In the last hours we have received several mails containing the worm Nurech.Z. In order to avoid being detected, this worm comes in a .zip file attached to the email. In addition, a password is needed to open that .zip, which makes its detection by the email filter even more complicated. Instead of being given in the body of the message, this password is included in a .gif file. However, it is not a very new technique as multiple variants of the Bagle have been using it for a long time.
The subject of the email is varied, but it usually warns of the presence of malware in our PC. Some examples are:
The worm is proactively detected by TruPreventâ„¢ Technologies. This is the image that appears in the .gif file:
The worm drops a couple of rootkits that will try to complicate our lives. The first one searches e-mail addresses in the computer, creates the image .GIF and, in addition, allows spam to be sent. The second hides the worm to make its detection more difficult.