“Old” NUWAR Makes a Debut

There has been a lot of WORM_NUWAR movement this week. The controversial “storm malware”, TROJ_SMALL.EDW of P2P botnet fame, was found to be an accomplice of the NUWAR network: it is dropped by a variant detected by Trend Micro as WORM_NUWAR.CQ.


The weekend is upon us and yet another NUWAR makes it to the Trend Micro noteworthy list. Detected as WORM_NUWAR.EE, its spammed email carries belated New Year cheer and the usual Trojan hitchhiker (TROJ_TIBS.PE). Like the earlier variant, WORM_NUWAR.EE also uses the file name POSTCARD.EXE for its attachment. What is surprising for this new variant is its total lack of originality. WORM_NUWAR’s spammed messages have always used convincing social engineering tactics like the CNN ploy and, of course, the recent Storm email. WORM_NUWAR.EE, however, is just rehashing the “New Year” subject line and an old attachment file name. Based on this, it can be surmised that NUWAR’s code may have been made publicly available and somebody is trying it on for size.


As always, users are highly advised not to open attachments from suspicious email messages. The best protection is still caution and vigilance.