W32/Nuwar@MM!C08CE381

Content

W32/Nuwar@MM!C08CE381

Type: Virus
SubType: E-mail
Discovery Date: 04/01/2008
Length: 139,776 bytes
Minimum DAT: 5264 (04/01/2008)
Updated DAT: 5264 (04/01/2008)
Minimum Engine: 5.1.00
Description Added: 04/01/2008
Description Modified: 04/01/2008 9:58 PM (PT)

Risk Assessment

Corporate User: Low
Home User: Low

Tab Navigation

Characteristics

This variant is used in the April Fool's Day spamming using the filenames foolsday.exe, funny.exe and kickme.exe.

W32/Nuwar@MM!C08CE381 will connect to a list of peers via UDP and will connect to SMTP servers to send out emails. It will listen on UDP port 26464 for connections from peers.

The following registry keys are modified:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\aromis.exe: "C:\WINDOWS\aromis.exe:*:Enabled:enable"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer: "time.windows.com,time.nist.gov"

The following files are dropped:

%WINDIR%\aromis.config (file containing peer information)
%WINDIR%\aromis.exe

(where %WINDIR% is the Windows directory e.g. C:\WINDOWS)

For other characteristics of W32/Nuwar@MM, please refer to the following link:

http://vil.nai.com/vil/content/v_140835.htm

Symptoms

Presence of previously mentioned registry keys.
Presence of previously mentioned files.
Presence of unexpected UDP and SMTP network connections.

Method of Infection

The virus is spread via a link through email.

Removal

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

N/A

All Information

Overview -

This variant is used in the April Fool's Day spamming using the filenames foolsday.exe, funny.exe and kickme.exe.

W32/Nuwar@MM!C08CE381 will connect to a list of peers via UDP and will connect to SMTP servers to send out emails. It will listen on UDP port 26464 for connections from peers.

Characteristics

Characteristics -

This variant is used in the April Fool's Day spamming using the filenames foolsday.exe, funny.exe and kickme.exe.

W32/Nuwar@MM!C08CE381 will connect to a list of peers via UDP and will connect to SMTP servers to send out emails. It will listen on UDP port 26464 for connections from peers.

The following registry keys are modified:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\aromis.exe: "C:\WINDOWS\aromis.exe:*:Enabled:enable"
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\NtpServer: "time.windows.com,time.nist.gov"

The following files are dropped:

%WINDIR%\aromis.config (file containing peer information)
%WINDIR%\aromis.exe

(where %WINDIR% is the Windows directory e.g. C:\WINDOWS)

For other characteristics of W32/Nuwar@MM, please refer to the following link:

http://vil.nai.com/vil/content/v_140835.htm

Symptoms

Symptoms -

Presence of previously mentioned registry keys.
Presence of previously mentioned files.
Presence of unexpected UDP and SMTP network connections.

Method of Infection

Method of Infection -

The virus is spread via a link through email.

Removal -

AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

Additional Windows ME/XP removal considerations

Variants

Variants -

N/A

McAfee > Theat Center > Virus Detail Page

Navigation

Utility Navigation

Content