
Virus Encyclopedia

Welcome to the Virus Encyclopedia of Panda Security.


Nuwar.A

Threat level: High threat
Damage: Severe
Distribution: Not widespread

Effects 

Nuwar.A carries out the following actions:

  • It ends the processes that contain any of the following text strings, if they are active:
    blackice
    firewall
    f-pro
    Hijack
    lockdown
    Mcafee
    msconfig
    nod32
    reged
    Registry Editor
    spybot
    troja
    vsmon
    zonea

    These processes belong to security tools such as antivirus programs and firewalls, among other programs.
  • It drops a file onto the affected computer that is used to update and configure Nuwar.A.

Infection strategy 

Nuwar.A creates the following files, which are copies of itself:

  • WSERVICE.EXE in the Windows system directory.
  • A copy of itself in every directory of the hard drive.


Nuwar.A creates the following entries in the Windows Registry:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    UpdateService = %sysdir%\wservice.exe
    where %sysdir% is the Windows system directory.
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
    UpdateService = %sysdir%\wservice.exe

    By creating these entries, Nuwar.A ensures that it is run whenever Windows is started.


Nuwar.A modifies the Start value under the following Windows Registry key:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    resulting in:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess
    Start = 4

    By setting this value, Nuwar.A disables the SharedAccess service, which provides the Internet Connection Firewall (ICF) and Internet Connection Sharing (ICS) included in Windows XP.
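The two registry changes described above (the UpdateService autorun entries and the SharedAccess Start value) are the indicators a responder would check first. The following Python script is an added example written for this entry, not code from Panda Security: it evaluates a registry snapshot held as a plain dict (key path to value name/data pairs) so it runs on any platform, and it includes a collector that fills the same structure on a Windows host with the standard-library winreg module. The two snapshots at the bottom are constructed sample data; the service start-type table (0 boot, 1 system, 2 automatic, 3 manual, 4 disabled) is the standard Service Control Manager meaning of the Start value.

```python
"""Registry triage for the Nuwar.A persistence and firewall indicators.

Added example, not part of the Panda Security entry. assess_snapshot()
works on an in-memory dict of key path -> {value name: data};
collect_live_snapshot() shows how to fill that dict on Windows with winreg.
"""
import sys

RUN_KEYS = (
    r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices",
)
SHAREDACCESS_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"

# Service Control Manager start types; 4 means the service is never started.
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}


def assess_snapshot(snapshot):
    """Return a list of finding strings for the indicators named in the entry."""
    findings = []
    for key in RUN_KEYS:
        for name, data in snapshot.get(key, {}).items():
            # The entry names the value UpdateService and the file wservice.exe;
            # match either, so a renamed value or a moved file is still reported.
            if name.lower() == "updateservice" or str(data).lower().endswith("wservice.exe"):
                findings.append(f"persistence: {key}\\{name} = {data}")
    start = snapshot.get(SHAREDACCESS_KEY, {}).get("Start")
    if start == 4:
        label = START_TYPES[start]
        findings.append(f"firewall: SharedAccess Start = {start} ({label}); ICF/ICS will not start")
    return findings


def collect_live_snapshot():
    """Read the same keys from the live registry (Windows only; uses winreg)."""
    if sys.platform != "win32":
        raise RuntimeError("live collection needs Windows")
    import winreg  # standard library on Windows
    hives = {"HKEY_CURRENT_USER": winreg.HKEY_CURRENT_USER,
             "HKEY_LOCAL_MACHINE": winreg.HKEY_LOCAL_MACHINE}
    snapshot = {}
    for path in RUN_KEYS + (SHAREDACCESS_KEY,):
        hive_name, subkey = path.split("\\", 1)
        try:
            with winreg.OpenKey(hives[hive_name], subkey) as key:
                values = {}
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:
                        break  # no more values under this key
                    values[name] = data
                    index += 1
                snapshot[path] = values
        except OSError:
            continue  # key absent on this Windows version
    return snapshot


# Constructed snapshot resembling an infected Windows XP host (sample data).
INFECTED = {
    RUN_KEYS[0]: {"UpdateService": r"C:\WINDOWS\system32\wservice.exe"},
    RUN_KEYS[1]: {"UpdateService": r"C:\WINDOWS\system32\wservice.exe"},
    SHAREDACCESS_KEY: {"Start": 4, "Type": 32},
}
# Constructed snapshot of a clean host: an unrelated Run entry, firewall automatic.
CLEAN = {
    RUN_KEYS[0]: {"ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe"},
    SHAREDACCESS_KEY: {"Start": 2, "Type": 32},
}

if __name__ == "__main__":
    for label, snap in (("infected", INFECTED), ("clean", CLEAN)):
        print(label, assess_snapshot(snap) or ["no indicators"])
```

On a live Windows host, `assess_snapshot(collect_live_snapshot())` runs the same checks; a SharedAccess Start value of 4 on a machine that is supposed to run the Windows XP firewall is worth investigating even when the autorun entries are absent, because it survives removal of the worm's files.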

Means of transmission 

Nuwar.A spreads via email. In order to do so, it follows the routine below:

  • It reaches the computer in an email message with the following characteristics:

    Sender: one of the following:
    abierman@cisco.com, admin@rarbrazil.com, agentx@dorothy.bmc.com, arrowcomp@xtra.co.nz, bwijnen@lucent.com, case@snmp.com, coders@lists., daniele@zk3.dec.com, dbh@enterasys.com, dev@ethereal.com, dev@ethereal.com., dhaskin@baynetworks.com, disman@dorothy.bmc.com, dlevi@nortelnetworks.com, dthaler@dthaler.microsoft.com, ellison@world.std.com, estan@net.utcluj.ro, fred@cisco.com, freed@innosoft.com, help@winzip.com, hostmib@andrew.cmu.edu., hreissl@compuserve.com, hsseo@buysoft.co.kr, hubmib@hprnd.rose.hp.com, iana@iana.org, info@avir.sk, info@italsel.com, info@rarsoft.be, info@winrar-rog.com, infoservice@microsoft.at, inftec@colomsat.net.co, jeff@redbacknetworks.com, jimaz@jimaz.cz, johnf@rose.hp.com, kzm@cisco.com, lheintz@cisco.com, licensing@sysinternals.com, line@microsoft.hr, mark@sysinternals.com, mcafeapc@col3.telecom.com.co, mcopray@compuserve.com, meyer@securecomputing.com, mibs@ops.ietf.org, mscarsup@microsoft.com, msccatus@microsoft.com, mssupport@nets.net.pk, mswsgulf@microsoft.com, mundy@tislabs.com, naradamoon@operamail.com, neox@pisem.net, password@server links., pnpwin95@supra.com, presuhn@bmc.com, provision@pro.ro, ramk@cisco.com, rar@ols.es, regsite@skulski.com, rfrye@cosinecom.com, rkinput@microsoft.com, robbykang@jsresource.com, rod@st.net.au, rom@innocent.com, rpresuhn@bmc.com, sales@defsol.se, sales@keszo.com, sales@panda.co.jp, sales@rarreg.com, sales@tfmik.ru, sam@rarsoft.com.tw, sar@epilogue.com, schoenw@ibr.cs.tu, sgudur@hotmail.com, sitesales@winzip.com, sitesales@winzip.com., snmpv3@lists.tislabs.com, sonishi@baynetworks.com, support@atitech.ca, support@rararchiver.com, support@stb.com, support@tamos.com, support@winzip.de., techsupport@matrox.com, techsupport@tridmicr.com, ts@polynet.lviv.ua, users@ethereal.com, ventes@adc-soft.com, vjohnie@debian.org, vmlich@mbox.vol.cz, waldbusser@ins.com, waldbusser@lucent.com, webmaster@acon.com.au, winrar@rog.de.

    Subject: one of the following:
    ATTN
    ATTN TO EVERYBODY!
    Incredible news!
    NEWS
    READ AND RESEND ASAP
    URG
    URGENT NEWS
    White house news!


    Message: one of the following:
    Message 1
    3rd Glogal War Just Started!!! Read more in file!

    Message 2
    GLOBAL NUCLEAR WAR JUST STARTED! News in file.

    Message 3
    Nuclear War in Russia! Read news in file!

    Message 4
    Nuclear WAR in USA! Read attached file!

    Message 5
    President Bush DEAD! Read attached file!

    Message 6
    President Putin dead! Read more in attached file!

    Message 7
    Putin and Bush starts NUCLEAR WAR! Check the file!

    Attachments: one of the following:
    A.EXE
    ABOUT ME.EXE
    LAST.EXE
    LATEST NEWS.EXE
    NEVER.EXE
    OPEN.EXE
    READ ME.EXE
    TRUTH.EXE
    WAR.EXE
  • The computer is affected when the attached file is run.
  • Nuwar.A searches for email addresses on the affected computer.
  • The worm also generates further email addresses by combining the mail domain of each address it has found with the names from the following list: Aldora, Alysia, Amorita, Anita, April, Aretina, Barbra, Becky, Bella, Bettina, Blenda, Briana, Bridget, Caitlin, Camille, Carla, Carmen, Chelsea, Clarissa, Damita, Danielle, Daria, Diana, Donna, Doris, Ebony, Eliza, Emily, Erika, Evelyn, Faith, Gilda, Gloria, Haley, Helga, Holly, Idona, Isabel, Ivana, Ivory, Janet, Jewel, Joanna, Julie, Juliet, Kacey, Kassia, Katrina, Laura, Linda, Lolita, Melody, Nadia, Naomi, Natalie, Nicole, Olivia, Pamela, Peggy, Queen, Rachel, Sharon, Silver, Valda, Valora, Vanessa, Vicky, Violet, Vivian, Wendy, Willa, Xandra, Xenia, Xylia, Zenia, Zilya.
  • Nuwar.A sends itself out to the addresses it has gathered and the addresses it has generated.
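The message characteristics listed above (fixed subjects, fixed body texts and a short list of executable attachment names) are exactly what a mail gateway rule keys on. The following Python script is an added example for this entry, not code from Panda Security: it parses messages with the standard-library email package, reports which of the entry's characteristics each message matches, and turns the matches into a verdict. The verdict thresholds are a design choice of this example, and it generalises slightly beyond the entry by also blocking a lure that carries any .exe attachment, not only the nine names listed. The sample messages are constructed here.

```python
"""Mail-gateway style check for the Nuwar.A lure described in the entry.

Added example, not part of the Panda Security entry. classify() returns the
indicator names a message matches; verdict() maps them to an action.
"""
from email import message_from_string
from email import policy

# Subjects, body texts and attachment names as listed in the entry.
SUBJECTS = {"ATTN", "ATTN TO EVERYBODY!", "Incredible news!", "NEWS",
            "READ AND RESEND ASAP", "URG", "URGENT NEWS", "White house news!"}
BODIES = (
    "3rd Glogal War Just Started!!! Read more in file!",
    "GLOBAL NUCLEAR WAR JUST STARTED! News in file.",
    "Nuclear War in Russia! Read news in file!",
    "Nuclear WAR in USA! Read attached file!",
    "President Bush DEAD! Read attached file!",
    "President Putin dead! Read more in attached file!",
    "Putin and Bush starts NUCLEAR WAR! Check the file!",
)
ATTACHMENTS = {"A.EXE", "ABOUT ME.EXE", "LAST.EXE", "LATEST NEWS.EXE", "NEVER.EXE",
               "OPEN.EXE", "READ ME.EXE", "TRUTH.EXE", "WAR.EXE"}


def classify(raw):
    """Return the set of indicator names matched by one raw RFC 822 message."""
    msg = message_from_string(raw, policy=policy.default)
    hits = set()
    if (msg["Subject"] or "").strip() in SUBJECTS:
        hits.add("subject")
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content() if body_part is not None else ""
    if any(text in body for text in BODIES):
        hits.add("body")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").upper()
        if name in ATTACHMENTS:
            hits.add("attachment")
        elif name.endswith(".EXE"):
            hits.add("executable")  # weaker signal: any other executable attachment
    return hits


def verdict(hits):
    """Block a known attachment name, or any executable that rides with the lure text."""
    if "attachment" in hits or ("executable" in hits and hits & {"subject", "body"}):
        return "block"
    if hits & {"subject", "body"}:
        return "flag"  # lure text without an executable: hold for review
    return "deliver"


# Constructed sample: the lure as described, with a listed attachment name.
LURE = """From: sales@rarreg.com
To: user@example.com
Subject: URGENT NEWS
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Nuclear WAR in USA! Read attached file!
--b1
Content-Type: application/octet-stream; name="WAR.EXE"
Content-Disposition: attachment; filename="WAR.EXE"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""
# Constructed sample: same lure, attachment renamed to something not in the list.
LURE_RENAMED = LURE.replace("WAR.EXE", "PHOTO.EXE")
# Constructed sample: an ordinary plain-text message.
BENIGN = """From: colleague@example.com
To: user@example.com
Subject: Quarterly report
Content-Type: text/plain

Attached are the figures we discussed; see you tomorrow.
"""

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("renamed", LURE_RENAMED), ("benign", BENIGN)):
        hits = classify(raw)
        print(label, sorted(hits), verdict(hits))
```

Matching on the exact strings catches this worm; the separate "executable" signal is what keeps the rule useful once the attachment names change, and the "flag" outcome avoids silently dropping a message that only happens to share a subject line.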

Further Details  

Nuwar.A is 15,947 bytes in size.

Nuwar.A creates a mutex called Kusyyyy, in order to ensure that only one copy of the worm is active at any moment.