Threat behavior
When Worm:Win32/Nuwar.IR is first launched, it attempts to do the following:
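Drops the file "sporder.dll" in the <system folder> directory. Note that "sporder.dll" is also the name of a legitimate Microsoft Winsock provider-ordering library, so the file name alone is not a reliable indicator.
Drops the file "rsvp32_2.dll" in the <system folder> directory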
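Modifies the following registry entries to register itself as a Winsock Layered Service Provider (LSP); an LSP DLL is loaded into processes that use Winsock, so it can observe or alter their network traffic. PackedCatalogItem holds binary data, and the value strings below appear to be a lossy text rendering of it (every other character seems to be missing; for example, "rv3_.l" is consistent with "rsvp32_2.dll"), so they should not be used as exact match strings: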
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000001
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000002
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000003
Set "PackedCatalogItem" = "%ytmot\ytm2rvs.l", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000004
Set "PackedCatalogItem" = "%ytmot\ytm2rvs.l", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000005
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000006
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000007
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000008
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000009
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000010
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000011
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000012
Set "PackedCatalogItem" = "%ytmot\ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000013
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000014
Set "Num_Catalog_Entries" = "14", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000015
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000016
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000017
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000018
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000019
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000020
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000021
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000022
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000023
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000024
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000025
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000026
Set "PackedCatalogItem" = "rv3_.l.ytm2mwokdl0..00", under key HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\WinSock2\Parameters\Protocol_Catalog9\Catalog_Entries\000000000027
Prevention