Apr 26
11:04 am (UTC-7)   |   by Eric Avena (Technical Communications)

NUWAR is at it again. It has tweaked its technique one more time.

Last week, WORM_NUWAR.AOP was found arriving as a file contained in a password-protected ZIP archive, an attempt to evade file scanning. The password to the archive is in an image used as the message body, an attempt to evade anti-spam technology. While NUWAR is known for its distinct social engineering schemes — either by using sensational email messages about war or love, or by using incredibly timely email details — WORM_NUWAR.AOP had an interesting scheme of its own. It used email messages posing as a notification from an antivirus company. “Worm Detected!” the email message declared.

Apart from the specific detection for the file within the archive, Trend Micro also detects the malicious password-protected ZIP file as WORM_NUWAR.ZIP.
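The delivery pattern described above (an encrypted archive that cannot be scanned, paired with an image-only body that carries the password) can be checked at a mail gateway. The following is an added example, not Trend Micro's detection logic; the function names, the quarantine rule and the sample message are constructed for illustration, and only ZIP is handled.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

ENCRYPTED = 0x1  # bit 0 of the ZIP general-purpose flag: entry is encrypted


def encrypted_zip_members(data: bytes) -> list[str]:
    """Names of encrypted entries; an empty list if none or not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [i.filename for i in zf.infolist() if i.flag_bits & ENCRYPTED]
    except zipfile.BadZipFile:
        return []


def triage(raw: bytes) -> dict:
    """Flag mail with an unscannable ZIP whose body carries no readable text."""
    msg = message_from_bytes(raw, policy=policy.default)
    locked, has_text, has_image = [], False, False
    for part in msg.walk():
        if part.is_multipart():
            continue
        payload = part.get_payload(decode=True) or b""
        if part.get_content_maintype() == "image":
            has_image = True
        elif part.get_content_type() in ("text/plain", "text/html") and not part.is_attachment():
            has_text = has_text or bool(payload.strip())
        elif payload[:2] == b"PK":  # trust magic bytes, not the declared type
            locked += encrypted_zip_members(payload)
    image_only = has_image and not has_text
    return {"encrypted_members": locked, "image_only_body": image_only,
            "quarantine": bool(locked) and image_only}


def build_sample(encrypted: bool) -> bytes:
    """Constructed sample: image body plus a ZIP; flag bit set by patching headers."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("patch.exe", b"constructed placeholder")
    z = bytearray(buf.getvalue())
    if encrypted:
        z[6] |= ENCRYPTED                           # local file header flags
        z[z.index(b"PK\x01\x02") + 8] |= ENCRYPTED  # central directory flags
    msg = EmailMessage()
    msg["Subject"] = "Worm Detected!"
    msg.set_content(b"\x89PNG\r\n\x1a\n", maintype="image", subtype="png")
    msg.add_attachment(bytes(z), maintype="application", subtype="zip", filename="patch.zip")
    return msg.as_bytes()
```

An HTML body that contains nothing but an image tag counts as text here, so a production rule would also need to inspect the rendered text of HTML parts.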

Now, a new NUWAR variant is making the rounds contained in a password-protected RAR archive. Detected by Trend Micro as WORM_NUWAR.AOS, the worm was spammed using email messages that continue what WORM_NUWAR.AOP started, albeit with a wider scope: the email messages now also declare “Virus Detected!” and “Spyware Detected”, among others. As with WORM_NUWAR.AOP, the message body is an image file. Trend Micro detects the malicious password-protected RAR archive as WORM_NUWAR.RAR. WORM_NUWAR.AOS, however, was clearly spammed, because it has a propagation routine of its own using email messages that NUWAR has been associated with — messages of love. “For You….My Love”, “I Love Thee”. Like several of its predecessors, on execution WORM_NUWAR.AOS drops NUWAR’s partner-in-crime, TROJ_SMALL.EDW, known for creating a P2P-based connection between all affected computers, forming a link that ultimately assists NUWAR in its own pump-and-dump spam attack.

With the release of WORM_NUWAR.AOS, it doesn’t look like NUWAR is letting up any time soon. In just a few months, it has shown an interesting pattern of social engineering tactics. Its authors seem to be always watching out for events to exploit, or, when there are none, they come up with a new tactic altogether.

NUWAR is clearly a social engineering attack. Users are the primary target. Users should therefore be extra vigilant.




