
Archive for April, 2007


Apr26
by Eric Avena (Technical Communications)

NUWAR is at it again. It has tweaked its technique one more time.

Last week, WORM_NUWAR.AOP was found arriving as a file inside a password-protected ZIP archive, an attempt to evade file scanning: a scanner that cannot open the archive cannot inspect the executable inside it. The password for the archive is supplied in an image used as the message body, an attempt to evade anti-spam technology that keys on message text. While NUWAR is known for its distinctive social engineering schemes, either sensational email messages about war or love, or incredibly timely email details, WORM_NUWAR.AOP had an interesting scheme of its own. It used email messages posing as a notification from an antivirus company. “Worm Detected!” the email message declared.

Apart from the specific detection for the file within the archive, Trend Micro also detects the malicious password-protected ZIP file as WORM_NUWAR.ZIP.

Now a new NUWAR variant is making the rounds inside a password-protected RAR archive. Detected by Trend Micro as WORM_NUWAR.AOS, the worm was spammed using email messages that continue what WORM_NUWAR.AOP started, with a wider scope: the messages now also declare “Virus Detected!” and “Spyware Detected”, among others. As with WORM_NUWAR.AOP, the message body is an image file. Trend Micro detects the malicious password-protected RAR archive as WORM_NUWAR.RAR. These security-alert messages were clearly spammed by the authors rather than sent by the worm itself, because WORM_NUWAR.AOS has a propagation routine of its own, and that routine uses the messages NUWAR has long been associated with: messages of love, such as “For You….My Love” and “I Love Thee”. Like several of its predecessors, on execution WORM_NUWAR.AOS drops NUWAR’s partner in crime, TROJ_SMALL.EDW, which creates peer-to-peer connections between all affected computers, forming a network that ultimately supports NUWAR’s own pump-and-dump spam attack.

With the release of WORM_NUWAR.AOS, it does not look like NUWAR is letting up any time soon. In just a few months it has shown a clear pattern in its social engineering: its authors watch for events to exploit and, when there are none, come up with a new pretext altogether.

NUWAR is above all a social engineering attack. Users are the primary target, and they should be extra vigilant about unexpected attachments, especially archives that arrive together with their own password.
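The evasion described above, a password-protected archive that a scanner cannot open, is also something a mail gateway can detect before any content scanning happens: both ZIP and RAR record in their headers that a member is encrypted, even though the member's bytes are opaque. The Python script below is an added example, not code from the original post or from Trend Micro. It reads the encryption flag from the ZIP central directory and from RAR 4.x file headers, then blocks archives whose encrypted members carry executable names and quarantines any other encrypted archive. The archives it checks are constructed in memory with a dummy payload (Python's zipfile cannot write ZipCrypto, so the sample only sets the flag bit, which is all the gateway check looks at); RAR5 archives, which use a different header layout, are not handled, and header CRCs are not verified.

```python
"""Gateway triage of archive attachments whose members a scanner cannot open.

Added example, not Trend Micro's code. Every archive below is constructed
in memory; the "payload" is a dummy byte string, not malware.
"""
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"
ZIP_CENTRAL_SIG = b"PK\x01\x02"
ZIP_FLAG_ENCRYPTED = 0x0001        # general-purpose flag, bit 0

RAR4_MARKER = b"Rar!\x1a\x07\x00"  # RAR 4.x; RAR5 ("Rar!\x1a\x07\x01\x00") is not handled
RAR4_FILE_HEADER = 0x74
RAR4_FLAG_PASSWORD = 0x0004        # LHD_PASSWORD
RAR4_FLAG_LONG_BLOCK = 0x8000      # ADD_SIZE (packed data length) follows HEAD_SIZE

EXEC_SUFFIXES = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd")


def zip_entries(data: bytes) -> list[tuple[str, bool]]:
    """(name, encrypted) for each member, read from the central directory."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [(zi.filename, bool(zi.flag_bits & ZIP_FLAG_ENCRYPTED))
                    for zi in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def rar4_entries(data: bytes) -> list[tuple[str, bool]]:
    """Walk RAR 4.x blocks: HEAD_CRC(2) TYPE(1) FLAGS(2) SIZE(2) [ADD_SIZE(4)] ...

    Header CRCs are not verified (triage, not extraction) and the LHD_LARGE
    64-bit size variant of the file header is ignored.
    """
    if not data.startswith(RAR4_MARKER):
        return []
    entries, pos = [], 0
    while pos + 7 <= len(data):
        htype, flags, size = struct.unpack_from("<BHH", data, pos + 2)
        add = 0
        if flags & RAR4_FLAG_LONG_BLOCK and pos + 11 <= len(data):
            add = struct.unpack_from("<I", data, pos + 7)[0]
        if size < 7:
            break                                  # corrupt header; stop walking
        if htype == RAR4_FILE_HEADER and pos + 28 <= len(data):
            name_len = struct.unpack_from("<H", data, pos + 26)[0]   # NAME_SIZE
            name = data[pos + 32:pos + 32 + name_len].decode("latin-1")
            entries.append((name, bool(flags & RAR4_FLAG_PASSWORD)))
        pos += size + add
    return entries


def triage(data: bytes) -> str:
    """'block', 'quarantine', 'scan' or 'not-archive' for one attachment."""
    entries = zip_entries(data) or rar4_entries(data)
    if not entries:
        return "not-archive"      # ordinary file scanning applies
    if any(enc and name.lower().endswith(EXEC_SUFFIXES) for name, enc in entries):
        return "block"            # an executable the scanner cannot look at
    if any(enc for _, enc in entries):
        return "quarantine"       # opaque content: hold for manual review
    return "scan"                 # plain archive: pass the members to the scanner


# --- constructed samples (dummy payload, not a real PE) ---
PAYLOAD = b"MZ" + b"\x90" * 30


def build_zip(encrypted: bool, name: str = "patch.exe") -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr(name, PAYLOAD)
    data = bytearray(buf.getvalue())
    if encrypted:
        # zipfile cannot write ZipCrypto, so only the flag bit is set, in the
        # local header (flags at +6) and the central directory entry (+8).
        data[data.find(ZIP_LOCAL_SIG) + 6] |= ZIP_FLAG_ENCRYPTED
        data[data.find(ZIP_CENTRAL_SIG) + 8] |= ZIP_FLAG_ENCRYPTED
    return bytes(data)


def build_rar4(encrypted: bool, name: bytes = b"patch.exe") -> bytes:
    main_header = struct.pack("<HBHH", 0, 0x73, 0, 13) + b"\x00" * 6   # archive header
    flags = RAR4_FLAG_LONG_BLOCK | (RAR4_FLAG_PASSWORD if encrypted else 0)
    file_header = struct.pack(
        "<HBHHIIBIIBBHI",
        0, RAR4_FILE_HEADER, flags, 32 + len(name),   # CRC, type, flags, HEAD_SIZE
        len(PAYLOAD), len(PAYLOAD), 2, 0, 0,            # PACK_SIZE, UNP_SIZE, HOST_OS, FILE_CRC, FTIME
        29, 0x30, len(name), 0x20,                      # UNP_VER, METHOD (store), NAME_SIZE, ATTR
    ) + name
    return RAR4_MARKER + main_header + file_header + PAYLOAD


if __name__ == "__main__":
    for label, blob in [("zip/plain", build_zip(False)), ("zip/encrypted", build_zip(True)),
                        ("rar/plain", build_rar4(False)), ("rar/encrypted", build_rar4(True))]:
        print(f"{label:15} -> {triage(blob)}")
```

The check deliberately ignores the archive's own password entirely: whether or not the password is printed in an image in the mail body, the gateway decision rests only on the flag bits and the member names, which the attacker cannot hide without breaking the archive for the victim too.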

 

Apr24
by Jasper Pimentel (Advanced Threats Researcher)

We’ve just spotted another “security website” that offers to help users get rid of spyware plaguing their systems. In reality, the website does nothing but trick the user into installing an adware application on their system.

Although the website does not automatically download the rogue application, it does a fairly good job of persuading the user to download it themselves.
Similar to the numerous ZLOB-carrying codec websites that proliferated during 2006, this one plays on the unsuspecting user’s trust in anything that presents itself as a security application. Click on any of the download links and the file malwarealarmsetup.exe is downloaded to your system. When this file is executed, it displays the usual dialog boxes of a standard installation package for legitimate applications, even showing the standard EULA text.
(image: malwarealarmsite.jpg)

A solution for this threat is already underway; it will be detected as ADW_SPYSHERIF.BG. As a word of caution, do not download or install anything that this website offers.

 

Apr24
by Ryan Flores (Advanced Threats Researcher)

Yes it is, and the domain appears to have been created for the sole purpose of hosting malware.


A quick look at our malicious URL records shows that 97725.com serves malicious downloads for malware such as PE_LOOKED, TSPY_LEGMIR, TROJ_MULDROP, TSPY_QQPASS, TSPY_WOW, and the most recent Microsoft exploit to hit it big, EXPL_ANIGEN (the Windows animated cursor vulnerability patched in MS07-017).


The domain is hosted in China (not surprising), and most of the malware that downloads from, or can be downloaded from, 97725.com is related to stealing online game credentials.
One interesting technique the malware authors use to evade URL blocking is subdomains: 123.97725.com, down.97725.com, and www.97725.com are the subdomains of 97725.com discovered by Trend Micro so far. A blocklist entry that matches only the exact hostname misses every one of them, whereas matching on the parent domain catches them all. As of this writing, the domain 97725.com is being added to the URL Web Blocking list.


We advise network administrators and IT personnel to check proxy and DNS logs for connection attempts to 97725.com or any of its subdomains, as they could indicate an infected computer on the network.
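The subdomain trick is exactly where naive blocklist matching fails: a rule that compares the whole hostname against 97725.com misses down.97725.com, while a plain substring match also fires on unrelated names such as x97725.com or 97725.com.example.net. The Python script below is an added example, not the post's or Trend Micro's code. It matches hostnames against the blocked domain on DNS label boundaries and runs that check over a few constructed proxy access-log lines in Squid's native format; the timestamps, client addresses, paths and peer addresses are made up, and 97725.com with its three subdomains are the only names taken from the post.

```python
"""Find hosts on the network that contacted a blocked domain or any subdomain of it.

Added example, not Trend Micro's code. The log lines are constructed; the
only real name in them is 97725.com, taken from the post above.
"""
from urllib.parse import urlsplit

BLOCKLIST = {"97725.com"}   # parent domain only; subdomains match automatically


def host_of(target: str) -> str:
    """Hostname from a proxy log target: a full URL, or host:port for CONNECT."""
    if "://" in target:
        return (urlsplit(target).hostname or "").lower()
    return target.rsplit(":", 1)[0].lower()


def in_blocklist(host: str, blocklist=BLOCKLIST) -> bool:
    """True if host equals a blocked domain or sits anywhere beneath one.

    Comparison is on DNS label boundaries, so down.97725.com matches while
    x97725.com and 97725.com.example.net do not.
    """
    labels = host.lower().rstrip(".").split(".")
    return any(".".join(labels[i:]) in blocklist for i in range(len(labels)))


# Constructed Squid native-format lines:
# time elapsed client code/status bytes method URL ident hierarchy/peer type
SAMPLE_ACCESS_LOG = """\
1177372800.101     45 10.0.0.15 TCP_MISS/200  9312 GET http://down.97725.com/1.exe - DIRECT/192.0.2.10 application/octet-stream
1177372801.220     12 10.0.0.15 TCP_MISS/200   511 GET http://123.97725.com:8080/cfg.ini - DIRECT/192.0.2.10 text/plain
1177372802.300     90 10.0.0.22 TCP_MISS/200 20480 CONNECT www.97725.com:443 - DIRECT/192.0.2.10 -
1177372803.010     30 10.0.0.31 TCP_MISS/200  4011 GET http://www.example.com/ - DIRECT/192.0.2.20 text/html
1177372804.400     33 10.0.0.31 TCP_MISS/200  1020 GET http://x97725.com/ - DIRECT/192.0.2.30 text/html
1177372805.500     35 10.0.0.40 TCP_MISS/200  1020 GET http://97725.com.example.net/ - DIRECT/192.0.2.40 text/html
1177372806.600     40 10.0.0.41 TCP_MISS/200  1020 GET http://97725.com/ - DIRECT/192.0.2.10 text/html
"""


def find_hits(log_text: str, blocklist=BLOCKLIST) -> list[tuple[str, str]]:
    """(client, host) for every request whose host is under a blocked domain."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 7:
            continue                       # malformed or truncated line
        client, target = fields[2], fields[6]
        host = host_of(target)
        if host and in_blocklist(host, blocklist):
            hits.append((client, host))
    return hits


def suspect_clients(log_text: str, blocklist=BLOCKLIST) -> list[str]:
    """Distinct internal addresses worth pulling off the network for a look."""
    return sorted({client for client, _ in find_hits(log_text, blocklist)})


if __name__ == "__main__":
    for client, host in find_hits(SAMPLE_ACCESS_LOG):
        print(f"{client:12} -> {host}")
    print("suspect clients:", ", ".join(suspect_clients(SAMPLE_ACCESS_LOG)))
```

The same `in_blocklist` check applies unchanged to DNS query logs, where the queried name is the host; the label-boundary comparison is what keeps a parent-domain entry from matching look-alike names registered by someone else.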

 

Apr23
by Jasper Pimentel (Advanced Threats Researcher)

German users today received a new sample of the YABE threat. The spammed email is sent in the name of Cleverbridge as an order confirmation for “Avira AntiVir PersonalEdition Premium”.

This new threat takes advantage of legitimate entities to aid its propagation. Avira is a German antivirus vendor (formerly H+BEDV), and Cleverbridge is the e-commerce provider for Avira’s AntiVir software. The threat arrives as a ZIP archive (595169.zip) containing the file HBEDV.Key.exe (2,560 bytes), which is supposed to be the “license key” for the product but is actually the malware itself.

On execution, HBEDV.Key.exe connects to the site souljah.com and downloads another Trojan. The downloaded Trojan has a 10-digit file name (117,976 bytes) and is placed in the root folder. This Trojan drops the file ipv6monl.dll into the %system32% directory; this file is the spyware component of the threat. Trend Micro products already detect this component as TSPY_BZUB.IH. Other files related to the threat have been sent through the proper channels so that an appropriate solution can be deployed.


(image: YabeAviraEd.jpg)

 

Apr20
by Miray Lozada (Technical Communications)

A new Web threat reportedly capitalizing on the recent Virginia Tech tragedy is spreading in the wild. Trend Micro detects this malware as TROJ_BANLOAD.CFU. It arrives as an attachment to a spammed email message. Once the recipient opens the attachment, the Trojan executes and connects to the Web page http://{BLOCKED}sting.pop.com.br/glx/vaca/index.jpg, displaying the following image as a decoy:

(image: TROJ_BANLOAD_CFU_img1.gif)

The Trojan then downloads two other malware files, detected as TROJ_GENERIC and the information stealer TSPY_BANKER.HHW, from the following Web pages, respectively:


  • http://85.10.{BLOCKED}.71/Carteiro/Z3r0_C0rp2.exe
  • http://{BLOCKED}sting.pop.com.br/glx/vaca/FANIVIDEOS_BBB7.scr

In addition, it terminates a number of processes, mostly belonging to security applications, to make its detection on the affected system more difficult. Users are advised to be cautious when opening forwarded email or messages from untrusted sources that pertain to the Virginia Tech shooting.

 


© Copyright 2008 Trend Micro Inc. All rights reserved.