Spammer:Win32/Nuwar is a component of the Win32/Nuwar Trojan family, and is used to relay e-mails. E-mail messages are sent in various formats, commonly containing a hyperlink to a remote Web site hosting Win32/Nuwar Trojan files.
Spammer:Win32/Nuwar is commonly installed in one of these locations:
Additional components of Spammer:Win32/Nuwar may exist as any of these files:
<system folder>\zlbw.dll (Clean file used for decompression)
Upon installation, Spammer:Win32/Nuwar contacts remote Web sites to receive compressed e-mail configuration information, which includes e-mail body content and recipient addresses. The information is then decompressed and interpreted, and the infected machine begins to act as a spam relay.
Later variants drop a kernel-mode driver <system folder>\spooldr.sys, which is used to protect the spammer component from removal and to disable common firewalls.
The kernel-mode driver attempts to prevent any executable image with the following substrings from executing:
The kernel-mode driver terminates the following processes:
The kernel-mode driver hides files and folders whose names begin with "spooldr" by hooking the ZwQueryDirectoryFile API, and denies access to tcpip.sys by hooking ZwCreateFile.
Spammer:Win32/Nuwar uses advanced stealth techniques to hide its files and associated registry modifications, so users are unlikely to be able to easily ascertain the presence of the Trojan on the infected computer.
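Because the driver hides "spooldr*" entries by filtering the result of a directory enumeration, a defender can detect it by comparing the listing an ordinary API call returns with an unfiltered view of the same folder (for example, one taken from an offline or forensic scan of the disk). The following added example, which is not code from the original advisory, models that filter and the cross-view check on a constructed directory listing; the file name `spooldr_cfg.dat` is a constructed sample, not a name the advisory gives.

```python
"""Cross-view check for the directory-listing filter described above."""

# Prefix the driver removes from ZwQueryDirectoryFile results (from the advisory).
HIDDEN_PREFIX = "spooldr"
# File names the advisory associates with the component.
COMPONENT_NAMES = {"spooldr.sys", "zlbw.dll"}


def simulate_hooked_listing(raw_listing):
    """Model of the hook: every entry starting with the prefix is dropped."""
    return [name for name in raw_listing if not name.lower().startswith(HIDDEN_PREFIX)]


def cross_view_diff(api_listing, raw_listing):
    """Entries present on disk but missing from the API view: a hiding indicator."""
    return sorted(set(raw_listing) - set(api_listing))


def assess(api_listing, raw_listing):
    """Combine the cross-view diff with a lookup of the advisory's file names."""
    hidden = cross_view_diff(api_listing, raw_listing)
    known = sorted(n for n in raw_listing if n.lower() in COMPONENT_NAMES)
    return {
        "hidden_entries": hidden,
        "known_component_names": known,
        "suspect": bool(hidden) or bool(known),
    }


# Constructed sample: what an offline scan of the system folder would see.
RAW_SYSTEM_FOLDER = [
    "ntoskrnl.exe", "tcpip.sys", "kernel32.dll",
    "spooldr.sys", "spooldr_cfg.dat", "zlbw.dll",
]
# What a user-mode tool would see through the hooked API on the same folder.
API_VIEW = simulate_hooked_listing(RAW_SYSTEM_FOLDER)

if __name__ == "__main__":
    print(assess(API_VIEW, RAW_SYSTEM_FOLDER))
```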