Content

W32/Nuwar@MM!F6D2E5FF

Type
Virus
SubType
-
Discovery Date
06/29/2008
Length
119296
Minimum DAT
5327 (06/27/2008)
Updated DAT
5327 (06/27/2008)
Minimum Engine
5.2.00
Description Added
06/29/2008
Description Modified
06/29/2008 9:53 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

File PropertyProperty Value
File Namemylove.exe
McAfee DetectionW32/Nuwar@MM
Length119,296 bytes
CRC32F6D2E5FF
MD55379948A761570BF86AD4D4387AA3F8A
SHA1D9374E4FC3B545CF0C087EB11F516714A3F79E9A

Other Common Detection Aliases

Company NameDetection Name
Microsoftbackdoor:win32/nuwar.gen!d
SymantecTrojan.Peacomm

Avert® Labs has observed the following system activities:

ActivityRisk Level
Modifies Memory of Other Processes
High
Enumerates running Processes
Medium
Creates Registry Keys and Data values persistent on OS Reboot
Low
Writes Executable in the Windows Folder
Low

Other detections that have been observed.

File NameMcAfee Supported
c:\windows\msvecurity.exe
W32/Nuwar@MM

This sample can be identified by the following symptoms.

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\msvecurity.config
    • %WINDIR%\msvecurity.exe
      • %WINDIR%\temp\perflib_perfdata_1cc.dat

        • The following registry elements have been changed:

      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
        • msvecurity = c:\windows\msvecurity.exe

        • Symptoms

        This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

        Method of Infection

        Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

        Removal

        AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

        Additional Windows ME/XP removal considerations

        Variants

        Variants

          N/A

        All Information

        Overview -

        This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

        Characteristics

        Characteristics -

        File PropertyProperty Value
        File Namemylove.exe
        McAfee DetectionW32/Nuwar@MM
        Length119,296 bytes
        CRC32F6D2E5FF
        MD55379948A761570BF86AD4D4387AA3F8A
        SHA1D9374E4FC3B545CF0C087EB11F516714A3F79E9A

        Other Common Detection Aliases

        Company NameDetection Name
        Microsoftbackdoor:win32/nuwar.gen!d
        SymantecTrojan.Peacomm

        Avert® Labs has observed the following system activities:

        ActivityRisk Level
        Modifies Memory of Other Processes
        		High
        Enumerates running Processes
        		Medium
        Creates Registry Keys and Data values persistent on OS Reboot
        		Low
        Writes Executable in the Windows Folder
        		Low

        Other detections that have been observed.

        File NameMcAfee Supported
        c:\windows\msvecurity.exe
        		W32/Nuwar@MM

        This sample can be identified by the following symptoms.

        System Changes

        These are general defaults for typical path variables. (Although they may differ, these examples are common.):
        %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
        %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
        %ProgramFiles% = \Program Files

        The following files have been added to the system:

      • %WINDIR%\msvecurity.config
        • %WINDIR%\msvecurity.exe
          • %WINDIR%\temp\perflib_perfdata_1cc.dat

            • The following registry elements have been changed:

          • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
            • msvecurity = c:\windows\msvecurity.exe

            • Symptoms

            Symptoms -

            This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

            Method of Infection

            Method of Infection -

            Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

            Removal -

            Removal -

            AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

            Additional Windows ME/XP removal considerations

            Variants

            Variants -

              N/A