Here is a new style from NUWAR, a.k.a. Storm. NUWAR is sending spam as usual but this time with slightly different content. As can be seen here, it is claiming to link to a free video starring Liv Tyler (see highlighted text).
Figure 1. Spam mail enticing users to click on the link to watch a video.
Once a user clicks the link on the message, the user will end up here:
Figure 2. Instead of Liv Tyler, the user gets a blue Web page and a certain “security error.”
The said “security errors” suggest that the PC has been infected by spyware. If the user succumbs to the ploy and clicks on OK, he/she is prompted to download INSTALL_EN.EXE, which is detected by Trend Micro as WORM_NUWAR.AL.
WORM_NUWAR.AL then drops other malicious files that Trend Micro detects as WORM_NUWAR.AE and WORM_NUWAR.AN. Unlike the modus operandi of cyber criminals using typical rogue anti-spyware, this attack takes a somewhat different route: the downloaded file is not a fake anti-spyware program, instead it is a malware itself.
Our honeypots have caught similar NUWAR spam that contain different subject headings or content, one of which is found below:
Figure 3.Spam found to exhibit the same attack algorithm.
Interestingly, a Google search for “Best AntiSpyware Solution” reveals several sites that appear to have been compromised to host files that show the same fake errors. These pages also lead users to the download of malicious files. Users should update their anti-spam and anti-malware programs to filter out spam and detect the NUWAR variants. Trend Micro Smart Protection Network is able to block this attack at various points of the infection chain.