"Happy new year" worm meets vendor resistance

SonicWALL has deployed early protection against a rapidly proliferating variant of the Nuwar worm, which is spreading via emails containing seasonal greetings in the subject line. The rate of infection has picked up rapidly, and the outbreak seems set to become one of the biggest of the year.

Once a computer is infected, it looks for open mail proxies and begins sending email to infect other computers. The mass-mailing worm is already moving quickly across the Internet, installing multiple pieces of code on victims’ computers and then protecting them with a rootkit. Users of SonicWALL’s Unified Threat Management technology, which protects against viruses, Trojans, worms and other threats and vulnerabilities, automatically received updated signatures designed to repel the Nuwar worm.

The worm spreads via email, in most cases with the subject line "Happy New Year!" and an attachment typically named one of the following: "Greeting Card.exe", "Greeting Postcard.exe", "Postcard.exe", "greeting card.exe", "greeting postcard.exe", or "postcard.exe". Upon execution, the worm attempts to disable running Anti-Virus processes and drops a Tibs Trojan on the infected computer system. Subsequently, the worm tries to download additional malicious code from a remote website.

During propagation, the worm uses its own SMTP engine to send a copy of itself to the email addresses found in the address book of the infected PC. In some instances, the worm sends a malformed executable copy (i.e. containing an incorrect executable header) that could be considered harmless and can simply be treated as spam email.
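As an added illustration (not SonicWALL's signature logic and not code from the original article), a mail filter could check inbound messages for the subject line and attachment names listed above and test whether each matching attachment starts with the "MZ" bytes of a DOS/PE executable header. The function names and the sample messages are constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names listed in the article; its six spellings differ only in
# letter case, so they are compared case-insensitively here.
LURE_NAMES = {"greeting card.exe", "greeting postcard.exe", "postcard.exe"}
LURE_SUBJECT = "happy new year!"


def inspect_message(raw_bytes):
    """Return one finding per attachment whose name matches the article's list."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name not in LURE_NAMES:
            continue
        payload = part.get_payload(decode=True) or b""
        findings.append({
            "filename": part.get_filename(),
            "subject_match": subject == LURE_SUBJECT,
            # A DOS/PE executable begins with the bytes "MZ". The article notes
            # that some copies carry an incorrect header; those fail this check.
            "valid_mz_header": payload[:2] == b"MZ",
        })
    return findings


def build_sample(filename, payload, subject="Happy New Year!"):
    """Build a constructed test message (sample data, not a captured email)."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m["Subject"] = subject
    m.set_content("greetings")
    m.add_attachment(payload, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample("Greeting Card.exe", b"MZ\x90\x00" + b"\x00" * 60),
                build_sample("postcard.exe", b"\x00\x00garbled"),
                build_sample("report.pdf", b"%PDF-1.4")):
        print(inspect_message(raw))
```

A match with `valid_mz_header` set to false corresponds to the malformed copies described above; it still indicates an infected sender even though the attachment itself will not run.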

Very early samples of this variation on the Nuwar worm were first discovered in the wild on December 29th, 2006. On December 30th, 2006, SonicWALL issued the following signatures designed to protect against this threat:

Gateway Anti-Virus Signatures

---------------

Nuwar.B (Worm)

Nuwar.C (Worm)

Intrusion Prevention Signatures

---------------

VIRUS Greeting Card.exe attachments 1 (SID: 1051)

VIRUS Greeting Card.exe attachments 2 (SID: 1052)

VIRUS Greeting Card.zip attachments 1 (SID: 1053)

VIRUS Greeting Card.zip attachments 2 (SID: 1054)