In an investigation conducted by TMIRT regarding WORM_NUWAR.BQ – the worm responsible for mailing copies of itself with e-mail details pertaining to a nuclear war or claiming that President Bush is dead – we discovered that this malware also serves as a seeding point for turning infected machines into spam zombies.
Aside from its mass-mailing capabilities, this worm also connects to 220.127.116.11 and downloads four files. The downloaded files are components that download further files and updates, gather e-mail addresses, pack the worm into RAR archives, and act as a Trojan proxy, plus an updated copy of the worm itself.
The most interesting of the downloaded files are the component that gathers e-mail addresses and the Trojan proxy.
The component that gathers e-mail addresses not only harvests addresses from the files most likely to contain them (WAB, MSG, etc.), but also sends the gathered addresses to 18.104.22.168! Now we’re talking about malware harvesting valid e-mail addresses!
The Trojan proxy component, on the other hand, acts as an SMTP relay server, and guess what? This component is responsible for turning the infected machine into a spam zombie! With port 25 left open for incoming connections, our test system was suddenly flooded with activity and began sending out pump-and-dump spam, as seen below!
Ever wondered who sends out all that nasty spam? Well, your officemate, cousin, brother, or sister may be doing it for the spammers – for free!
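The relay behaviour described above has a simple network signature: a workstation that accepts inbound TCP/25 from outside the LAN and then fans out its own outbound TCP/25 connections. The following is an added example (not code from the original post or from TrendLabs) that applies that heuristic to constructed flow records; the LAN range, the allow-listed mail server address and the threshold are assumptions to be tuned per site.

```python
"""Flag LAN hosts behaving like the port-25 relay zombie described above.
A real mail server accepts and sends SMTP too, so known MTAs are allow-listed;
everything else that both accepts external SMTP and fans out SMTP is suspect."""
from collections import defaultdict
from ipaddress import ip_address, ip_network

LOCAL_NET = ip_network("192.168.1.0/24")       # assumption: the monitored LAN
KNOWN_MTAS = {ip_address("192.168.1.5")}       # assumption: the site's real mail server
OUTBOUND_THRESHOLD = 5                         # assumption: tune to the site's baseline

# Constructed flow records, format "<epoch> <src_ip>:<src_port> > <dst_ip>:<dst_port>"
SAMPLE_LOG = """\
1000 203.0.113.7:51234 > 192.168.1.20:25
1001 192.168.1.20:49152 > 198.51.100.9:25
1002 192.168.1.20:49153 > 198.51.100.10:25
1003 192.168.1.20:49154 > 198.51.100.11:25
1004 192.168.1.30:50001 > 192.168.1.5:25
1005 203.0.113.8:40210 > 192.168.1.5:25
1006 192.168.1.5:37000 > 198.51.100.20:25
1007 192.168.1.20:49155 > 198.51.100.12:25
1008 192.168.1.20:49156 > 198.51.100.13:25
1009 192.168.1.20:49157 > 198.51.100.14:80
"""


def parse_flow(line):
    """Return (src_ip, dst_ip, dst_port) from one constructed flow record."""
    _ts, src, _arrow, dst = line.split()
    src_ip, _src_port = src.rsplit(":", 1)
    dst_ip, dst_port = dst.rsplit(":", 1)
    return ip_address(src_ip), ip_address(dst_ip), int(dst_port)


def find_spam_zombies(log_text, local_net=LOCAL_NET, known_mtas=KNOWN_MTAS,
                      threshold=OUTBOUND_THRESHOLD):
    """LAN hosts that accepted external SMTP and made >= threshold outbound SMTP connections."""
    accepted_inbound = set()          # LAN hosts that took TCP/25 from outside the LAN
    outbound = defaultdict(int)       # LAN host -> count of outbound TCP/25 connections
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, dst, dport = parse_flow(line)
        if dport != 25:
            continue                  # only SMTP flows matter for this heuristic
        if dst in local_net and src not in local_net:
            accepted_inbound.add(dst)
        elif src in local_net and dst not in local_net:
            outbound[src] += 1       # internal-to-internal SMTP is not counted
    return sorted(str(h) for h in accepted_inbound - known_mtas
                  if outbound[h] >= threshold)
```

Running `find_spam_zombies(SAMPLE_LOG)` on the constructed records reports only 192.168.1.20: it took mail from an outside host and then opened five outbound SMTP sessions, while the allow-listed MTA and the workstation that merely submits mail to it are left alone.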
*TrendLabs is conducting a more thorough investigation for this malware incident. A complete report will be posted online by our threat reporters.