Today, our email honeypot captured samples containing subjects about missile strike of US killing Iranians and Iran starting World War III. There’s nothing found in the body of the email message though, just an executable attachment. This is related to a post in SANS diary, “exe malware spammed under “Missile War” subjects”. For now, we have ten samples with different md5 hashes.

Attachment Name	: Click Me.exe : ClickHere.exe : News.exe : Movie.exe : Click Here.exe : ReadMe.exe : News.exe : ReadMore.exe
Subject used	: Missle Strike: The USA kills more then 20000 Iranian citizens : Iran Just Have Started World War III : Israel Just Have Started World War III : Missle Strike: The USA kills more then 10000 Iranian citizens : USA Just Have Started World War III
File MD5′s	: F51C8A2C5CE9230F917A715A10AD7762 : 226CA4F28060147ABC48D57F98E2DCF1 : 4CFF704FE62BD02A52C3CC79D2919BD : 089A8A5D95Feb58723B38Da8Ef0Bc344 : 044C425E423Ae5D2E41Fd986026C4671 : A2184A15862B79Fd53Db5A0C9Bae4979 : B771592Df96Ebe68E77405Ee8345005E : 96B736E03Af1962115E392319F745B7F : 2206F27627C600B4Bdfae5Ab21F813Ed : F00D6F7A7C7B437A50De3Cb7C44862D9
File Size	: 51,342 Bytes

The samples are being handled by the Service Team so watchout for updates. For the meantime, System Administrators may want to block emails with an attachment similar to the one’s mentioned earlier. Update: This malware will be detected as WORM_NUWAR.AOK.