SonicWALL Deploys Protection Against Nuwar Variant

Minu Sirsalewala December 23, 2014, 18:49:03 IST

Network security vendor SonicWALL has deployed early protection against the rapidly proliferating variant of the Nuwar worm, which is currently spreading via e-mails containing seasonal greetings in the subject line. The worm spreads via e-mail with the subject line reading “Happy New Year!” The email contains attachments typically named as one of the following: “Greeting Card.exe”, “Greeting Postcard.exe”, “Postcard.exe”, “greeting card.exe”, “greeting postcard.exe”, or “postcard.exe”. Upon execution, the worm attempts to disable running anti-virus processes and drops a Tibs Trojan on the infected computer system.

Following this, it tries to download additional malicious code from the remote website.

Once a computer is infected, it looks for open mail proxies and begins sending e-mail to infect other computers. The worm uses its own SMTP engine to send a copy of itself to the e-mail addresses found in the address book of the infected PC.

In some instances, the worm sends a malformed executable copy (i.e. containing an incorrect executable header) that could be considered harmless and can simply be treated as SPAM e-mail.
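The indicators described above (the subject line, the attachment names, and the malformed-header case) can be checked against a mail sample as follows. This is an added example, not SonicWALL's signature logic; the function names and the sample messages and payloads are constructed for illustration.

```python
import email
import struct
from email.message import EmailMessage

# Indicators from the article; names are compared case-insensitively.
SUBJECT = "happy new year!"
ATTACHMENT_NAMES = {"greeting card.exe", "greeting postcard.exe", "postcard.exe"}

def has_valid_pe_header(data: bytes) -> bool:
    """True if data has an MZ stub whose e_lfanew field points at 'PE\\0\\0'."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    (pe_offset,) = struct.unpack_from("<I", data, 0x3C)
    return data[pe_offset:pe_offset + 4] == b"PE\x00\x00"

def triage(raw: bytes) -> list:
    """Return (filename, header verdict, subject matched) per suspicious attachment."""
    msg = email.message_from_bytes(raw)
    subject_hit = (msg.get("Subject") or "").strip().lower() == SUBJECT
    findings = []
    for part in msg.walk():
        filename = part.get_filename() or ""
        if filename.strip().lower() not in ATTACHMENT_NAMES:
            continue
        payload = part.get_payload(decode=True) or b""
        verdict = "executable" if has_valid_pe_header(payload) else "malformed"
        findings.append((filename, verdict, subject_hit))
    return findings

def build_sample(filename: str, payload: bytes) -> bytes:
    """Constructed test message; not a captured worm e-mail."""
    msg = EmailMessage()
    msg["Subject"] = "Happy New Year!"
    msg.set_content("constructed sample body")
    msg.add_attachment(payload, maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()

# Constructed payloads: a minimal well-formed MZ/PE prefix and a broken one.
WELL_FORMED = b"MZ" + b"\x00" * 0x3A + struct.pack("<I", 0x40) + b"PE\x00\x00"
BROKEN = b"XX" + WELL_FORMED[2:]

if __name__ == "__main__":
    print(triage(build_sample("Greeting Card.exe", WELL_FORMED)))
    print(triage(build_sample("postcard.exe", BROKEN)))
```

A name match is only a triage signal: the header verdict separates copies that can actually run from the malformed ones the article describes.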

The mass-mailing worm is already moving quickly across the Internet, installing multiple codes on victims’ computers and then protecting them with a rootkit, said SonicWALL in a statement.

Users of SonicWALL’s Unified Threat Management technology have already received updated signatures which are designed to repel the Nuwar worm. On December 30th the vendor issued the following signatures designed to protect users against the threat:

Gateway Anti-Virus Signatures:

Nuwar.B (Worm)

Nuwar.C (Worm)

Intrusion Prevention Signatures:

VIRUS Greeting Card.exe attachments 1 (SID: 1051)

VIRUS Greeting Card.exe attachments 2 (SID: 1052)

VIRUS Greeting Card.zip attachments 1 (SID: 1053)

VIRUS Greeting Card.zip attachments 2 (SID: 1054)
