Nuwar's new avatar!
The ecard worm – also known as Nuwar, Storm Worm, W32/Zhelatin – has changed its strategy again. Now, the gang behind the ecard worm is trying to cash in on NFL fever. Here's a screenshot of the latest ecard spam mail:
As we can see, the mail claims to provide details about NFL football games. When we visit the link given in the mail, we are presented with a fake web page showing schedules of NFL games. Here's a screenshot of one such page:
Surprisingly, there's no drive-by download this time! But ALL hyperlinks present on that page point to a file named tracker.exe, which seems to be slightly different from the old variants (video.exe etc.), and detections are poor at the time of this writing. Only 9 out of 32 AVs at VirusTotal managed to detect this malware:
File tracker.exe received on 09.08.2007 22:46:16 (CET)
CAT-QuickHeal --- (Suspicious) - DNAScan
eSafe --- Suspicious Trojan/Worm
eTrust-Vet --- Win32/Sintun.AF
F-Secure --- Tibs.gen134
Microsoft --- TrojanDropper:Win32/Nuwar.gen!avkill
Norman --- Tibs.gen134
Sophos --- Mal/Dorf-D
Sunbelt --- VIPRE.Suspicious
Webwasher-Gateway --- Win32.Malware.gen (suspicious)
File size: 140521 bytes
Sunbelt info: VIPRE.Suspicious is a generic detection for potential threats that are deemed suspicious through heuristics.
Tracker.exe, on execution, drops spooldr.sys and also patches tcpip.sys in a similar way to that described in a previous post here.
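The lure page described above has one property a defender can check for automatically: every hyperlink resolves to the same executable download. The following is an added example (not code from the original post); it uses a constructed HTML snippet resembling the fake NFL schedule page and an assumed base URL on the reserved example.invalid domain.

```python
"""Flag a lure page whose hyperlinks all lead to a single executable download.

Added example, not part of the original post. It assumes the lure page is
plain HTML with <a href> links and that "every link resolves to one .exe" is
the indicator worth surfacing to an analyst.
"""
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse


class LinkCollector(HTMLParser):
    """Collect every href from <a> tags, resolved against a base URL."""

    def __init__(self, base_url):
        super().__init__()
        self.base_url = base_url
        self.links = []

    def handle_starttag(self, tag, attrs):
        if tag != "a":
            return
        for name, value in attrs:
            if name == "href" and value:
                self.links.append(urljoin(self.base_url, value))


def analyze_lure_page(html, base_url):
    """Return (is_single_exe_lure, distinct_link_targets).

    is_single_exe_lure is True only when the page has at least one link and
    all links resolve to exactly one target whose path ends in .exe, which is
    the pattern the post describes for the fake NFL schedule page.
    """
    parser = LinkCollector(base_url)
    parser.feed(html)
    targets = set(parser.links)
    if not targets:
        return False, targets
    all_exe = all(urlparse(t).path.lower().endswith(".exe") for t in targets)
    return (len(targets) == 1 and all_exe), targets


# Constructed sample resembling the lure page; not the real page's markup.
SAMPLE_HTML = """
<html><body><h1>NFL Game Schedule</h1>
<a href="tracker.exe">Week 1 schedule</a>
<a href="/tracker.exe">Week 2 schedule</a>
<a href="http://example.invalid/tracker.exe">Full season tracker</a>
</body></html>
"""

if __name__ == "__main__":
    flagged, targets = analyze_lure_page(SAMPLE_HTML, "http://example.invalid/")
    print("single-exe lure page:", flagged, "targets:", sorted(targets))
```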