 --

Recent waves of W32/Nuwar@MM spammings purport to be April Fool's Day greetings, containing a link to a website.  The file which is ultimately downloaded is an executable file, often called funny.exe, kickme.exe, or foolsday.exe.

For more information on this most recent wave, please see the Avert Blog.


-- Update February 13th, 2008 --

Recent waves of W32/Nuwar@MM spammings purport to be Valentine's Day greetings, containing a link to a website.  The file which is ultimately downloaded is an executable file, often called valentine.exe, sony.exe, or shift.exe.

For more information on this most recent wave, please see the Avert Blog.

-- Update August 28th, 2007 --

A new trend in W32/Nuwar has been observed: an email containing a link to a purported YouTube video. The legitimate-looking link points to a malicious page that runs a cocktail of browser exploits which, when successful, infect the victim's machine with the W32/Nuwar virus. For more information, see the Avert Blog.

-- Update August 14th, 2007 --

Recent waves of W32/Nuwar@MM spammings purport to be from an electronic greeting card company, containing a link to a personal greeting.  The file which is ultimately downloaded is an executable file, often called ecard.exe.

For more information on this tactic, please see the Avert Blog.

-- Update April 24th, 2007 --

A new spam wave of W32/Nuwar@MM was discovered today. It arrives in a password-protected RAR file with the password contained in the body of the mail.

The RAR filename may be one of the following:

  • bugfix-####.rar
  • hotfix-####.rar
  • patch-####.rar
  • removal-####.rar

(where #### is a random four or five-digit number)

The RAR file is detected as W32/Nuwar@MM!rar with DAT 5017.

-- Update April 12th, 2007 --

A new spam wave of W32/Nuwar@MM was discovered today. It arrives in a password-protected ZIP file with the password contained in the body of the mail.

The subject line may include one of the following:

  • Worm Alert!
  • Worm Detected!
  • Virus Alert!
  • Trojan Detected!
  • Worm Activity Detected!
  • Spyware Detected!
  • Virus Activity Detected!

The accompanying GIF image may be named one of the following:

  • UrgentNotice.gif
  • AutoComplaint.gif
  • AbuseReport.gif
  • Complaint.gif
  • AbuseNotice.gif

The ZIP filename may be one of the following:

  • patch-####.zip
  • bugfix-####.zip
  • hotfix-####.zip
  • removal-####.zip

(where #### is a random four or five-digit number)

The SYS file that it drops is detected with the 5006 DATs and higher as Downloader-BAI.sys.gen.a.

-- Update April 9, 2007 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015979&intsrc=hm_list

-- Update April 8th, 2007 --

New spam runs of W32/Nuwar@MM droppers were discovered this weekend. The malware embedded in these droppers was already proactively detected as Downloader-BAI since DAT version 4964 (February 15th, 2007), and as Downloader-BAI.sys.gen (rootkit) since DAT version 4950 (January 26th, 2007).

These spammed e-mails may carry contradictory subject headers such as:

  • Missle Strike: The USA kills more then 1000 Iranian citizens
  • Missle Strike: The USA kills more then 10000 Iranian citizens
  • Missle Strike: The USA kills more then 20000 Iranian citizens
  • USA Missle Strike: Iran War just have started
  • Israel Just Have Started World War III
  • USA Just Have Started World War III
  • Iran Just Have Started World War III
  • USA Declares War on Iran

Containing a file attachment with one of the following filename(s):

  • More.exe
  • Read More.exe
  • Click Here.exe
  • Click Me.exe
  • Read Me.exe
  • Movie.exe
  • News.exe
  • Video.exe

Like earlier variants, this malware is remotely controlled over a P2P network, using a hard-coded list of 256 peers dropped as the file %Windir%\System32\wincom32.ini.

(Where %Windir% is the Windows folder; e.g. C:\Windows)

-- Update December 30th, 2006 --

New spam runs of W32/Nuwar@MM variants were discovered this weekend, with subject headers such as:

  • Wishing Your Happiness!
  • Annual Fun Forecast!
  • Wishing You Happy New Year !
  • Sparkling Happiness and Good Times!
  • Fun Filled New Year!
  • Baby New Year !
  • May Your Dreams Come True!
  • Happiness and Success!
  • Happy 2007!
  • Warmes Wishes For New Year!
  • Happiness In Everything!
  • New Year..Happy Year!
  • Welcome 2007!
  • Fun 2007!

... and attachment filenames such as:

  • Greeting Postcard.exe
  • Greeting Card.exe
  • postcard.exe

As W32/Nuwar@MM embeds a downloader component (Downloader-ARL), spam content may vary as it receives updates from the malicious download site(s).

-- Update December 28th, 2006 --

A new variant was found in spammed e-mails resembling the following content:

From:{spoofed e-mail address}
To: {your e-mail address}
Subject: Happy New Year!
Body: 

{blank}

Attachment: postcard.exe (W32/Nuwar@MM)

When run, postcard.exe drops Downloader-ARL with a random filename and contacts 81.177.x.x, which is consistent with other variants. postcard.exe was briefly detected as a Downloader-ARL variant earlier.

-- Update November 08, 2006 --

The risk assessment of this threat has been updated to Low-Profiled due to media attention at:

http://www.theregister.co.uk/2006/11/08/nuclear_war_worm/


W32/Nuwar@MM is a mass mailing worm which attempts to send copies of itself based on email information harvested from the host system.  The emails it sends are detected as W32/Zhelatin.gen!eml.

The characteristics of this worm, with regard to file names, folders created, port numbers used, etc, will differ from one variant to another. Hence, this is a general description.

Installation

Upon execution, this worm creates copies of itself extensively across the target machine.  The copies have randomly generated 8-character alpha names ending in a ".t" file extension, and are created throughout the directory hierarchy.  These copies also have the "hidden" file attribute set. 

It also copies itself to the Windows System directory:

  • %SysDir%\wservice.exe (15,947 bytes)

It also drops a randomly named file, detected as Downloader-ARL, in the directory the worm was originally run from:

  • %CurrentFolder%\[random].exe (5,707 bytes)

The following registry values are created to load the worm at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    "UpdateService"="C:\\WINDOWS\\system32\\wservice.exe"
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    "UpdateService"="C:\\WINDOWS\\system32\\wservice.exe"

The following registry value is also set in order to disable the Internet Connection Firewall on Windows XP (Start=4 is SERVICE_DISABLED, so the SharedAccess service that hosts the firewall is never started):

  • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sharedaccess
    \Start="4"

The worm also creates a mutex named "Kusyyyy" in order to ensure only one copy of the worm is run at a time.
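The artifacts listed above (the hidden .t copies, wservice.exe and its Run values, the disabled SharedAccess service, the Kusyyyy mutex) together with those from the later waves (msvupdater.exe, the glok+ driver and service, wincom32.ini) can be checked mechanically. The following Python script is an added example, not McAfee's tool or part of the original description: it evaluates a host snapshot expressed as a plain dictionary so that it runs offline; the snapshot contents are constructed for the demo, and on a live Windows host you would populate it from os.walk(), winreg and a handle enumerator. Because the rootkit component hooks the enumeration functions, a snapshot taken on the running infected system may not show the hidden files; collect it from an offline mount or another trusted view.

```python
"""Host-artifact triage for the W32/Nuwar@MM indicators listed on this page.

Added example, not McAfee's tool. It evaluates a host *snapshot* (a plain
dict of file paths, registry values, service names and mutex names) so that
it runs offline. All sample data below is constructed for the demo.
"""
import re
from typing import Dict, List

# Randomly named hidden copies: 8 alphabetic characters plus ".t"
T_COPY = re.compile(r"(?:^|\\)[A-Za-z]{8}\.t$")
# Rootkit driver dropped in %Windir% by the July 2008 wave (glok+<hex4>-<hex4>.sys)
GLOK_FILE = re.compile(r"(?:^|\\)glok\+[0-9a-f]{4}-[0-9a-f]{4}\.sys$", re.I)
GLOK_SERVICE = re.compile(r"^glok\+", re.I)
KNOWN_FILES = {"wservice.exe", "msvupdater.exe", "wincom32.ini", "glok+serv.config"}
KNOWN_MUTEXES = {"Kusyyyy"}


def triage(snapshot: Dict) -> List[str]:
    """Return human-readable findings; an empty list means no indicator matched."""
    findings = []

    for path in snapshot.get("files", []):
        name = path.rsplit("\\", 1)[-1]
        if T_COPY.search(path):
            findings.append(f"hidden worm copy: {path}")
        elif GLOK_FILE.search(path):
            findings.append(f"rootkit driver: {path}")
        elif name.lower() in KNOWN_FILES:
            findings.append(f"known dropped file: {path}")

    # Registry keys in the snapshot are expected with the HKCU/HKLM prefixes used below
    reg = snapshot.get("registry", {})
    for hive in ("HKCU", "HKLM"):
        run = reg.get(hive + r"\Software\Microsoft\Windows\CurrentVersion\Run", {})
        for value_name, data in run.items():
            if data.lower().endswith(("wservice.exe", "msvupdater.exe")):
                findings.append(f"{hive} Run persistence: {value_name} = {data}")

    # Start=4 is SERVICE_DISABLED: the SharedAccess service hosting the XP firewall never starts
    shared = reg.get(r"HKLM\System\CurrentControlSet\Services\SharedAccess", {})
    if str(shared.get("Start")) == "4":
        findings.append("Windows Firewall (SharedAccess) disabled via Start=4")

    for svc in snapshot.get("services", []):
        if GLOK_SERVICE.match(svc):
            findings.append(f"rootkit service: {svc}")

    for m in snapshot.get("mutexes", []):
        if m in KNOWN_MUTEXES:
            findings.append(f"worm mutex present: {m}")

    return findings


# Constructed snapshot of an infected host (not real telemetry)
INFECTED = {
    "files": [
        r"C:\WINDOWS\system32\wservice.exe",
        r"C:\Documents and Settings\user\My Documents\qwtrnbxz.t",
        r"C:\WINDOWS\glok+7efb-1342.sys",
        r"C:\WINDOWS\glok+serv.config",
        r"C:\WINDOWS\system32\wincom32.ini",
        r"C:\Program Files\Common Files\readme.txt",
    ],
    "registry": {
        r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {"UpdateService": r"C:\WINDOWS\system32\wservice.exe"},
        r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run": {"UpdateService": r"C:\WINDOWS\system32\wservice.exe"},
        r"HKLM\System\CurrentControlSet\Services\SharedAccess": {"Start": "4"},
    },
    "services": ["Spooler", "glok+7efb-1342"],
    "mutexes": ["Kusyyyy", "ShimCacheMutex"],
}

# Constructed snapshot of a clean host: a six-letter .t file and Start=2 must not fire
CLEAN = {
    "files": [r"C:\WINDOWS\system32\svchost.exe", r"C:\data\report.t"],
    "registry": {r"HKLM\System\CurrentControlSet\Services\SharedAccess": {"Start": "2"}},
    "services": ["Spooler"],
    "mutexes": ["ShimCacheMutex"],
}

if __name__ == "__main__":
    for line in triage(INFECTED):
        print(line)
```

The .t regex deliberately requires exactly eight letters so that ordinary files with a .t extension do not fire; the Run check matches on the binary name rather than the value name "UpdateService", because a variant can change the value name without changing the dropped file.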

Symptoms

The worm will terminate applications based on window name.  Applications using the following text in their window name will be terminated within a few seconds of launch:

  • mcafee
  • taskmgr
  • hijack
  • f-pro
  • lockdown
  • msconfig
  • firewall
  • blackice
  • avg
  • vsmon
  • zonea
  • spybot
  • nod32
  • reged
  • rav
  • nav
  • avp
  • troja
  • viru
  • anti
  • Registry Editor

Method of Infection

Mail Propagation

The worm arrives in an email message as follows:

From: (The sender address is spoofed, using a first name from the following list)

  • Zenia
  • Zoe
  • Zilya
  • Xenia
  • Xylia
  • Xandra
  • Willa
  • Wendy
  • Vicky
  • Vivian
  • Violet
  • Valora
  • Vanessa
  • Valda
  • Ula
  • Uma
  • Sharon
  • Silver
  • Rosa
  • Ruby
  • Rita
  • Rae
  • Rachel
  • Queen
  • Peggy
  • Pamela
  • Olivia
  • Olga
  • Nicole
  • Naomi
  • Natalie
  • Nora
  • Nina
  • Nova
  • Nadia
  • Maia
  • Mary
  • Melody
  • Mimi
  • Myra
  • Linda
  • Lisa
  • Lolita
  • Lynn
  • Laura
  • Lara
  • Kara
  • Kassia
  • Kyle
  • Kali
  • Kacey
  • Katrina
  • Janet
  • Jewel
  • Joanna
  • Juliet
  • Julie
  • Ida
  • Idona
  • Isabel
  • Iris
  • Ivana
  • Ivory
  • Helga
  • Holly
  • Haley
  • Gloria
  • Gilda
  • Gale
  • Faith
  • Emily
  • Evelyn
  • Eve
  • Erika
  • Eliza
  • Eden
  • Ebony
  • Donna
  • Dora
  • Doris
  • Diana
  • Danielle
  • Daria
  • Damita
  • Camille
  • Cara
  • Carla
  • Carmen
  • Clarissa
  • Chelsea
  • Caitlin
  • Bettina
  • Blenda
  • Bridget
  • Briana
  • Bella
  • Becky
  • Barbra
  • Aldora
  • Alysia
  • Amorita
  • Aretina
  • Ara
  • April
  • Anita

The worm will finish constructing the spoofed email addresses by using domain names found on the system.

Subject: (Taken from the following list)

  • White house news!
  • URG
  • ATTN TO EVERYBODY!
  • READ AND RESEND ASAP!
  • Incredible news!
  • NEWS!
  • ATTN
  • URGENT NEWS!

Message Body: (Taken from the following list)

  • 3rd Glogal War Just Started!!! Read more in file!
  • Putin and Bush starts NUCLEAR WAR! Check the file!
  • GLOBAL NUCLEAR WAR JUST STARTED! News in file.
  • Nuclear War in Russia! Read news in file!
  • Nuclear WAR in USA! Read attached file!
  • President Putin dead! Read more in attached file!
  • President Bush DEAD! Read attached file!

Attachment name: (Taken from the following list)

  • open.exe
  • truth.exe
  • war.exe
  • last.exe
  • about me.exe
  • a.exe
  • never.exe
  • latest news.exe
  • read me.exe

Removal

All Users:
Use specified engine and DAT files for detection and removal. Delete files which contain this detection.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

W32/Nuwar@MM is a mass mailing worm that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer.  It also drops a file which may be detected as either Downloader-ARL or Downloader-BAI.  The emails it sends are detected as W32/Zhelatin.gen!eml.

Aliases

  • Email-Worm.Win32.Glowa (Kaspersky)
  • I-Worm/Nuwar (Grisoft)
  • Storm Worm
  • Trojan.Peacomm.D (Symantec)
  • W32.Mixor@mm (Symantec)
  • W32/Nuwar.worm (Panda)
  • W32/Nuwar@mm (Fortinet)
  • Win32/Luder!generic (CA)
  • Win32/Nuwar.gen (ESET)
  • WORM_NUWAR (Trend)
