Win32/Nuwar [Threat Name]

Win32/Nuwar.M [Threat Variant Name]

Category: worm
Size: 17559 B
Detection created: Dec 09, 2004
Detection database version: 944

Short description

Win32/Nuwar.M is a worm that spreads via e-mail.

Installation

When executed, the worm copies itself into the %system% folder using one of the following file names:

  • alsys.exe
  • ppl.exe

Another executable with a random name is dropped. The size of this file is 6295 B.

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Agent]
  • [HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\Agent]

The entries contain the path to the worm's executable.
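
A triage check for these autorun entries, as an added example (not ESET's code): it parses `reg query` output for the two Run keys and flags values that match the name and file names given above. The sample output is constructed, and reading `Agent` as the value name under `Run` is an assumption.

```python
import ntpath
import re

RUN_KEY = r"software\microsoft\windows\currentversion\run"
VALUE_NAME = "agent"                   # assumption: "Agent" is the value name under Run
WORM_FILES = {"alsys.exe", "ppl.exe"}  # copy names listed under Installation

def exe_basename(data):
    """File name of the program a Run value launches (handles quotes and arguments)."""
    data = data.strip()
    if data.startswith('"'):
        path = data[1:].split('"', 1)[0]
    else:
        m = re.match(r"(.+?\.exe)\b", data, re.I)
        path = m.group(1) if m else data
    return ntpath.basename(path).lower()

def scan_reg_query(text):
    """Return (key, value name, data, verdict) for suspect Run values in `reg query` output."""
    hits, key = [], None
    for line in text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip()
            continue
        m = re.match(r"\s+(.+?)\s{4}(REG_\w+)\s{4}(.*)$", line)
        if not m or key is None or not key.lower().endswith(RUN_KEY):
            continue
        name, _type, data = m.groups()
        name_hit = name.lower() == VALUE_NAME
        file_hit = exe_basename(data) in WORM_FILES
        if name_hit and file_hit:
            hits.append((key, name, data, "match"))   # both indicators agree
        elif name_hit or file_hit:
            hits.append((key, name, data, "review"))  # one indicator only, needs a human look
    return hits

# Constructed sample of `reg query <key>` output for both Run keys (not real host data).
SAMPLE = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    Agent    REG_SZ    C:\WINDOWS\system32\alsys.exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    Agent    REG_SZ    "C:\Program Files\Backup\agent.exe" /tray
    Updater    REG_SZ    C:\WINDOWS\system32\PPL.EXE /s
"""

for key, name, data, verdict in scan_reg_query(SAMPLE):
    print(f"{verdict:6} {key} -> {name} = {data}")
```

A "review" verdict covers a legitimate program that happens to register a value called Agent as well as a worm copy registered under another value name, so it calls for inspection of the file rather than automatic removal.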

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with one of the following extensions:

  • .hta
  • .htm
  • .txt

Addresses from the Windows Address Book are also used.

Addresses containing the following strings are avoided:

  • .gov
  • .mil
  • microsoft

Some of the following strings may be used to form the sender address:

  • Aldora
  • Alysia
  • Amorita
  • Anita
  • April
  • Ara
  • Aretina
  • Barbra
  • Becky
  • Bella
  • Bettina
  • Blenda
  • Briana
  • Bridget
  • Caitlin
  • Camille
  • Cara
  • Carla
  • Carmen
  • Clarissa
  • Damita
  • Danielle
  • Daria
  • Diana
  • Donna
  • Dora
  • Doris
  • Ebony
  • Eden
  • Eliza
  • Emily
  • Erika
  • Eve
  • Evelyn
  • Faith
  • Gale
  • Gilda
  • Gloria
  • Haley
  • Helga
  • Holly
  • Chelsea
  • Ida
  • Idona
  • Iris
  • Isabel
  • Ivana
  • Ivory
  • Janet
  • Jewel
  • Joanna
  • Julie
  • Juliet
  • Kacey
  • Kali
  • Kara
  • Kassia
  • Katrina
  • Kyle
  • Lara
  • Laura
  • Linda
  • Lisa
  • Lolita
  • Lynn
  • Maia
  • Mary
  • Melody
  • Mimi
  • Myra
  • Nadia
  • Naomi
  • Natalie
  • Nicole
  • Nina
  • Nora
  • Nova
  • Olga
  • Olivia
  • Pamela
  • Peggy
  • Queen
  • Rae
  • Rachel
  • Rita
  • Rosa
  • Ruby
  • Sharon
  • Silver
  • Ula
  • Uma
  • Valda
  • Valora
  • Vanessa
  • Vicky
  • Violet
  • Vivian
  • Wendy
  • Willa
  • Xandra
  • Xenia
  • Xylia
  • Zenia
  • Zilya
  • Zoe

The subject of the message is the following:

  • Happy New Year!

The body of the message is blank.

The attachment is an executable of the worm. Its filename is the following:

  • postcard.exe

Other information

The following programs are terminated:

  • anti
  • avg
  • avp
  • blackice
  • f-pro
  • firewall
  • hijack
  • lockdown
  • mcafee
  • msconfig
  • nav
  • nod32
  • rav
  • reged
  • spybot
  • taskmgr
  • troja
  • viru
  • vsmon
  • zonea

The worm tries to download several files from the Internet. The files are then executed.