Content

W32/Nuwar@MM!D9FD515C

Type
Virus
SubType
-
Discovery Date
06/20/2008
Length
119808
Minimum DAT
5322 (06/20/2008)
Updated DAT
5322 (06/20/2008)
Minimum Engine
5.2.00
Description Added
06/20/2008
Description Modified
06/20/2008 9:14 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

File PropertyProperty Value
File Namebeijing.exe
McAfee DetectionW32/Nuwar@MM
Length119,808 bytes
CRC32D9FD515C
MD51c376967a5183a051e255021c6bbc0fb
SHA1910019B7D3F733BAC0BFFF8C37A8B605C1B3B333

Other Common Detection Aliases

Company NameDetection Name
AVG (GriSoft)i-worm/nuwar.u
Microsoftbackdoor:win32/nuwar.gen!d
SymantecTrojan.Peacomm.D

Avert® Labs has observed the following system activities:

ActivityRisk Level
Modifies Memory of Other Processes
High
Enumerates running Processes
Medium
Creates Registry Keys and Data values persistent on OS Reboot
Low
Writes Executable in the Windows Folder
Low

Other detections that have been observed.

File NameMcAfee Supported
c:\windows\msvupdater.exe
W32/Nuwar@MM

This sample can be identified by the following symptoms.

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\msvupdater.config
    • %WINDIR%\msvupdater.exe
      • %WINDIR%\temp\perflib_perfdata_208.dat

        • The following registry elements have been changed:

      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
        • msvupdater = c:\windows\msvupdater.exe

        • Symptoms

        This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

        Method of Infection

        Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

        Removal

        AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

        Additional Windows ME/XP removal considerations

        Variants

        Variants

          N/A

        All Information

        Overview -

        This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

        Characteristics

        Characteristics -

        File PropertyProperty Value
        File Namebeijing.exe
        McAfee DetectionW32/Nuwar@MM
        Length119,808 bytes
        CRC32D9FD515C
        MD51c376967a5183a051e255021c6bbc0fb
        SHA1910019B7D3F733BAC0BFFF8C37A8B605C1B3B333

        Other Common Detection Aliases

        Company NameDetection Name
        AVG (GriSoft)i-worm/nuwar.u
        Microsoftbackdoor:win32/nuwar.gen!d
        SymantecTrojan.Peacomm.D

        Avert® Labs has observed the following system activities:

        ActivityRisk Level
        Modifies Memory of Other Processes
        		High
        Enumerates running Processes
        		Medium
        Creates Registry Keys and Data values persistent on OS Reboot
        		Low
        Writes Executable in the Windows Folder
        		Low

        Other detections that have been observed.

        File NameMcAfee Supported
        c:\windows\msvupdater.exe
        		W32/Nuwar@MM

        This sample can be identified by the following symptoms.

        System Changes

        These are general defaults for typical path variables. (Although they may differ, these examples are common.):
        %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
        %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
        %ProgramFiles% = \Program Files

        The following files have been added to the system:

      • %WINDIR%\msvupdater.config
        • %WINDIR%\msvupdater.exe
          • %WINDIR%\temp\perflib_perfdata_208.dat

            • The following registry elements have been changed:

          • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
            • msvupdater = c:\windows\msvupdater.exe

            • Symptoms

            Symptoms -

            This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

            Method of Infection

            Method of Infection -

            Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

            Removal -

            Removal -

            AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

            Additional Windows ME/XP removal considerations

            Variants

            Variants -

              N/A