Content

W32/Nuwar@MM!A3FF8EE4

Type
Virus
SubType
-
Discovery Date
07/07/2008
Length
117760
Minimum DAT
5333 (07/07/2008)
Updated DAT
5333 (07/07/2008)
Minimum Engine
5.2.00
Description Added
07/07/2008
Description Modified
07/07/2008 8:11 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

File PropertyProperty Value
File Namefirework.exe
McAfee DetectionW32/Nuwar@MM
Length117,760 bytes
CRC32A3FF8EE4
MD575C05ED8E4C64A81098C6EC3DD3240DD
SHA1161D4577585DE9CDA0D8C2273043976C015A1BE4

Other Common Detection Aliases

Company NameDetection Name
AVG (GriSoft)i-worm/nuwar.u
Microsoftbackdoor:win32/nuwar.gen!d
SymantecTrojan.Peacomm
Trend MicroTROJ_DLOAD.HD

Avert® Labs has observed the following system activities:

ActivityRisk Level
Modifies Memory of Other Processes
High
Enumerates running Processes
Medium
Creates Registry Keys and Data values persistent on OS Reboot
Low
Writes Executable in the Windows Folder
Low

Other detections that have been observed.

File NameMcAfee Supported
c:\windows\msserv.exe
W32/Nuwar@MM

This sample can be identified by the following symptoms.

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\msserv.config
    • %WINDIR%\msserv.exe
      • %WINDIR%\temp\perflib_perfdata_1cc.dat

        • The following registry elements have been changed:

      • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
        • msserv = c:\windows\msserv.exe

        • Symptoms

        This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

        Method of Infection

        Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

        Removal

        AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

        Additional Windows ME/XP removal considerations

        Variants

        Variants

          N/A

        All Information

        Overview -

        This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

        Characteristics

        Characteristics -

        File PropertyProperty Value
        File Namefirework.exe
        McAfee DetectionW32/Nuwar@MM
        Length117,760 bytes
        CRC32A3FF8EE4
        MD575C05ED8E4C64A81098C6EC3DD3240DD
        SHA1161D4577585DE9CDA0D8C2273043976C015A1BE4

        Other Common Detection Aliases

        Company NameDetection Name
        AVG (GriSoft)i-worm/nuwar.u
        Microsoftbackdoor:win32/nuwar.gen!d
        SymantecTrojan.Peacomm
        Trend MicroTROJ_DLOAD.HD

        Avert® Labs has observed the following system activities:

        ActivityRisk Level
        Modifies Memory of Other Processes
        		High
        Enumerates running Processes
        		Medium
        Creates Registry Keys and Data values persistent on OS Reboot
        		Low
        Writes Executable in the Windows Folder
        		Low

        Other detections that have been observed.

        File NameMcAfee Supported
        c:\windows\msserv.exe
        		W32/Nuwar@MM

        This sample can be identified by the following symptoms.

        System Changes

        These are general defaults for typical path variables. (Although they may differ, these examples are common.):
        %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
        %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
        %ProgramFiles% = \Program Files

        The following files have been added to the system:

      • %WINDIR%\msserv.config
        • %WINDIR%\msserv.exe
          • %WINDIR%\temp\perflib_perfdata_1cc.dat

            • The following registry elements have been changed:

          • HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run\
            • msserv = c:\windows\msserv.exe

            • Symptoms

            Symptoms -

            This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

            Method of Infection

            Method of Infection -

            Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

            Removal -

            Removal -

            AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

            Additional Windows ME/XP removal considerations

            Variants

            Variants -

              N/A