Content

W32/Nuwar@MM!E80F07A1

Type
Virus
SubType
-
Discovery Date
09/07/2008
Length
83968
Minimum DAT
5378 (09/05/2008)
Updated DAT
5378 (09/05/2008)
Minimum Engine
5.3.00
Description Added
09/07/2008
Description Modified
09/07/2008 3:57 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Tab Navigation

Characteristics

File PropertyProperty Value
FileNameback.exe
McAfee DetectionW32/Nuwar@MM
Length83,968 bytes
CRCE80F07A1
MD5728B05272276A70C6AFA52C2088D934E
SHA1C00300B33E2B3E4D953A2723512E6A6B8C8DBF0B

Other Common Detection Aliases

Company NameDetection Name
AVG (GriSoft)i-worm/nuwar.w
Eseta variant of Win32/Nuwar.DH worm
KasperskyEmail-Worm.Win32.Zhelatin.agg
microsoftbackdoor:win32/nuwar.a
normanw32/tibs.gen227
SymantecTrojan.Peacomm
Trend MicroTROJ_NUWAR.DDJ

Avert® Labs has observed the following system activities:

ActivityRisk Level
Modifies memory of other processes
Critical
Enumerates running processes
Medium
Writes executable in the windows folder
Low
Creates registry keys and data values to persist on OS reboot
Informational

Other detections that have been observed.

FileNameMcAfee Supported
%WINDIR%\neos.exeW32/Nuwar@MM

This sample can be identified by the following symptoms.

System Changes

These are general defaults for typical path variables. (Although they may differ, these examples are common.):
%WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
%SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
%ProgramFiles% = \Program Files

The following files have been added to the system:

  • %WINDIR%\crock+mock.config
  • %WINDIR%\neos.exe
  • HKEY_LOCAL_MACHINE\perflib_perfdata_214.dat

    • The following registry elements have been changed:

  • hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\windows\currentversion\run\
    • neos = c:\windows\neos.exe

    • Symptoms

    This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

    Method of Infection

    Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

    Removal

    AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    Variants

    Variants

      N/A

    All Information

    Overview -

    This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then further propagate the virus. Although many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

    Characteristics

    Characteristics -

    File PropertyProperty Value
    FileNameback.exe
    McAfee DetectionW32/Nuwar@MM
    Length83,968 bytes
    CRCE80F07A1
    MD5728B05272276A70C6AFA52C2088D934E
    SHA1C00300B33E2B3E4D953A2723512E6A6B8C8DBF0B

    Other Common Detection Aliases

    Company NameDetection Name
    AVG (GriSoft)i-worm/nuwar.w
    Eseta variant of Win32/Nuwar.DH worm
    KasperskyEmail-Worm.Win32.Zhelatin.agg
    microsoftbackdoor:win32/nuwar.a
    normanw32/tibs.gen227
    SymantecTrojan.Peacomm
    Trend MicroTROJ_NUWAR.DDJ

    Avert® Labs has observed the following system activities:

    ActivityRisk Level
    Modifies memory of other processes
    		Critical
    Enumerates running processes
    		Medium
    Writes executable in the windows folder
    		Low
    Creates registry keys and data values to persist on OS reboot
    		Informational

    Other detections that have been observed.

    FileNameMcAfee Supported
    %WINDIR%\neos.exeW32/Nuwar@MM

    This sample can be identified by the following symptoms.

    System Changes

    These are general defaults for typical path variables. (Although they may differ, these examples are common.):
    %WinDir% = \WINDOWS (Windows 9x/ME/XP/Vista), \WINNT (Windows NT/2000)
    %SystemDir% = \WINDOWS\SYSTEM (Windows 98/ME), \WINDOWS\SYSTEM32 (Windows XP/Vista), \WINNT\SYSTEM32 (Windows NT/2000)
    %ProgramFiles% = \Program Files

    The following files have been added to the system:

  • %WINDIR%\crock+mock.config
  • %WINDIR%\neos.exe
  • HKEY_LOCAL_MACHINE\perflib_perfdata_214.dat

    • The following registry elements have been changed:

  • hkey_users\s-1-5-21-1202660629-602609370-839522115-500\software\microsoft\windows\currentversion\run\
    • neos = c:\windows\neos.exe

    • Symptoms

    Symptoms -

    This symptoms of this detection are the files, registry, and network communication referenced in the characteristics section.

    Method of Infection

    Method of Infection -

    Viruses are self-replicating. They are often spread by a network or by transmission to a removable medium such as a removable disk, writable CD, or USB drive. Viruses may also spread by infecting files on a network file system or a file system that is shared by another computer.

    Removal -

    Removal -

    AVERT recommends to always use latest DATs and engine. This threat will be cleaned if you have this combination.

    Additional Windows ME/XP removal considerations

    Variants

    Variants -

      N/A