Threat behavior
Backdoor:Win32/Nuwar.gen!C is Microsoft's detection for a trojan that allows unauthorized access to an infected computer. The trojan receives commands indirectly from a remote attacker through its connection to a malicious peer-to-peer network.
Please note that there are variants of this trojan circulating in the wild, and that while their functionality is identical, they may differ in small details such as the file names used, the events created, and so on. As such, we have listed two variations for each behavior listed below.
When executed, Backdoor:Win32/Nuwar.gen!C performs the following actions.
Drops itself as '%windir%\kavir.exe' and modifies the registry to execute this copy at each Windows start:
Adds value: kavir
With data: "%windir%\kavir.exe"
To subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Creates a configuration file as '<system>\nivavir.config' that contains a list of peers to connect to initially (see Backdoor Functionality section below for further detail).
This file is detected as Backdoor:Win32/Nuwar.B!ini
Adds itself to the list of allowed or authorized applications that the Windows Firewall stores in the registry, using the Windows utility NETSH.EXE, as in this command:
netsh firewall set allowedprogram "%windir%\kavir.exe" enable
Attempts to modify 'Windows Time' configuration settings.
Note: <system> refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.
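The following triage script is an added example and not part of the Microsoft description above. It checks collected host artifacts for the persistence, firewall and file indicators listed in this section: it parses a constructed .reg export covering the Run key and the Windows Firewall AuthorizedApplications list (the "path:*:Enabled:name" value format shown there is assumed), takes a constructed list of file paths found on disk, and expands %windir% and <system> to the default locations named in the note (an assumption for this example).

```python
"""Offline triage for the Backdoor:Win32/Nuwar.gen!C indicators described above.

Added example, not Microsoft's code. Input is text an analyst would collect
from a host (a .reg export and a file listing), constructed inline below.
"""
import re
from typing import Dict, List, Tuple

# Indicators taken from the description: dropped file, Run value and config file.
RUN_VALUE_NAME = "kavir"
DROPPED_FILE = r"%windir%\kavir.exe"
CONFIG_FILE = r"<system>\nivavir.config"
RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
# Registry location the XP-era Windows Firewall uses for "allowedprogram" entries.
FW_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
          r"\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List")

# Assumed default expansion of the location variables (see the note above).
ENV = {"%windir%": r"C:\Windows", "<system>": r"C:\Windows\System32"}


def expand(path: str) -> str:
    """Replace %windir% / <system> with their default locations, lower-cased."""
    for var, val in ENV.items():
        path = path.replace(var, val)
    return path.lower()


def parse_reg_export(text: str) -> Dict[str, Dict[str, str]]:
    """Parse a minimal .reg export: [Key] headers followed by "name"="data" lines.

    .reg files escape a backslash as a double backslash; both name and data are
    unescaped so they can be compared with plain Windows paths.
    """
    keys: Dict[str, Dict[str, str]] = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            m = re.match(r'"([^"]+)"="(.*)"$', line)
            if m:
                name = m.group(1).replace("\\\\", "\\")
                data = m.group(2).replace("\\\\", "\\")
                keys[current][name] = data
    return keys


def triage(reg_text: str, files_present: List[str]) -> List[Tuple[str, str]]:
    """Return (category, detail) findings for every indicator that matches."""
    findings: List[Tuple[str, str]] = []
    keys = parse_reg_export(reg_text)
    dropped = expand(DROPPED_FILE)

    # Persistence: a Run value named "kavir" or pointing at the dropped file.
    for name, data in keys.get(RUN_KEY, {}).items():
        if name.lower() == RUN_VALUE_NAME or dropped in data.lower():
            findings.append(("run_key", f"{name} = {data}"))

    # Firewall exception: the dropped file authorized as an application.
    for name, data in keys.get(FW_KEY, {}).items():
        if dropped in name.lower():
            findings.append(("firewall", data))

    # Files on disk: the dropped copy and the peer-list configuration file.
    present = {p.lower() for p in files_present}
    for path in (DROPPED_FILE, CONFIG_FILE):
        if expand(path) in present:
            findings.append(("file", expand(path)))
    return findings


# Constructed sample artifacts (not taken from a real host).
INFECTED_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\system32\\ctfmon.exe"
"kavir"="C:\\Windows\\kavir.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List]
"C:\\Windows\\kavir.exe"="C:\\Windows\\kavir.exe:*:Enabled:kavir"
"""
INFECTED_FILES = [r"C:\Windows\explorer.exe", r"C:\Windows\kavir.exe",
                  r"C:\Windows\System32\nivavir.config"]

CLEAN_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\Windows\\system32\\ctfmon.exe"
"""
CLEAN_FILES = [r"C:\Windows\explorer.exe"]

if __name__ == "__main__":
    for category, detail in triage(INFECTED_REG, INFECTED_FILES):
        print(f"[{category}] {detail}")
```

Run against a real host, the same logic applies to the output of `reg export` for the two keys and to a recursive directory listing; the clean sample shows that an ordinary Run entry produces no finding.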
Backdoor Functionality
This trojan attempts to join a malicious peer-to-peer network, where directives can be exchanged between like peers. Once connected to the network, active peers can be instructed to perform several actions including:
Gather e-mail addresses from files with the following file extensions on all fixed drives of the infected computer:
.lst
.dat
.jsp
.dhtm
.mht
.cgi
.uin
.oft
.xls
.sht
.tbb
.adb
.wsh
.pl
.php
.asp
.cfg
.ods
.mmf
.nch
.eml
.mdx
.mbx
.dbx
.xml
.stm
.shtm
.htm
.msg
.txt
.wab
The trojan avoids addresses that contain the following substrings:
postmaster@
root@
local
noreply
@avp.
pgp
spam
cafee
panda
abuse
samples
winrar
google
winzip
@messagelab
free-av
@iana
@foo
sopho
certific
listserv
linux
bsd
unix
ntivi
support
icrosoft
admin
kasp
noone@
nobody@
info@
help@
gold-certs@
feste
contract@
bugs@
anyone@
update
news
f-secur
rating@
@microsoft
Perform Denial of Service (DoS) attacks.
Compose and send e-mail to addresses that may be supplied via the peer-to-peer network. This function can be used to send spam or to distribute additional malicious threats.
Analysis by Jireh Sanico
Prevention