A WORM_NUWAR variant is on CNN or rather CNN is on a new WORM_NUWAR variant. Using the Cable News Network (CNN) for its “click-me” gimmick, WORM_NUWAR.JO has the following message details in its latest spew of spam:
Subject:(any of the following)
- White house news!
- Incredible news!
- URGENT NEWS!
Message body:(any of the following)
- Full news included in attached file
- Open file to get complete news.
- Read more in attached file…
Attachment:(any of the following)
- CNN latest news.exe
- CNN news reader.exe
- WWW-CNN-COM.exe
- cnn agent.exe
- cnn site explorer.exe
- cnn.exe
- news agent.exe
- news reader.exe
- webnews agent.exe
- read me.exe
It may be using a different flavored spam but the meat of it is still same; it drops a Trojan, in this case TROJ_SMALL.DUL, into its infected computers. As with other NUWARs, this dropped Trojan downloads other malware components that reveals the true ingenuity of WORM_NUWAR’s attack. Read this article for an in-depth telling of NUWAR’s routines.