Spammer:Win32/Nuwar


Spammer:Win32/Nuwar is a component of the Win32/Nuwar Trojan family, and is used to relay e-mails. E-mail messages are sent in various formats, commonly containing a hyperlink to a remote Web site hosting Win32/Nuwar Trojan files.


What to do now

Spammer:Win32/Nuwar may download and install additional malicious software, so manual removal is not recommended. To detect and remove this Trojan and any other malicious software that may have been installed, run a full-system scan with an up-to-date antivirus product such as the Microsoft Safety Scanner (http://go.microsoft.com/fwlink/?LinkId=212742). For more information, visit http://www.microsoft.com/athome/security/downloads/default.mspx.

Threat behavior

 
Spammer:Win32/Nuwar is commonly installed in one of these locations:
%WinDir%\spooldr.exe
<system folder>\taskdir.exe
 
Additional components of Spammer:Win32/Nuwar may exist as any of these files:
<system folder>\adir.dll
<system folder>\taskdir.dll
<system folder>\zlbw.dll (Clean file used for decompression)
 
Upon installation, Spammer:Win32/Nuwar contacts remote Web sites to receive compressed e-mail configuration information, which includes e-mail body content and recipient lists. The information is then decompressed and interpreted, and the infected machine becomes a spam relay.
 
Later variants drop a kernel-mode driver <system folder>\spooldr.sys, which is used to protect the spammer component from removal and to disable common firewalls.
 
The kernel-mode driver attempts to prevent any executable image whose path contains one of the following substrings from executing:
<system folder>\vsdatant.sys
<system folder>\drivers\bcfilter.sys
<system folder>\drivers\bcftdi.sys
<system folder>\drivers\bc_hassh_f.sys
<system folder>\drivers\bc_ip_f.sys
<system folder>\drivers\bc_ngn.sys
<system folder>\drivers\bc_pat_f.sys
<system folder>\drivers\bc_prt_f.sys
<system folder>\drivers\bc_tdi_f.sys
%ProgramFiles%\zone labs\zonealarm\zclient.exe
%ProgramFiles%\agnitum\outpost firewall\kernel\filtnt.sys
%ProgramFiles%\agnitum\outpost firewall\kernel\sandbox.sys
%ProgramFiles%\mcafee.com\personal firewall\data\drv\mpfirewall.sys
 
The kernel-mode driver terminates the following processes:
zlclient.exe
outpost.exe
 
The kernel-mode driver hides files and folders whose names begin with "spooldr" by hooking the ZwQueryDirectoryFile API, and denies access to tcpip.sys by hooking ZwCreateFile.
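One defender-side check the behaviour above suggests, as an added example that is not part of the Microsoft entry: a hook on ZwQueryDirectoryFile filters "spooldr*" entries out of directory listings, but a direct probe of the full path (os.path.exists on a live host) still resolves, so comparing the two views exposes the hidden file. The directory contents and the fake listing/exists callables below are constructed stand-ins so the code runs offline; the real file names come from the entry.

```python
"""Cross-view check for files hidden by a directory-listing hook (added example)."""
import ntpath

# File names the entry lists for Nuwar; the caller resolves %WinDir% / <system folder>.
NUWAR_FILE_NAMES = ("spooldr.exe", "spooldr.sys", "taskdir.exe", "adir.dll", "taskdir.dll")

def cross_view_scan(directory, names, listdir, exists):
    """Map each indicator present on disk to 'hidden' (absent from the listing) or 'visible'."""
    visible = {n.lower() for n in listdir(directory)}
    found = {}
    for name in names:
        if exists(ntpath.join(directory, name)):
            found[name] = "visible" if name.lower() in visible else "hidden"
    return found

def scan_host(listdir, exists, windir=r"C:\Windows"):
    """Run the check over both install locations named in the entry.

    On a live Windows host pass os.listdir and os.path.exists; the fakes below
    stand in for them so this runs offline."""
    findings = {}
    for directory in (windir, ntpath.join(windir, "system32")):
        found = cross_view_scan(directory, NUWAR_FILE_NAMES, listdir, exists)
        if found:
            findings[directory] = found
    return findings

# Constructed sample: real directory contents of a hypothetical infected host.
FAKE_FS = {
    r"C:\Windows": ["explorer.exe", "spooldr.exe"],
    r"C:\Windows\system32": ["kernel32.dll", "spooldr.sys", "taskdir.exe", "tcpip.sys"],
}

def fake_listdir(directory):
    """Simulate the hooked ZwQueryDirectoryFile: entries starting with 'spooldr' vanish."""
    return [n for n in FAKE_FS.get(directory, []) if not n.lower().startswith("spooldr")]

def fake_exists(path):
    """Direct path probe; the entry does not describe this view being filtered."""
    directory, name = ntpath.split(path)
    return name in FAKE_FS.get(directory, [])

if __name__ == "__main__":
    print(scan_host(fake_listdir, fake_exists))
```

A file that the direct probe finds but the listing omits is the rootkit signature here; a visible indicator such as taskdir.exe is still worth flagging, which is why both states are reported.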
 

Symptoms

Spammer:Win32/Nuwar uses advanced stealth techniques to hide its files and associated registry modifications. Hence, it is unlikely that users could easily ascertain the presence of the Trojan on the infected computer.


Alert level: Severe
First detected by definition: 1.45.287.0
Latest detected by definition: 1.45.287.0 and higher
First detected on: Oct 07, 2008
This entry was first published on: Sep 08, 2007
This entry was updated on: Apr 03, 2014

This threat is also detected as:
  • Win32/Sinray.G (CA)
  • Spammer:Win32/Sinteri.gen!B (Microsoft)