Win32/Nuwar [Threat Name]

Win32/Nuwar.A [Threat Variant Name]

Category: worm
Size: 15497 B
Detection created: Nov 03, 2006
Detection database version: 1851
Aliases: W32.Mixor.C@mm (Symantec)

Short description

Win32/Nuwar.A is a worm that spreads via e-mail. It can also infect executable files and RAR archives.

Installation

When executed, the worm copies itself into the %system% folder using the following name:

  • wservice.exe

Another executable with a random name is dropped. The size of the file is 5707 B.


In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
    • "UpdateService" = "%system%\wservice.exe"
  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
    • "UpdateService" = "%system%\wservice.exe"

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .hta
  • .htm
  • .txt
  • .wab

Addresses containing the following strings are avoided:

  • .gov
  • .mil
  • microsoft

Some of the following strings may be used to form the sender address:

  • Aldora
  • Alysia
  • Amorita
  • Anita
  • April
  • Aretina
  • Barbra
  • Becky
  • Bella
  • Bettina
  • Blenda
  • Briana
  • Bridget
  • Caitlin
  • Camille
  • Cara
  • Carla
  • Carmen
  • Clarissa
  • Damita
  • Danielle
  • Daria
  • Diana
  • Donna
  • Dora
  • Doris
  • Ebony
  • Eden
  • Eliza
  • Emily
  • Erika
  • Evelyn
  • Faith
  • Gale
  • Gilda
  • Gloria
  • Haley
  • Helga
  • Holly
  • Chelsea
  • Idona
  • Iris
  • Isabel
  • Ivana
  • Ivory
  • Janet
  • Jewel
  • Joanna
  • Julie
  • Juliet
  • Kacey
  • Kali
  • Kara
  • Kassia
  • Katrina
  • Kyle
  • Lara
  • Laura
  • Linda
  • Lisa
  • Lolita
  • Lynn
  • Maia
  • Mary
  • Melody
  • Mimi
  • Myra
  • Nadia
  • Naomi
  • Natalie
  • Nicole
  • Nina
  • Nora
  • Nova
  • Olga
  • Olivia
  • Pamela
  • Peggy
  • Queen
  • Rachel
  • Rita
  • Rosa
  • Ruby
  • Sharon
  • Silver
  • Valda
  • Valora
  • Vanessa
  • Vicky
  • Violet
  • Vivian
  • Wendy
  • Willa
  • Xandra
  • Xenia
  • Xylia
  • Zenia
  • Zilya

Subject of the message is one of the following:

  • White house news!
  • ATTN TO EVERYBODY!
  • READ AND RESEND ASAP!
  • Incredible news!
  • NEWS!
  • ATTN
  • URGENT NEWS!

Body of the message is one of the following:

  • 3rd Glogal War Just Started!!! Read more in file!
  • GLOBAL NUCLEAR WAR JUST STARTED! News in file.
  • Nuclear War in Russia! Read news in file!
  • Nuclear WAR in USA! Read attached file!
  • President Bush DEAD! Read attached file!
  • President Putin dead! Read more in attached file!
  • Putin and Bush starts NUCLEAR WAR! Check the file!

The attachment is an executable of the worm. Its filename is one of the following:

  • open.exe
  • truth.exe
  • war.exe
  • last.exe
  • about me.exe
  • a.exe
  • never.exe
  • latest news.exe
  • read me.exe
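
The subjects, bodies and attachment names listed above can be checked at a mail gateway or during triage of a mailbox export. The following is an added example, not part of the original description: it parses a raw message and reports which of the listed indicators it matches. The function names, addresses and sample messages are constructed for illustration.

```python
from email import message_from_string, policy
from email.message import EmailMessage

# Indicator strings copied from the description above, compared case-insensitively.
SUBJECTS = {s.lower() for s in (
    "White house news!", "ATTN TO EVERYBODY!", "READ AND RESEND ASAP!",
    "Incredible news!", "NEWS!", "ATTN", "URGENT NEWS!")}
BODIES = {s.lower() for s in (
    "3rd Glogal War Just Started!!! Read more in file!",
    "GLOBAL NUCLEAR WAR JUST STARTED! News in file.",
    "Nuclear War in Russia! Read news in file!",
    "Nuclear WAR in USA! Read attached file!",
    "President Bush DEAD! Read attached file!",
    "President Putin dead! Read more in attached file!",
    "Putin and Bush starts NUCLEAR WAR! Check the file!")}
ATTACHMENTS = {"open.exe", "truth.exe", "war.exe", "last.exe", "about me.exe",
               "a.exe", "never.exe", "latest news.exe", "read me.exe"}

def nuwar_indicators(raw: str) -> list[str]:
    """Return which listed indicators (subject, body, attachment) a raw message matches."""
    msg = message_from_string(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:  # any MIME part that carries a filename is treated as an attachment
            if name.strip().lower() in ATTACHMENTS:
                hits.append("attachment")
        elif part.get_content_type() == "text/plain":
            if part.get_content().strip().lower() in BODIES:
                hits.append("body")
    return hits

def constructed_message(subject: str, body: str, filename: str) -> str:
    """Build a constructed test message; the attachment bytes are a harmless placeholder."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_string()

if __name__ == "__main__":
    print(nuwar_indicators(constructed_message(
        "URGENT NEWS!", "Nuclear War in Russia! Read news in file!", "read me.exe")))
    print(nuwar_indicators(constructed_message("Minutes", "See attached.", "notes.pdf")))
```

A single hit on a generic value such as the subject "ATTN" or the attachment name "a.exe" is a weak signal on its own; the combination of a listed subject, a listed body and a listed attachment name is the stronger one.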

Executable file infection

The worm searches for executables with one of the following extensions:

  • .exe
  • .scr

Several other criteria are applied when choosing a file to infect.

When infecting a file, the worm creates a copy of its executable file. Its name is random.

The host file is modified in a way that causes the worm to be executed prior to running the original code. The size of the inserted code is 155 B. The total length of the files is unchanged.

Other information

The following programs are terminated:

  • anti
  • blackice
  • f-pro
  • firewall
  • hijack
  • lockdown
  • mcafee
  • msconfig
  • nod32
  • reged
  • spybot
  • taskmgr
  • troja
  • viru
  • vsmon
  • zonea

The worm tries to download a file from the Internet. The file is then executed.
