Threat behavior
Spammer:Win32/Nuwar.B is the spam-relay component of the Win32/Nuwar Trojan family. The e-mail messages it sends take various forms and commonly contain a hyperlink to a remote Web site hosting Win32/Nuwar Trojan files.
Spammer:Win32/Nuwar.B is commonly installed in one of the following locations:
%WinDir%\spooldr.exe
<system folder>\taskdir.exe
Additional components of Spammer:Win32/Nuwar.B may exist as any of these files:
<system folder>\adir.dll
<system folder>\taskdir.dll
<system folder>\zlbw.dll (Clean file used for decompression)
Upon installation, Spammer:Win32/Nuwar.B contacts remote Web sites to download compressed e-mail configuration data, which includes the message body content and the recipient list. The data is decompressed and interpreted, and the infected machine then operates as a spam relay.
Later variants also drop a kernel-mode driver, <system folder>\spooldr.sys, which protects the spammer component from removal and disables common personal firewalls.
The kernel-mode driver attempts to block execution of any executable image whose path contains one of the following substrings:
<system folder>\vsdatant.sys
<system folder>\drivers\bcfilter.sys
<system folder>\drivers\bcftdi.sys
<system folder>\drivers\bc_hassh_f.sys
<system folder>\drivers\bc_ip_f.sys
<system folder>\drivers\bc_ngn.sys
<system folder>\drivers\bc_pat_f.sys
<system folder>\drivers\bc_prt_f.sys
<system folder>\drivers\bc_tdi_f.sys
%ProgramFiles%\zone labs\zonealarm\zclient.exe
%ProgramFiles%\agnitum\outpost firewall\kernel\filtnt.sys
%ProgramFiles%\agnitum\outpost firewall\kernel\sandbox.sys
%ProgramFiles%\mcafee.com\personal firewall\data\drv\mpfirewall.sys
The kernel-mode driver terminates the following processes:
zlclient.exe
outpost.exe
The kernel-mode driver hides files and folders whose names begin with "spooldr" by hooking the ZwQueryDirectoryFile API, and it denies access to tcpip.sys by hooking ZwCreateFile.
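A ZwQueryDirectoryFile hook of the kind described above hides names by editing the listing the kernel has already produced, unlinking the matching records before control returns to the caller. The C below is an added illustration of that filtering on a constructed listing; it is not code from the malware or from this write-up. DirEntry is a simplified stand-in for the kernel's FILE_DIRECTORY_INFORMATION (only the chaining and name fields are modelled), the helper names are assumptions of this example, and the file names it is fed are made up. It runs in user mode on any platform.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>

/* Simplified stand-in for the kernel's FILE_DIRECTORY_INFORMATION record
 * (assumption: the real one also carries timestamps, sizes and attributes).
 * Records are chained through NextEntryOffset; 0 marks the last record. */
typedef struct {
    uint32_t NextEntryOffset;  /* bytes from this record to the next, 0 = last */
    uint32_t FileNameLength;   /* length of FileName in bytes (UTF-16, no NUL) */
    uint16_t FileName[32];     /* fixed size so the demo stays self-contained */
} DirEntry;
#define MAX_ENTRIES 16

/* ASCII-only case fold of one UTF-16 code unit. */
static uint16_t fold(uint16_t c) { return (c >= 'A' && c <= 'Z') ? (uint16_t)(c + 32) : c; }

/* Case-insensitive: does the UTF-16 name start with the ASCII prefix? */
static int name_has_prefix(const uint16_t *name, uint32_t name_bytes, const char *prefix)
{
    size_t plen = strlen(prefix);
    if (name_bytes / 2 < plen) return 0;
    for (size_t i = 0; i < plen; i++)
        if (fold(name[i]) != (uint16_t)prefix[i]) return 0;
    return 1;
}

/* Build a listing from ASCII names (constructed test data). Returns bytes used. */
static size_t build_listing(DirEntry *rec, const char **names, size_t n)
{
    if (n > MAX_ENTRIES) n = MAX_ENTRIES;
    for (size_t i = 0; i < n; i++) {
        size_t len = strlen(names[i]) > 32 ? 32 : strlen(names[i]);
        memset(&rec[i], 0, sizeof rec[i]);
        rec[i].NextEntryOffset = (i + 1 < n) ? (uint32_t)sizeof(DirEntry) : 0;
        rec[i].FileNameLength = (uint32_t)(len * 2);
        for (size_t k = 0; k < len; k++)
            rec[i].FileName[k] = (uint16_t)(unsigned char)names[i][k];
    }
    return n * sizeof(DirEntry);
}

/* Unlink every record whose name starts with `prefix`, in place, the way a
 * ZwQueryDirectoryFile post-call hook does. *buf_len is the number of bytes
 * the listing occupies and becomes 0 when nothing is left (a real hook then
 * returns STATUS_NO_MORE_FILES). Returns how many records were hidden. */
size_t hide_entries(uint8_t *buf, size_t *buf_len, const char *prefix)
{
    size_t hidden = 0;
    DirEntry *prev = NULL, *cur = (DirEntry *)buf;
    if (*buf_len == 0) return 0;
    for (;;) {
        DirEntry *next = cur->NextEntryOffset
            ? (DirEntry *)((uint8_t *)cur + cur->NextEntryOffset) : NULL;
        if (!name_has_prefix(cur->FileName, cur->FileNameLength, prefix)) {
            if (!next) break;
            prev = cur; cur = next;
            continue;
        }
        hidden++;
        if (prev == NULL) {            /* head record: shift the rest down */
            if (!next) { *buf_len = 0; break; }
            size_t tail = *buf_len - (size_t)((uint8_t *)next - buf);
            memmove(buf, next, tail);
            *buf_len = tail;
            cur = (DirEntry *)buf;     /* re-examine the new head */
        } else if (next) {             /* middle record: make prev skip it */
            prev->NextEntryOffset += cur->NextEntryOffset;
            cur = next;
        } else {                       /* last record: end the chain at prev */
            prev->NextEntryOffset = 0;
            break;
        }
    }
    return hidden;
}

/* Records still reachable from the head, i.e. what the caller would see. */
size_t count_entries(const uint8_t *buf, size_t buf_len)
{
    size_t n = 0;
    const DirEntry *e = (const DirEntry *)buf;
    if (buf_len == 0) return 0;
    for (;; e = (const DirEntry *)((const uint8_t *)e + e->NextEntryOffset)) {
        n++;
        if (!e->NextEntryOffset) return n;
    }
}

/* Build a listing, run the hook over it, return how many names the caller still sees. */
size_t visible_after_hide(const char **names, size_t n, const char *prefix)
{
    DirEntry rec[MAX_ENTRIES];
    size_t len = build_listing(rec, names, n);
    hide_entries((uint8_t *)rec, &len, prefix);
    return count_entries((const uint8_t *)rec, len);
}
```

Fed a constructed listing of spooldr.exe, taskdir.dll, SPOOLDR.sys, zlbw.dll and spooldr with the prefix "spooldr", visible_after_hide leaves two names, exercising all three unlink positions (head, middle, tail) and the case-insensitive match. A listing made up only of spooldr* names comes back with zero bytes, which is the case a real hook must turn into STATUS_NO_MORE_FILES rather than returning a buffer that no longer begins with a valid record. The same three positions are what a cross-view detector relies on: the records are gone from the hooked view but still present on disk, so comparing a listing taken through the hooked path with one taken by another route exposes the difference.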