Sunday, September 09, 2007

Nuwar's new avatar!

The ecard worm – also known as Nuwar, Storm Worm, W32/Zhelatin – has changed its strategy again. Now the gang behind the ecard worm is trying to cash in on NFL fever. Here's a screenshot of the latest ecard spam mail:

As we can see, the mail claims to provide details about NFL football games. When we visit the link given in the mail, we are presented with a fake webpage that shows schedules of NFL games. Here's a screenshot of one such webpage:

Surprisingly, there's no drive-by-download this time! But ALL hyperlinks present in that page point to a file named tracker.exe.
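
The observation above (no drive-by exploit, but every hyperlink pointing at one executable) can be turned into a simple page-level heuristic for a mail or web gateway. This is an added example, not code from the original post; the function name, extension list, thresholds and both sample pages are constructed assumptions.

```python
from collections import Counter
from html.parser import HTMLParser
from urllib.parse import urlparse
import posixpath

# Assumption: extensions treated as directly executable on Windows.
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif"}

# Constructed sample pages (192.0.2.10 is a documentation-only address).
LURE_PAGE = """<html><body>
<a href="tracker.exe">Week 1 schedule</a>
<a href="/tracker.exe">Scores</a>
<a href="http://192.0.2.10/tracker.exe?id=7">Game tracker</a>
<map><area href="TRACKER.EXE"></map>
</body></html>"""
BENIGN_PAGE = """<html><body>
<a href="/schedule.html">Schedule</a> <a href="/teams.html">Teams</a>
<a href="/news.html">News</a> <a href="/tools/setup.exe">Desktop widget</a>
</body></html>"""

class AnchorCollector(HTMLParser):
    """Collects the href of every <a> and <area> element."""
    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag in ("a", "area") and href:
            self.hrefs.append(href.strip())

def executable_link_report(html, threshold=0.9, min_links=3):
    """Flag pages where nearly every link resolves to the same executable name."""
    collector = AnchorCollector()
    collector.feed(html)
    names = Counter()
    for href in collector.hrefs:
        # Compare on the file name only, so relative, absolute and
        # query-string variants of the same target are counted together.
        name = posixpath.basename(urlparse(href).path).lower()
        if posixpath.splitext(name)[1] in EXECUTABLE_EXTENSIONS:
            names[name] += 1
    total = len(collector.hrefs)
    top_name, top_count = names.most_common(1)[0] if names else (None, 0)
    ratio = top_count / total if total else 0.0
    return {"total_links": total, "top_executable": top_name, "ratio": ratio,
            "suspicious": total >= min_links and ratio >= threshold}

if __name__ == "__main__":
    for label, page in (("lure", LURE_PAGE), ("benign", BENIGN_PAGE)):
        print(label, executable_link_report(page))
```

A legitimate page with a single download link among ordinary navigation stays below the threshold, while a page whose links all collapse to one executable name is flagged.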

The file tracker.exe seems to be slightly different from the old variants (ecard.exe, video.exe etc.) and detections are poor at the time of this writing. Only 9 out of 32 AVs at VirusTotal managed to detect this malware:

File tracker.exe received on 09.08.2007 22:46:16 (CET)
CAT-QuickHeal --- (Suspicious) - DNAScan
eSafe --- Suspicious Trojan/Worm
eTrust-Vet --- Win32/Sintun.AF
F-Secure --- Tibs.gen134
Microsoft --- TrojanDropper:Win32/Nuwar.gen!avkill
Norman --- Tibs.gen134
Sophos --- Mal/Dorf-D
Sunbelt --- VIPRE.Suspicious
Webwasher-Gateway --- Win32.Malware.gen (suspicious)

Additional information
File size: 140521 bytes
MD5: 814fe2cdd86e01a5369def9cd9a13458
SHA1: 4cb7ad77d79286911b1c82c548d7f9e0dcda88d1
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.

On execution, tracker.exe drops spooldr.exe and spooldr.sys, and also patches tcpip.sys in a way similar to that described in a previous post here.

