Threat behavior
Backdoor:Win32/Nuwar.gen!B is a trojan that allows unauthorized access to an infected computer. The trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This trojan also contains advanced stealth functionality that allows it to hide particular files, registry entries and registry values.
Please note that there are variants of this trojan circulating in the wild, and that while their functionality is identical, they may contain small differences with regard to file names used, events created, etc. As such, we have listed two variations for each behavior listed below.
When executed, Backdoor:Win32/Nuwar.B performs the following actions.
Creates a configuration file as <system>\burito.ini that contains a list of peers to connect to initially (see Backdoor Functionality section below for further detail).
This file is detected as Backdoor:Win32/Nuwar.B!ini
Drops a kernel-mode driver as <system>\buritoxxxx-xxxx.sys (where xxxx describes a four character alphanumeric string of randomly generated content - for example "C:\WINDOWS\System32\burito42a7-127d.sys"). The driver is then installed, using the file name as the display name.
This file is detected as Backdoor:WinNT/Nuwar.B!sys
Creates a mutex named either "uri40333444" or "hlkjlkjlklk34d", which the trojan uses as a marker to prevent re-installation attempts if the driver is already running.
Injects a malicious payload into the running process "services.exe". As a consequence, any network activity generated by the trojan appears to originate from services.exe.
Attempts to modify 'Windows Time' configuration settings.
Note: <system> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
Advanced Stealth Features
The driver hides files, registry keys and registry values whose names begin with the string "burito" by hooking the following functions:
NtEnumerateKey
NtEnumerateValueKey
NtQueryDirectoryFile
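The installation indicators above (burito.ini, the buritoxxxx-xxxx.sys driver, the two mutex names, the service display name) and the directory-listing hook can be checked together with a cross-view comparison: a listing obtained through the hooked API is compared against a listing obtained by another route (raw volume parsing, an offline boot), and anything present in the second but absent from the first was hidden. The script below is an added illustration written for this page, not Microsoft's or the malware's code. It simulates the hooked listing in-process (rootkit_filtered_view) rather than reading a disk, assumes the four "xxxx" groups in the driver name are lowercase alphanumerics as in the page's example, and uses constructed directory, mutex and service listings as input.

```python
import re

# Indicators taken from the page. The driver-name regex is an assumption
# about the "xxxx" groups (alphanumeric, case-insensitive).
NUWAR_INI = "burito.ini"
NUWAR_DRIVER_RE = re.compile(r"^burito[0-9a-z]{4}-[0-9a-z]{4}\.sys$", re.IGNORECASE)
NUWAR_MUTEXES = {"uri40333444", "hlkjlkjlklk34d"}
HIDDEN_PREFIX = "burito"


def rootkit_filtered_view(raw_entries):
    """Simulation of what the hooked NtQueryDirectoryFile hands back: every
    entry whose name begins with 'burito' is dropped. This models the
    behaviour the page describes; it is not the driver's code."""
    return [e for e in raw_entries if not e.lower().startswith(HIDDEN_PREFIX)]


def cross_view_hidden(api_view, raw_view):
    """Cross-view comparison: names present in the raw (unhooked) listing but
    missing from the API listing were hidden by something in between."""
    return sorted(set(raw_view) - set(api_view))


def classify_name(name):
    """Map a file name to the detection name the page gives it, or None."""
    lower = name.lower()
    if lower == NUWAR_INI:
        return "Backdoor:Win32/Nuwar.B!ini"
    if NUWAR_DRIVER_RE.match(lower):
        return "Backdoor:WinNT/Nuwar.B!sys"
    return None


def triage(api_view, raw_view, mutexes, service_display_names):
    """Return (category, value, detail) findings for one host.

    api_view / raw_view: two listings of the same system directory.
    mutexes: names of mutexes currently present on the host.
    service_display_names: display names of installed services/drivers.
    """
    findings = []
    hidden = set(cross_view_hidden(api_view, raw_view))
    for name in sorted(set(raw_view)):
        det = classify_name(name)
        if name in hidden:
            findings.append(("hidden_file", name, det or "unknown hidden entry"))
        elif det:
            findings.append(("file", name, det))
    for m in mutexes:
        if m in NUWAR_MUTEXES:
            findings.append(("mutex", m, "Nuwar installation marker"))
    for svc in service_display_names:
        if NUWAR_DRIVER_RE.match(svc):
            findings.append(("service", svc, "driver registered with its file name as display name"))
    return findings


if __name__ == "__main__":
    # Constructed sample host state.
    raw = ["ntoskrnl.exe", "burito.ini", "burito42a7-127d.sys", "kernel32.dll"]
    api = rootkit_filtered_view(raw)
    for finding in triage(api, raw, ["uri40333444", "ZonesCounterMutex"],
                          ["burito42a7-127d.sys", "Beep"]):
        print(*finding)
```

On a live host the API view comes from an ordinary directory listing and the raw view from a tool that parses the volume directly, or from the same directory read while booted from clean media; the same set-difference then exposes the driver and its configuration file even though the hooked enumeration never reports them. The registry hooks (NtEnumerateKey, NtEnumerateValueKey) are detected the same way by comparing a live key enumeration against an offline hive parse.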
Backdoor Functionality
The component that was injected into services.exe attempts to join a malicious peer-to-peer network, where directives can be exchanged between like peers. Once connected to the network, active peers can be instructed to perform several actions including:
Gather e-mail addresses from files with the following file extensions on all fixed drives on the infected computer:
.lst
.dat
.jsp
.dhtm
.mht
.cgi
.uin
.oft
.xls
.sht
.tbb
.adb
.wsh
.pl
.php
.asp
.cfg
.ods
.mmf
.nch
.eml
.mdx
.mbx
.dbx
.xml
.stm
.shtm
.htm
.msg
.txt
.wab
The trojan avoids addresses that contain the following substrings:
postmaster@
root@
local
noreply
@avp.
pgp
spam
cafee
panda
abuse
samples
winrar
google
winzip
@messagelab
free-av
@iana
@foo
sopho
certific
listserv
linux
bsd
unix
ntivi
support
icrosoft
admin
kasp
noone@
nobody@
info@
help@
gold-certs@
feste
contract@
bugs@
anyone@
update
news
f-secur
rating@
@microsoft
Perform Denial of Service (DoS) attacks.
Compose and send e-mail to addresses that may be supplied via the peer-to-peer network. This function can be used to send spam or to distribute additional malicious threats.
Download and execute arbitrary files, including files that self-update.
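Because the backdoor component runs inside services.exe and joins a peer-to-peer network, the page's description gives a defender one robust network-side signal: services.exe, which normally initiates no outbound Internet traffic, is seen connecting to many distinct external hosts. The script below is an added example written for this page, not Microsoft's code; it runs that heuristic over constructed process-to-network log lines in a simple key=value format (not a real Sysmon or firewall format). Which addresses count as internal (RFC 1918, loopback, link-local), the peer-count threshold, and the sample addresses and ports are all assumptions of the example.

```python
import ipaddress
import re

# Constructed log format: "<timestamp> NetworkConnect image=<path> proto=<tcp|udp> dst=<ip>:<port>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+NetworkConnect\s+image=(?P<image>\S+)\s+"
    r"proto=(?P<proto>\w+)\s+dst=(?P<dst>[\d.]+):(?P<port>\d+)$"
)

# Assumed internal ranges: RFC 1918, loopback and link-local. We do not use
# ipaddress.is_private because it also treats the documentation ranges used
# in the sample below as non-global.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

PEER_THRESHOLD = 5  # assumed: distinct external peers before we call it P2P-like

# Constructed sample: five external peers from services.exe, one internal
# SMB connection, one unrelated svchost.exe connection, one malformed line.
SAMPLE_LOG = r"""
2000-01-01T08:00:01Z NetworkConnect image=C:\Windows\System32\services.exe proto=udp dst=203.0.113.10:7871
2000-01-01T08:00:02Z NetworkConnect image=C:\Windows\System32\services.exe proto=udp dst=203.0.113.11:7871
2000-01-01T08:00:02Z NetworkConnect image=C:\Windows\System32\services.exe proto=udp dst=198.51.100.7:11271
2000-01-01T08:00:03Z NetworkConnect image=C:\Windows\System32\services.exe proto=udp dst=198.51.100.9:7871
2000-01-01T08:00:04Z NetworkConnect image=C:\Windows\System32\services.exe proto=udp dst=192.0.2.44:26318
2000-01-01T08:00:04Z NetworkConnect image=C:\Windows\System32\services.exe proto=tcp dst=10.0.0.5:445
2000-01-01T08:00:05Z NetworkConnect image=C:\Windows\System32\svchost.exe proto=tcp dst=203.0.113.10:80
garbage line that does not parse
""".strip().splitlines()


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["port"] = int(ev["port"])
    return ev


def image_basename(path):
    """Last path component, lower-cased, accepting both separator styles."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def analyse(lines, threshold=PEER_THRESHOLD):
    """Collect distinct external (dst, port, proto) peers contacted by
    services.exe and derive alerts from them."""
    peers = set()
    for line in lines:
        ev = parse_line(line)
        if ev and image_basename(ev["image"]) == "services.exe" and is_external(ev["dst"]):
            peers.add((ev["dst"], ev["port"], ev["proto"]))
    alerts = []
    if peers:
        alerts.append("services.exe initiated outbound traffic to external hosts")
    if len(peers) >= threshold:
        alerts.append("many distinct external peers from services.exe: consistent with P2P membership")
    return {"peers": sorted(peers), "alerts": alerts}


if __name__ == "__main__":
    result = analyse(SAMPLE_LOG)
    for peer in result["peers"]:
        print("peer:", peer)
    for alert in result["alerts"]:
        print("ALERT:", alert)
```

The first alert alone is worth acting on: services.exe is the service control manager and has no reason to talk to hosts on the Internet, so even a single external connection from it points at injected code. The threshold-based second alert separates the peer-to-peer pattern from a one-off, and the same peer set, once confirmed, doubles as a block list while the host is rebuilt.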
Analysis by Marian Radu