Not So Happy New Year For NUWAR Worm Victims

The next time you see a message that says “Happy New Year”, take time to think about whether you really want to open the message.

A worm, WORM_NUWAR.AY (detected by Trend Micro as TROJ_TIBS.PE), plants itself on a user’s computer and, using its own SMTP engine, sends e-mails with the subject “Happy New Year” to all of the user’s contacts.

A happy new year it may not be, however: the e-mail carries a copy of the worm, which upon execution infects the recipient’s computer, turning it into yet another hub for mass mailing and spreading the worm further.

Trend Micro believes that this worm is part of a complex attack initiated by the NUWAR family. The attack employs multiple components that work together to achieve a common goal.

The worm gathers target recipients from the Windows Address Book (WAB). It chooses from a list of common user names as the sender name, followed by a spoofed domain name. This routine may trick its target recipients into thinking that it comes from a reliable source.

This worm also terminates processes whose names contain certain strings, such as blackice, firewall, mcafee, msconfig, nod32, reged, taskmgr, troja and zpybot, if they are found running in memory. Most of these strings belong to antivirus and security applications, so killing them helps the worm avoid easy detection and subsequent removal.

In addition, this worm disables Internet Connection Sharing (ICS), which prevents users on the network to which the affected system is connected from sharing a single Internet connection. The worm also disables Windows Firewall, leaving the system vulnerable to further attacks.
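The process-termination list and the ICS/firewall tampering described in the last two paragraphs are exactly the kind of host behaviour a detection rule can score. The rule set below is an added example, not Trend Micro’s code: it parses a constructed one-event-per-line `key=value` telemetry format, flags terminations of processes matching the article’s substring list, and flags the firewall and ICS changes. The event format, the sample events, and the process name `postcard.exe` are constructed; the substrings come from the article, `SharedAccess` is the service name under which Windows XP runs ICS and Windows Firewall, and the `EnableFirewall` registry value is the XP firewall policy setting. Treating two or more findings from one process as a suspect is an assumption of this example.

```python
"""Host-telemetry rules for NUWAR-style tampering (added example, not
Trend Micro's code). Event format and sample events are constructed."""
import re
from collections import defaultdict

# Substrings the article says the worm matches against running processes.
KILL_LIST = ("blackice", "firewall", "mcafee", "msconfig", "nod32",
             "reged", "taskmgr", "troja", "zpybot")
FIREWALL_VALUE = "enablefirewall"   # ...\FirewallPolicy\StandardProfile\EnableFirewall
ICS_SERVICE = "sharedaccess"        # XP service hosting ICS and Windows Firewall
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_event(line):
    """Split one constructed 'key=value key="quoted value"' line into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def matches_kill_list(name):
    """Return the first kill-list substring found in a process name, else None."""
    lowered = name.lower()
    return next((s for s in KILL_LIST if s in lowered), None)


def evaluate(lines):
    """Map each acting process to the list of suspicious things it did."""
    findings = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        actor = ev.get("actor", "?")
        kind = ev.get("event")
        if kind == "process_terminate":
            hit = matches_kill_list(ev.get("target", ""))
            if hit:
                findings[actor].append(
                    f"terminated {ev['target']} (matches '{hit}')")
        elif kind == "registry_set":
            if (ev.get("path", "").lower().endswith(FIREWALL_VALUE)
                    and ev.get("value") == "0"):
                findings[actor].append("Windows Firewall disabled via registry")
        elif kind == "service_change":
            if (ev.get("name", "").lower() == ICS_SERVICE
                    and ev.get("state") in ("stopped", "disabled")):
                findings[actor].append("ICS/Firewall service (SharedAccess) stopped")
    return dict(findings)


def suspects(lines, threshold=2):
    """Actors with at least `threshold` findings (assumption of this example)."""
    return sorted(a for a, f in evaluate(lines).items() if len(f) >= threshold)


# Constructed telemetry: one infected-host sequence plus benign noise.
SAMPLE_EVENTS = [
    "ts=2007-01-02T09:00:01 host=PC1 event=process_start actor=explorer.exe target=postcard.exe",
    "ts=2007-01-02T09:00:02 host=PC1 event=process_terminate actor=postcard.exe target=taskmgr.exe",
    "ts=2007-01-02T09:00:02 host=PC1 event=process_terminate actor=postcard.exe target=nod32krn.exe",
    r"ts=2007-01-02T09:00:03 host=PC1 event=registry_set actor=postcard.exe "
    r"path=HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall value=0",
    "ts=2007-01-02T09:00:04 host=PC1 event=service_change actor=postcard.exe name=SharedAccess state=stopped",
    "ts=2007-01-02T09:05:00 host=PC1 event=process_terminate actor=explorer.exe target=notepad.exe",
    "ts=2007-01-02T09:06:00 host=PC1 event=process_terminate actor=taskmgr.exe target=firefox.exe",
]

if __name__ == "__main__":
    for actor, hits in evaluate(SAMPLE_EVENTS).items():
        print(actor, hits)
    print("suspects:", suspects(SAMPLE_EVENTS))
```

Scoring per acting process rather than per event is deliberate: a user killing one hung security tool from Task Manager produces a single finding, whereas the worm's behaviour produces a burst of terminations followed by firewall and ICS changes from the same process, which is what the threshold keys on.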

Trend Micro recommends that users first terminate the running malware process, then remove the registry entries that launch the malware at startup, and finally restore the entries the malware modified.

As of now, Trend Micro has seen few infections caused by this worm; however, it rates the damage potential as medium and the distribution potential as very high, since this is a mass-mailing worm.
