NUWAR Poses as Tor Proxy

September 6th, 2007 by Mayee Corpin (Technical Communications)

A new wave of NUWAR is worming its way into inboxes, with thousands of emails being sent. The worm acts in two waves. First, it sends out a wave of emails similar to the one below, purporting to offer downloads of the Tor Anonymous Proxy.

[Image: Spam.JPG]

If the user follows the link in the email, they are not taken to the official site for the legitimate Tor application but are instead redirected to a fake site that displays the following:

[Image: Tor.jpg]

Once the user clicks the “Download Tor” button, they are given a NUWAR variant that is proactively detected as POSSIBLE_NUCRP-4 and has the file name TOR.EXE. As with previous examples of this threat, the Web site also contains multiple exploits that attempt to download this file automatically.

This is just the latest in a long line of social engineering ploys by NUWAR’s creators, who have tried everything from eCards to BETA testing software and even YouTube videos.

Update: TrendLabs detects this .EXE file as WORM_NUWAR.AQL with the latest pattern file.

This information was provided by Robert MacArdle from the European TrendLabs


Trackback


Listed below are links to weblogs that reference NUWAR Poses as Tor Proxy:

  • Light Blue Touchpaper » …  |  Tracked on September 8th, 2007 at 3:26 am

    [...] has been tedious, it could be considered a milestone in Tor’s progress. It has also generated some publicity on a few blogs. Tor has long promoted procedures for verifying the authenticity of [...]

