Yes, WORM_NUWAR’s at it again and this time around it is using image spam tactics. Spammed messages related to this variant, detected by Trend Micro as WORM_NUWAR.EN, have message bodies in GIF format. The volume of image spam rose dramatically late last year when spammers realized how effective images can be at evading email content filters. WORM_NUWAR.EN may be capitalizing on this effectiveness to expand its already versatile spamming repertoire.
Another notable thing about this particular Nuwar is its availability on several IP addresses, most of which are .HK (Hong Kong) domains. The usual file name of the executable is ECARD.EXE. The cherry on top, however, is a rootkit capability that enables it to hide its network activities.
Whereas WORM_NUWAR variants in general usually bank on social engineering to carry out effective attacks, this latest iteration takes Nuwar’s technical chops to another level. Yes, WORM_NUWAR is indeed at it again, and it’s hitting different areas that are still sure to hurt.