Sep6
3:38 am (UTC-7)   |   by Mayee Corpin (Technical Communications)

A new wave of NUWAR is worming its way into inboxes with thousands of emails being sent. The worm acts in two waves. Firstly, it is sending out a wave of emails similar to the one below, purporting to offer downloads of the Tor Anonymous Proxy. Spam.JPG If the user follows the link in the email, they will not be taken to the official site for the legitimate Tor application, but instead be redirected to a fake site that displays the following: Tor.jpg Once the user clicks the â??Download Torâ?? button, they are given a NUWAR variant that is proactively detected as POSSIBLE_NUCRP-4, and which has the file name TOR.EXE. As with previous examples of this threat, the Web site also contains multiple exploits to attempt to download this file automatically. This is just the latest in a long line of NUWAR creators’ social engineering ploys, which has seen them try everything from eCards, to BETA testing software and even YouTube videos.

Update: TrendLabs detects the said .EXE file as WORM_NUWAR.AQL with the latest pattern file.

This information was provided by Robert MacArdle from the European TrendLabs

If you're new here, you may want to subscribe to our RSS feed. Thanks for visiting!



This entry was posted on Thursday, September 6th, 2007 at 3:38 am and is filed under Security . Responses are closed, but you can trackback from your own site.



One Response to “NUWAR Poses as Tor Proxy”

Trackbacks

  1. Light Blue Touchpaper » Analysis of the Storm Javascript exploits

What’s Up, .DOC?
Trend Micro Web site – Phished!


 
TrendWatch Hijack This Web Protection Add-On
Free Online Virus Scan Rootkit Buster Submit Suspicious Files
Global Malware Map RUBotted? Trend Micro
 



    		 
© Copyright 2009 Trend Micro Inc. All rights reserved. Legal Notice