W32/Nuwar@MM
- Type: Virus
- SubType:
- Discovery Date: 11/02/2006
- Length: Varies
- Minimum DAT: 4887 (11/02/2006)
- Updated DAT: 5296 (05/15/2008)
- Minimum Engine: 5.1.00
- Description Added: 11/02/2006
- Description Modified: 04/01/2008 3:34 PM (PT)
Risk Assessment
- Corporate User: Low-Profiled
- Home User: Low-Profiled
Characteristics
-- Update February 13th, 2008 --
Recent waves of W32/Nuwar@MM spammings purport to be Valentine's Day greetings, containing a link to a website. The file which is ultimately downloaded is an executable file, often called valentine.exe, sony.exe, or shift.exe.
For more information on this most recent wave, please see the Avert Blog.
-- Update August 28th, 2007 --
A new trend in W32/Nuwar has been observed with an email containing a link to a YouTube video. The legitimate-looking link points to a malicious page which runs a cocktail of exploits which, when successful, will infect the victim's machine with the W32/Nuwar virus. For more information, you can read about it at the Avert Blog.
-- Update August 14th, 2007 --
Recent waves of W32/Nuwar@MM spammings purport to be from an electronic greeting card company, containing a link to a personal greeting. The file which is ultimately downloaded is an executable file, often called ecard.exe.
For more information on this tactic, please see the Avert Blog.
-- Update April 24th, 2007 --
A new wave of spammings of W32/Nuwar@MM has been discovered today. It arrives in a password-protected RAR file with the password contained in the body of the mail.
The RAR filename may be one of the following:
- bugfix-####.rar
- hotfix-####.rar
- patch-####.rar
- removal-####.rar
(where #### is a random four or five-digit number)
The RAR file is detected as W32/Nuwar@MM!rar with DAT 5017.
-- Update April 12th, 2007 --
A new wave of spammings of W32/Nuwar@MM has been discovered today. It arrives in a password-protected ZIP file with the password contained in the body of the mail.
The subject line may include one of the following:
- Worm Alert!
- Worm Detected!
- Virus Alert!
- Trojan Detected!
- Worm Activity Detected!
- Spyware Detected!
- Virus Activity Detected!
The GIF filename may include one of the following:
- UrgentNotice.gif
- AutoComplaint.gif
- AbuseReport.gif
- Complaint.gif
- AbuseNotice.gif
The ZIP filename may be one of the following:
- patch-####.zip
- bugfix-####.zip
- hotfix-####.zip
- removal-####.zip
(where #### is a random four or five-digit number)
The SYS file that it drops is detected with the 5006 DATs and higher as Downloader-BAI.sys.gen.a.
-- Update April 9, 2007 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9015979&intsrc=hm_list
-- Update April 8th, 2007 --
New spammings of W32/Nuwar@MM droppers were discovered this weekend. The malware embedded in these droppers was already proactively detected as Downloader-BAI since DAT version 4964 (February 15th, 2007), and as Downloader-BAI.sys.gen (rootkit) since DAT version 4950 (January 26th, 2007).
These spammed e-mails may contain contradictory subject headers such as:
- Missle Strike: The USA kills more then 1000 Iranian citizens
- Missle Strike: The USA kills more then 10000 Iranian citizens
- Missle Strike: The USA kills more then 20000 Iranian citizens
- USA Missle Strike: Iran War just have started
- Israel Just Have Started World War III
- USA Just Have Started World War III
- Iran Just Have Started World War III
- USA Declares War on Iran
The e-mails carry a file attachment with one of the following filenames:
- More.exe
- Read More.exe
- Click Here.exe
- Click Me.exe
- Read Me.exe
- Movie.exe
- News.exe
- Video.exe
Like earlier variants, this malware is remotely controlled via a P2P network, using a hard-coded list of 256 peers dropped as a file in %Windir%\System32\wincom32.ini.
(Where %Windir% is the Windows folder; e.g. C:\Windows)
-- Update December 30th, 2006 --
New spammings of W32/Nuwar@MM variants were discovered this weekend with varying subject headers such as:
- Wishing Your Happiness!
- Annual Fun Forecast!
- Wishing You Happy New Year !
- Sparkling Happiness and Good Times!
- Fun Filled New Year!
- Baby New Year !
- May Your Dreams Come True!
- Happiness and Success!
- Happy 2007!
- Warmes Wishes For New Year!
- Happiness In Everything!
- New Year..Happy Year!
- Welcome 2007!
- Fun 2007!
... and filenames such as:
- Greeting Postcard.exe
- Greeting Card.exe
- postcard.exe
As W32/Nuwar@MM embeds a downloader component (Downloader-ARL), spam content may vary as it receives updates from the malicious download site(s).
-- Update December 28th, 2006 --
A new variant was found in spammed e-mails resembling the following content:
From: {spoofed e-mail address}
To: {your e-mail address}
Subject: Happy New Year!
Body: {blank}
Attachment: postcard.exe (W32/Nuwar@MM)
When run, postcard.exe drops Downloader-ARL with a random filename and contacts 81.177.x.x, which is consistent with other variants. postcard.exe was briefly detected as a Downloader-ARL variant earlier.
-- Update November 08, 2006 --
The risk assessment of this threat has been updated to Low-Profiled due to media attention at:
http://www.theregister.co.uk/2006/11/08/nuclear_war_worm/
W32/Nuwar@MM is a mass mailing worm which attempts to send copies of itself based on email information harvested from the host system. The emails it sends are detected as W32/Zhelatin.gen!eml.
The characteristics of this worm, with regard to file names, folders created, port numbers used, etc., differ from one variant to another. Hence, this is a general description.
Installation
Upon execution, this worm creates copies of itself extensively across the target machine. The copies have randomly generated 8-character alpha names ending in a ".t" file extension, and are created throughout the directory hierarchy. These copies also have the "hidden" file attribute set.
It also copies itself to the Windows System directory:
- %SysDir%\wservice.exe (15,947 bytes)
It also drops a randomly named file, detected as Downloader-ARL, in the directory the worm was originally run from:
- %CurrentFolder%\[random].exe (5,707 bytes)
The following registry keys are created to load the virus at startup.
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  "UpdateService"="C:\\WINDOWS\\system32\\wservice.exe"
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  "UpdateService"="C:\\WINDOWS\\system32\\wservice.exe"
The following registry entry is also set in order to disable the Internet Connection Firewall on Windows XP:
- HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sharedaccess\Start="4"
The worm also creates a mutex named "Kusyyyy" in order to ensure only one copy of the worm is run at a time.
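The installation artifacts above (the wservice.exe Run values, the Sharedaccess Start=4 setting, wincom32.ini, and the hidden 8-letter ".t" copies) can be checked offline against collected evidence. The following is an added example, not McAfee's code: it parses "reg export" text and a file listing with hidden-attribute flags; the sample registry export, file list and helper names are constructed for this illustration.

```python
# Added example (not McAfee's code): triage a host against the W32/Nuwar@MM
# installation artifacts from this description, using "reg export" text and
# a file listing, so it can run offline on collected evidence.
import re
from pathlib import PureWindowsPath

RUN_KEYS = {k.casefold() for k in (
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run")}
SHAREDACCESS = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Sharedaccess".casefold()
DROP_RE = re.compile(r"^[A-Za-z]{8}\.t$")  # random 8-letter alpha name + ".t"
DROPPED_NAMES = {"wservice.exe", "wincom32.ini"}

def parse_reg(text):
    """Minimal .reg export parser: {key (casefolded): {value name: data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].casefold()
            keys[current] = {}
        elif current and line.startswith('"') and '"=' in line:
            name, data = line[1:].split('"=', 1)
            keys[current][name] = data.strip('"')
    return keys

def find_artifacts(reg_text, files):
    """files: iterable of (windows_path, is_hidden) pairs from a directory walk."""
    hits, reg = [], parse_reg(reg_text)
    for key in RUN_KEYS:
        for name, data in reg.get(key, {}).items():
            if "wservice.exe" in data.lower():  # the "UpdateService" Run value
                hits.append(f"run:{name}")
    # Sharedaccess Start=4 disables the Windows XP Internet Connection Firewall
    if reg.get(SHAREDACCESS, {}).get("Start") in ("dword:00000004", "4"):
        hits.append("firewall-service-disabled")
    for path, hidden in files:
        name = PureWindowsPath(path).name
        if name.lower() in DROPPED_NAMES:
            hits.append(f"file:{path}")
        elif hidden and DROP_RE.match(name):  # hidden copies named e.g. qjxkwpla.t
            hits.append(f"dropcopy:{path}")
    return hits

# Constructed sample evidence for this example (not from a real infection)
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"UpdateService"="C:\\WINDOWS\\system32\\wservice.exe"
"VendorTray"="C:\\Program Files\\Vendor\\tray.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess]
"Start"=dword:00000004
'''
SAMPLE_FILES = [
    (r"C:\WINDOWS\system32\wservice.exe", False),
    (r"C:\WINDOWS\system32\wincom32.ini", False),
    (r"C:\Documents and Settings\user\qjxkwpla.t", True),
    (r"C:\Documents and Settings\user\notes.txt", False),
    (r"C:\temp\readme.t", False),
]
```

Running find_artifacts(SAMPLE_REG, SAMPLE_FILES) reports the Run value, the disabled firewall service, both dropped files and the hidden ".t" copy, while the legitimate tray entry, notes.txt and the non-hidden readme.t are not flagged.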
Symptoms
The worm will terminate applications based on window name. Applications using the following text in their window name will be terminated within a few seconds of launch:
- mcafee
- taskmgr
- hijack
- f-pro
- lockdown
- msconfig
- firewall
- blackice
- avg
- vsmon
- zonea
- spybot
- nod32
- reged
- rav
- nav
- avp
- troja
- viru
- anti
- Registry Editor
Method of Infection
Mail Propagation
The virus arrives in an email message as follows:
From: (The from address may be spoofed using addresses such as the following)
- Zenia
- Zoe
- Zilya
- Xenia
- Xylia
- Xandra
- Willa
- Wendy
- Vicky
- Vivian
- Violet
- Valora
- Vanessa
- Valda
- Ula
- Uma
- Sharon
- Silver
- Rosa
- Ruby
- Rita
- Rae
- Rachel
- Queen
- Peggy
- Pamela
- Olivia
- Olga
- Nicole
- Naomi
- Natalie
- Nora
- Nina
- Nova
- Nadia
- Maia
- Mary
- Melody
- Mimi
- Myra
- Linda
- Lisa
- Lolita
- Lynn
- Laura
- Lara
- Kara
- Kassia
- Kyle
- Kali
- Kacey
- Katrina
- Janet
- Jewel
- Joanna
- Juliet
- Julie
- Ida
- Idona
- Isabel
- Iris
- Ivana
- Ivory
- Helga
- Holly
- Haley
- Gloria
- Gilda
- Gale
- Faith
- Emily
- Evelyn
- Eve
- Erika
- Eliza
- Eden
- Ebony
- Donna
- Dora
- Doris
- Diana
- Danielle
- Daria
- Damita
- Camille
- Cara
- Carla
- Carmen
- Clarissa
- Chelsea
- Caitlin
- Bettina
- Blenda
- Bridget
- Briana
- Bella
- Becky
- Barbra
- Aldora
- Alysia
- Amorita
- Aretina
- Ara
- April
- Anita
The worm will finish constructing the spoofed email addresses by using domain names found on the system.
Subject: (Taken from the following list)
- White house news!
- URG
- ATTN TO EVERYBODY!
- READ AND RESEND ASAP!
- Incredible news!
- NEWS!
- ATTN
- URGENT NEWS!
Message Body: (Taken from the following list)
- 3rd Glogal War Just Started!!! Read more in file!
- Putin and Bush starts NUCLEAR WAR! Check the file!
- GLOBAL NUCLEAR WAR JUST STARTED! News in file.
- Nuclear War in Russia! Read news in file!
- Nuclear WAR in USA! Read attached file!
- President Putin dead! Read more in attached file!
- President Bush DEAD! Read attached file!
Attachment name: (Taken from the following list)
- open.exe
- truth.exe
- war.exe
- last.exe
- about me.exe
- a.exe
- never.exe
- latest news.exe
- read me.exe
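The lure indicators given in this description (the subject lines, the attachment names, and the password-protected patch-####.zip / .rar archives of the April 2007 waves with the password in the body) can be combined into a simple mail-gateway check. The following is an added example, not McAfee's detection logic; the sample message is constructed and the function and constant names are this example's own.

```python
# Added example (not McAfee's code): score an RFC 822 message against the
# W32/Nuwar@MM lure indicators listed in this description (subjects, attachment
# names, and the password-protected patch-####.zip/.rar archives).
import email
import re
from email import policy

SUBJECTS = {s.casefold() for s in (
    "White house news!", "URG", "ATTN TO EVERYBODY!", "READ AND RESEND ASAP!",
    "Incredible news!", "NEWS!", "ATTN", "URGENT NEWS!", "Happy New Year!",
    "Worm Alert!", "Worm Detected!", "Virus Alert!", "Trojan Detected!",
    "Worm Activity Detected!", "Spyware Detected!", "Virus Activity Detected!")}
ATTACHMENTS = {
    "open.exe", "truth.exe", "war.exe", "last.exe", "about me.exe", "a.exe",
    "never.exe", "latest news.exe", "read me.exe", "postcard.exe",
    "greeting postcard.exe", "greeting card.exe", "ecard.exe"}
# patch-####.zip, bugfix-####.rar, ...: #### is four or five digits
ARCHIVE_RE = re.compile(r"^(patch|bugfix|hotfix|removal)-\d{4,5}\.(zip|rar)$")
PASSWORD_RE = re.compile(r"\bpassword\b", re.I)

def classify(raw: bytes) -> dict:
    """Return the indicator hits for one message and a block/pass verdict."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = (msg["Subject"] or "").strip()
    if subject.casefold() in SUBJECTS:
        hits.append(f"subject:{subject}")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content() if body is not None else ""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append(f"attachment:{name}")
        elif ARCHIVE_RE.match(name):
            hits.append(f"archive:{name}")
            # The April 2007 waves put the archive password in the mail body
            if PASSWORD_RE.search(text):
                hits.append("password-in-body")
    return {"hits": hits, "verdict": "block" if hits else "pass"}

# Constructed sample message for this example (not a captured spam)
SAMPLE = b"""From: Zoe <zoe@example.test>
To: victim@example.test
Subject: Virus Alert!
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Your computer is sending spam. Details are in the attached archive.
The archive password is 3921.
--b1
Content-Type: application/zip; name="patch-48213.zip"
Content-Disposition: attachment; filename="patch-48213.zip"
Content-Transfer-Encoding: base64

UEsDBAo=
--b1--
"""
```

classify(SAMPLE) returns a "block" verdict with hits for the subject, the archive name pattern and the password in the body; a message matching none of the lists passes.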
Removal
All Users: Use specified engine and DAT files for detection and removal. Delete files which contain this detection.
Variants
N/A
Overview
-- Update April 1st, 2008 --
Recent waves of W32/Nuwar@MM spammings purport to be April Fool's Day greetings, containing a link to a website. The file which is ultimately downloaded is an executable file, often called funny.exe, kickme.exe, or foolsday.exe.
For more information on this most recent wave, please see the Avert Blog.
W32/Nuwar@MM is a mass mailing worm that uses its own SMTP engine to send itself to the email addresses that it harvests on the infected computer. It also drops a file which may be detected as either Downloader-ARL or Downloader-BAI. The emails it sends are detected as W32/Zhelatin.gen!eml.
Aliases
- Email-Worm.Win32.Glowa (Kaspersky)
- I-Worm/Nuwar (Grisoft)
- Storm Worm
- W32.Mixor@mm (Symantec)
- W32/Nuwar.worm (Panda)
- W32/Nuwar@mm (Fortinet)
- Win32/Luder!generic (CA)
- Win32/Nuwar.gen (ESET)
- WORM_NUWAR (Trend)