Spammer:Win32/Nuwar is a component of the Win32/Nuwar Trojan family that is used to relay e-mail. Messages are sent in various formats and commonly contain a hyperlink to a remote Web site hosting Win32/Nuwar Trojan files.
Spammer:Win32/Nuwar is commonly installed in one of these locations:
Additional components of Spammer:Win32/Nuwar may exist as any of these files:
<system folder>\zlbw.dll (Clean file used for decompression)
Upon installation, Spammer:Win32/Nuwar contacts remote Web sites to receive compressed e-mail configuration information, which includes e-mail body content and recipient lists. The information is then decompressed and interpreted, and the infected machine becomes a spam relay.
Later variants drop a kernel-mode driver <system folder>\spooldr.sys, which is used to protect the spammer component from removal and to disable common firewalls.
The kernel-mode driver attempts to prevent any executable image with the following substrings from executing:
The kernel-mode driver terminates the following processes:
The kernel-mode driver hides files and folders whose names begin with "spooldr" by hooking the ZwQueryDirectoryFile API, and denies access to tcpip.sys by hooking ZwCreateFile.
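Because the directory-listing hook only affects enumeration performed through the live system's API, a defender can expose the hidden entries by comparing that listing against one obtained out-of-band (for example from an offline scan of the disk) and then checking the difference against the indicators given above. The following cross-view check is an added example and not part of the original description; the two directory listings are constructed sample data, not real captures.

```python
"""Cross-view comparison for files hidden by a directory-enumeration hook.

Constructed example: 'api_view' stands for what a user-mode directory listing
returns on the live system (it passes through the hooked ZwQueryDirectoryFile),
'raw_view' for the same directory enumerated out-of-band, e.g. from an offline
scan of the disk. Entries present only in the raw view were hidden live.
"""

# Indicators taken from the description: the hidden-name prefix, the dropped
# driver and the decompression DLL placed in the system folder.
HIDDEN_PREFIX = "spooldr"
KNOWN_COMPONENTS = {"spooldr.sys", "zlbw.dll"}


def hidden_entries(api_view, raw_view):
    """Return names seen in the raw enumeration but not via the API (case-insensitive)."""
    api_lower = {name.lower() for name in api_view}
    return sorted(name for name in raw_view if name.lower() not in api_lower)


def classify(hidden):
    """Split hidden names into those matching the documented indicators and the rest.

    Returns (matched, unexplained); a hidden name that matches nothing known
    still merits a look, since hiding itself is the suspicious behaviour.
    """
    matched, unexplained = [], []
    for name in hidden:
        low = name.lower()
        if low.startswith(HIDDEN_PREFIX) or low in KNOWN_COMPONENTS:
            matched.append(name)
        else:
            unexplained.append(name)
    return matched, unexplained


# Constructed sample listings of <system folder>; these are not real captures.
API_VIEW = ["ntoskrnl.exe", "tcpip.sys", "zlbw.dll", "kernel32.dll"]
RAW_VIEW = ["ntoskrnl.exe", "tcpip.sys", "zlbw.dll", "kernel32.dll",
            "spooldr.sys", "SPOOLDR.ini", "other.tmp"]

if __name__ == "__main__":
    hidden = hidden_entries(API_VIEW, RAW_VIEW)
    matched, unexplained = classify(hidden)
    print("hidden from live listing:", hidden)
    print("matches Nuwar indicators:", matched)
    print("hidden but unexplained:", unexplained)
```

Note that zlbw.dll is a clean decompression library and is not hidden by the driver, so in the sample it appears in both views; it is kept in the indicator set only so that it is recognised if some variant did hide it.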