Internet Security Privacy Policy

Friday, November 2, 2007

ZIP then, RAR now. What’s next?

NUWAR is at it again. It has tweaked its technique one more time.

Last week, WORM_NUWAR.AOP was found arriving as a file contained in a password-protected ZIP archive, an attempt to evade file scanning. The password to the archive is in an image used as message body, an attempt to evade anti-spam technology. While NUWAR is known for its distinct social engineering schemes — either by using sensational email messages about war or love, or by using incredibly timely email details — WORM_NUWAR.AOP had an interesting scheme itself. It used email messages posing as a notification from an antivirus company. “Worm Detected!” the email message declared.

Apart from the specific detection for the file within the archive, Trend Micro also detects the malicious password-protected ZIP file as WORM_NUWAR.ZIP.

Now, a new NUWAR variant is making the rounds contained in a password-protected RAR archive. Detected by Trend Micro as WORM_NUWAR.AOS, the worm was spammed using email messages that continue what WORM_NUWAR.AOP started, albeit with a wider scope: the email messages now also declare “Virus Detected!” and “Spyware Detected”, among others. As with WORM_NUWAR.AOP, the message body is an image file. Trend Micro detects the malicious password-protected RAR archive as WORM_NUWAR.RAR. These “Detected” messages were clearly spammed rather than sent by the worm itself, because WORM_NUWAR.AOS has a propagation routine of its own that uses the email messages NUWAR has long been associated with — messages of love: “For You….My Love”, “I Love Thee”. Like several of its predecessors, on execution WORM_NUWAR.AOS drops NUWAR’s partner in crime, TROJ_SMALL.EDW, known for creating a P2P-based connection between all affected computers, forming a link that ultimately assists NUWAR in its own pump-and-dump spam attack.
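The evasion in both waves is the same: the payload sits in an archive the gateway cannot open, and the password sits in an image the spam filter cannot read. A defender's answer is to treat an attachment that cannot be scanned as suspicious rather than clean. The following is an added example written for this post, not code from Trend Micro: it reads the encryption flag from ZIP local file headers and the MHD_PASSWORD / LHD_PASSWORD flags from RAR 4.x block headers, and returns a gateway verdict. The file name invoice.exe and every archive byte it builds are constructed samples, not the real worm; RAR 5 archives are only recognised by signature, not parsed.

```python
"""Flag email attachments that are password-protected ZIP or RAR 4.x
archives, i.e. archives a gateway scanner cannot open.

Added example for this post, not Trend Micro's code.  The file names and
archive bytes built below are constructed samples, not real malware.
"""
import io
import struct
import zipfile

ZIP_LOCAL_SIG = b"PK\x03\x04"          # ZIP local file header signature
RAR4_SIG = b"Rar!\x1a\x07\x00"        # RAR 4.x marker block
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"    # RAR 5 signature (recognised, not parsed)


def zip_has_encrypted_entry(data: bytes) -> bool:
    """True if any local file header sets bit 0 (entry is encrypted) of the
    general purpose flag.  The scan is signature-driven, so it still works
    when sizes are deferred to a trailing data descriptor."""
    pos = data.find(ZIP_LOCAL_SIG)
    while pos >= 0 and pos + 30 <= len(data):
        (flags,) = struct.unpack_from("<H", data, pos + 6)
        if flags & 0x0001:
            return True
        pos = data.find(ZIP_LOCAL_SIG, pos + 4)
    return False


def rar4_is_password_protected(data: bytes) -> bool:
    """Walk RAR 4.x block headers.  True if the main header has MHD_PASSWORD
    (0x0080, encrypted headers) or a file header has LHD_PASSWORD
    (0x0004, encrypted file data)."""
    if not data.startswith(RAR4_SIG):
        return False
    pos = len(RAR4_SIG)
    while pos + 7 <= len(data):
        # block: HEAD_CRC(2) HEAD_TYPE(1) HEAD_FLAGS(2) HEAD_SIZE(2) [ADD_SIZE(4)]
        head_type, head_flags, head_size = struct.unpack_from("<BHH", data, pos + 2)
        if head_size < 7:
            break  # corrupt header; stop rather than loop forever
        if head_type == 0x73 and head_flags & 0x0080:
            return True
        if head_type == 0x74 and head_flags & 0x0004:
            return True
        add_size = 0
        if head_flags & 0x8000 and pos + 11 <= len(data):  # LONG_BLOCK: data follows header
            (add_size,) = struct.unpack_from("<I", data, pos + 7)
        pos += head_size + add_size
    return False


def classify_attachment(data: bytes) -> str:
    """Gateway verdict: an encrypted archive cannot be scanned, so it is
    quarantined instead of being passed through unscanned."""
    if data.startswith(ZIP_LOCAL_SIG):
        return "quarantine: password-protected ZIP" if zip_has_encrypted_entry(data) else "scan: ZIP"
    if data.startswith(RAR4_SIG):
        return "quarantine: password-protected RAR" if rar4_is_password_protected(data) else "scan: RAR"
    if data.startswith(RAR5_SIG):
        return "quarantine: RAR5 not inspectable here"
    return "scan: other"


# --- constructed samples (not real malware) ---------------------------

def build_zip_sample(encrypted: bool) -> bytes:
    """Build a one-entry ZIP; optionally set the 'encrypted' bit in both the
    local header and the central directory entry to mimic a password-protected
    archive (the payload itself is left unencrypted)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.exe", b"constructed stand-in, not a real PE")
    data = bytearray(buf.getvalue())
    if encrypted:
        for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
            pos = data.find(sig)
            (flags,) = struct.unpack_from("<H", data, pos + flag_off)
            struct.pack_into("<H", data, pos + flag_off, flags | 0x0001)
    return bytes(data)


def build_rar4_sample(encrypted: bool) -> bytes:
    """Build a minimal RAR 4.x layout: marker, main header, one file header
    with optional LHD_PASSWORD.  CRCs are zeroed; the parser ignores them."""
    name = b"invoice.exe"
    packed = b"\x00" * 8  # stand-in for packed data
    main_hdr = struct.pack("<HBHH", 0, 0x73, 0x0000, 13) + b"\x00" * 6
    flags = 0x8000 | (0x0004 if encrypted else 0)  # LONG_BLOCK is always set on file headers
    file_hdr = struct.pack(
        "<HBHHIIBIIBBHI",
        0, 0x74, flags, 32 + len(name),   # HEAD_CRC, HEAD_TYPE, HEAD_FLAGS, HEAD_SIZE
        len(packed), len(packed),         # PACK_SIZE (= ADD_SIZE), UNP_SIZE
        0, 0, 0,                          # HOST_OS, FILE_CRC, FTIME
        29, 0x30,                         # UNP_VER, METHOD (0x30 = stored)
        len(name), 0,                     # NAME_SIZE, ATTR
    ) + name
    return RAR4_SIG + main_hdr + file_hdr + packed


if __name__ == "__main__":
    for label, blob in (("zip", build_zip_sample(True)), ("rar", build_rar4_sample(True))):
        print(label, "->", classify_attachment(blob))
```

The same ZIP bit is exposed by the standard library as `zipfile.ZipInfo.flag_bits & 0x1` if you would rather list entries through `zipfile.ZipFile.infolist()`; the manual scan above is used so that a truncated or deliberately malformed archive still yields a verdict instead of an exception. The verdict only says "cannot be scanned", which is exactly the property the worm relies on; it makes no claim about the contents.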

With the release of WORM_NUWAR.AOS, it doesn’t look like NUWAR is letting up any time soon. In just a few months, it has shown an interesting pattern of social engineering tactics. Its authors seem to be always watching out for events to exploit, or, when there is none, they come up with a new tactic altogether.

NUWAR is clearly a social engineering attack. Users are the primary target. Users should therefore be extra vigilant.

Source: Trend Micro blog

1 comment:

Alex said...

In my house there are many computers, and on one of them there was very important information in RAR files, and it was corrupted, and I didn't know what to do, but a couple of hours after that I found on the internet a nice tool, recovery .rar. It helped me and I was glad. The application has free status. It can likewise recover information from corrupted archives of the RAR format. The tool works in the following way: first, it completely scans and analyzes the corrupted archive and extracts all information it can extract from it; after that the final list of files and folders appears on the screen. It supports all currently existing variants of the RAR compression format, files created with archiving software versions 1.x, 2.x, 3.x with different compression rates, restoring information from corrupted password-protected archives of the RAR format, recovering information from archives of the RAR format stored on corrupted media (floppy disks, CDs, DVDs, Zip drives, etc.), and is compatible with Windows 98, Windows Me, Windows NT 4.0, Windows 2000, Windows XP, Windows XP SP2, Windows 2003, Windows Vista.