NUWAR has spawned yet another variant last Labor Day when email messages purporting to be eCards related to the said holiday circulated. TrendLabs has received samples that have such subjects as “A Labor Day E-Card” or “The Big Labor Day Weekend.”

The tactic is still the same: a link to the supposed eCard is given, and unsuspecting users who click on the link are redirected to a Web page that displays the following image:

Once the image is clicked, a NUWAR variant detected as WORM_NUWAR.AQK is downloaded onto affected machines. Adding insult to injury is TROJ_TIBS.ANF, which, upon accessing the said page, is downloaded automatically via certain browser vulnerabilities. Both malware are already detected by Trend Micro with the latest pattern file.

It’s interesting to note that after recent makeovers, the NUWAR/ZHELATIN/Storm family has undergone in the past weeks — from BETA testing software to YouTube — it went back to sending eCard greetings. Then again, given the “success” of the 4th of July greetings a couple of months ago, it looks like it’s banking on the idea that holidays and celebrations in general are tantamount to lax security and increased user gullibility. Which is, admittedly, usally the case…

Data and initial analysis provided by Robert McArdle of TrendLabs EMEA