Happy New Year Worm
Original issue date: December 30, 2006
It has been observed that a worm variant of the NUWAR family, detected as WORM_NUWAR.AY (Trend Micro) and also known as Luder.A (F-Secure) and W32/Dref-U (Sophos), is spreading in the wild.
It is a mass-mailing worm that uses its own SMTP engine. The subject line of the mails it sends contains the string “HAPPY NEW YEAR”. Mails generated by the worm carry a copy of the worm as an attachment named postcard.exe and have an empty message body.
The worm collects the email addresses it sends to from the Windows Address Book (WAB). It terminates processes related to antivirus and security applications and also disables Internet Connection Sharing (ICS) and the Windows Firewall.
The worm also drops other malware onto the infected system.
Activities of the worm after execution are:
Drops a copy of itself in the Windows folder with the name PPL.EXE and also the following files in the same folder:
google.png.exe
se.exe
winsub.xml
zlbw.dll
Some of the files listed above are detected as other malware threats.
Creates the following registry entries to ensure its automatic execution at every system startup:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
agent = "%System%\ppl.exe"
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
agent = "%System%\ppl.exe"
Modifies the value of the following registry entry, which pertains to the Internet Connection Sharing (ICS) and Windows Firewall services:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
Start = "3"
Gathers email addresses from the Windows Address Book (WAB) and, as the spoofed sender, uses any of the following common names followed by a spoofed domain name:
Aldora, Alysia, Amorita, Anita, April, Aretina, Barbra, Becky, Bella, Bettina,
Blenda, Briana, Bridget, Caitlin, Camille, Carla, Carmen, Chelsea, Clarissa,
Damita, Danielle, Daria, Diana, Donna, Doris, Ebony, Eliza, Emily, Erika, Evelyn, Faith, Gilda, Gloria, Haley, Helga, Holly, Idona, Isabel, Ivana, Ivory, Janet, Jewel, Joanna, Julie, Juliet, Kacey, Kassia, Katrina, Laura, Linda, Lolita, Melody, Nadia, Naomi, Natalie, Nicole, Olivia, Pamela, Peggy, Queen, Rachel, Sharon, Silver, Valda, Valora, Vanessa, Vicky, Violet, Vivian, Wendy, Willa, Xandra, Xenia, Xylia, Zenia, Zilya.
Terminates processes related to antivirus and security applications.
In view of the rapid propagation of the worm variants, users are advised to implement the following countermeasures:
- Install and maintain updated anti-virus software at the gateway and desktop level
- Filter emails with the above-mentioned subject line and attachment name at the gateway
- Keep up to date on patches and fixes for the operating system and application software
- Exercise caution while opening email attachments
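The gateway filter recommended above, as an added example that is not part of the original advisory: it parses a raw message with Python's standard email library and scores the indicators this advisory gives (the subject string, the postcard.exe attachment, the empty body and a subset of the spoofed sender names). The sample messages it builds are constructed for the example; the attachment payload is a harmless placeholder.

```python
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the advisory above.
WORM_SUBJECT = "HAPPY NEW YEAR"
WORM_ATTACHMENT = "postcard.exe"
# Subset of the spoofed sender names listed in the advisory.
SPOOFED_NAMES = frozenset({"julie", "laura", "nicole", "pamela", "rachel", "wendy"})


def classify_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and report which worm indicators it matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "")
    subject_hit = WORM_SUBJECT in subject.upper()

    attachment_hit = any(
        (part.get_filename() or "").lower() == WORM_ATTACHMENT
        for part in msg.iter_attachments()
    )

    # The worm sends no message text at all, so an empty body is a supporting signal.
    body = msg.get_body(preferencelist=("plain", "html"))
    empty_body = body is None or body.get_content().strip() == ""

    addrs = msg["from"].addresses if msg["from"] else ()
    sender_hit = any(a.username.lower() in SPOOFED_NAMES for a in addrs)

    # A subject match alone is too weak to block on (legitimate greetings use it);
    # require the postcard.exe attachment plus at least one more indicator.
    verdict = attachment_hit and (subject_hit or empty_body or sender_hit)
    return {"subject_hit": subject_hit, "attachment_hit": attachment_hit,
            "empty_body": empty_body, "sender_hit": sender_hit, "verdict": verdict}


def build_sample(sender: str, subject: str, body: str, attachment_name=None) -> bytes:
    """Construct a test message (constructed data, not a captured worm mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = subject
    if body:
        msg.set_content(body)
    if attachment_name:
        msg.add_attachment(b"placeholder bytes, not the worm", maintype="application",
                           subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(classify_message(build_sample("julie@example.invalid", "HAPPY NEW YEAR", "", "postcard.exe")))
    print(classify_message(build_sample("boss@example.invalid", "Happy New Year from the team", "See you in January.")))
```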
References:
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FNUWAR%2EAY&VSect=T
http://www.f-secure.com/v-descs/luder_a.shtml#details
http://www.sophos.com/security/analyses/w32drefu.html
Disclaimer
The information provided herein is on "as is" basis, without warranty of any kind.
Contact Information

Phone: +91-11-24368572
Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003