Backdoor:Win32/Nuwar.A is a backdoor Trojan that allows unauthorized access to an infected computer. The Trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This Trojan also contains advanced stealth functionality that allows it to hide particular files, registry entries and registry values.
When executed, Backdoor:Win32/Nuwar.A performs the following actions:
Creates a configuration file <system folder>\wincom32.ini, which contains a list of peers to connect to initially (see the 'Backdoor Functionality' section below for further detail).
Drops a kernel driver <system folder>\wincom32.sys, which is then installed using the file name minus the extension (wincom32) as the display name. This driver is detected as Backdoor:Win32/Nuwar!sys.
Creates a mutex named 'E8dK894Lm9#sF2i$sOBq2X', which it uses as a marker to prevent re-installation attempts if the driver is already running.
Injects a malicious payload into "services.exe". As a consequence, any network activity appears to originate from services.exe.
Attempts to modify 'Windows Time' configuration settings.
Note: <system folder> refers to a variable location that the malware determines by querying the operating system. The default System directory for Windows 2000 and NT is C:\Winnt\System32; for XP and Vista it is C:\Windows\System32.
Advanced Stealth Features
The kernel mode driver, wincom32.sys, hides files, registry keys and registry values beginning with the string 'wincom32' by hooking the following functions:
Backdoor Functionality
The component injected into services.exe attempts to join a P2P network, where directives can be exchanged between peers. Once connected to the network, active peers can be instructed to download and execute arbitrary files.
There are no common symptoms associated with this threat. Alert notifications from installed antivirus software may be the only symptom(s).
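Because the driver hides names beginning with 'wincom32' from the live system, a live listing alone cannot clear a host. The following added example (not code from the original description or from any vendor tool) diffs a live view against an offline view (mounted disk image, offline registry hive) and checks for the marker mutex; the sample listings and the service key path are constructed assumptions.

```python
# Added example: cross-view check for the hiding behaviour attributed to
# wincom32.sys. Entries that appear offline but not in the live view, and
# whose name starts with the hidden prefix, point at the hooked enumeration.
HIDDEN_PREFIX = "wincom32"               # prefix hidden by the driver (from the page)
MUTEX_NAME = "E8dK894Lm9#sF2i$sOBq2X"    # re-installation marker mutex (from the page)

def basename(path):
    """Last path or key component, e.g. 'drivers\\wincom32.sys' -> 'wincom32.sys'."""
    return path.rsplit("\\", 1)[-1]

def hidden_entries(live_view, offline_view):
    """Entries present in the offline view but missing from the live one.
    Comparison is case-insensitive, matching Windows name semantics."""
    live = {entry.lower() for entry in live_view}
    return sorted(entry for entry in offline_view if entry.lower() not in live)

def assess(live_files, offline_files, live_keys, offline_keys, mutexes):
    """Return human-readable findings tied to the indicators on this page."""
    findings = []
    for path in hidden_entries(live_files, offline_files):
        if basename(path).lower().startswith(HIDDEN_PREFIX):
            findings.append(f"hidden file: {path}")
    for key in hidden_entries(live_keys, offline_keys):
        if basename(key).lower().startswith(HIDDEN_PREFIX):
            findings.append(f"hidden registry key: {key}")
    if MUTEX_NAME in mutexes:          # the page says files/registry are hidden, not mutexes
        findings.append(f"marker mutex present: {MUTEX_NAME}")
    return findings

# Constructed sample views; the service key path is an assumption derived
# from the 'wincom32' display name, not a value taken from the page.
LIVE_FILES = ["kernel32.dll", "services.exe", "drivers\\ntfs.sys"]
OFFLINE_FILES = LIVE_FILES + ["wincom32.ini", "drivers\\wincom32.sys"]
LIVE_KEYS = ["SYSTEM\\CurrentControlSet\\Services\\Tcpip"]
OFFLINE_KEYS = LIVE_KEYS + ["SYSTEM\\CurrentControlSet\\Services\\wincom32"]
MUTEXES = ["Global\\example", MUTEX_NAME]

if __name__ == "__main__":
    for finding in assess(LIVE_FILES, OFFLINE_FILES, LIVE_KEYS, OFFLINE_KEYS, MUTEXES):
        print(finding)
```

Any offline-only entry, prefixed or not, deserves a look; the prefix filter only ranks the ones this driver is known to hide.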