Threat behavior
Trojan:Win32/Nuwar.gen is generic detection for a family of Trojan droppers that install a distributed peer-to-peer (P2P) downloader Trojan which typically downloads a copy of a mass-mailing worm component.
The email worm component does the following:
- Drops a file with a random name into the directory in which it is executed.
- This file creates a driver in the Windows system folder (by default, on Windows XP and Vista, this folder is C:\Windows\System32. The dropped file is usually named wincom32.sys.
- This driver contains the main payload functionality of the worm, and is used to inject an embedded dll into running processes which enlists the computer in a private peer-to-peer (p2p) network.
- The injected dll drops an initialization file, typically named wincom32.ini, in the Windows system folder which contains its network peer information. This file is detected as Worm:Win32/Nuwar!ini.
- The driver is added as a service to run whenever Windows starts. The service is typically named 'wincom32'
- On Windows XP or earlier, the driver will stealth references to this driver so that the driver and its service cannot be seen.
Email Characteristics
To obtain addresses in order to spread, Worm:Win32/Nuwar enumerates the first 30000 files under 122k on all fixed and remote drives. The worm does not use domains containing 'microsoft' or domains ending in .gov or .mil. The worm performs DNS queries on the email address domains to check their legitimacy. The worm will spoof the sender address to be a randomly chosen name from a list from the yahoo.com domain. The message body will be blank. The subject line of the email generally uses fictitious and incendiary topics, for example:
-
-
230 dead as storm batters Europe
-
USA Missle Strike: Iran War just have started
-
Naked teens attack home director
The email includes an executable (.EXE) attachment which may use on of the following file names:
- More.exe
-
Read More.exe
-
Click Here.exe
-
Click Me.exe
-
Read Me.exe
-
Movie.exe
-
News.exe
-
Video.exe
Trojan:Win32/Nuwar.gen attempts to stop processes with process or window names containing substrings typically related to various security-related software products.
Prevention
