A "mass-mailer" worm is currently spreading over the Internet in the form of malicious English New Year cards.
Since yesterday, a mass-mailer worm has been spreading in the form of an English New Year card (named "Luder"/"Nuwar"/"Nuwar.AY"/"Dref-U"/"Mixor.Q" depending on the anti-virus vendor).
Other variants of this worm have been released today. At present, these variants are detected, to varying degrees, by all anti-virus products.
Their spread appears to be significant (for instance, several infected e-mails have been received by Cert-IST in France).
Subjects used by the malicious e-mail:
- Annual Fun Forecast!
- Baby New Year!
- Best Wishes For A Happy New Year!
- Fun 2007!
- Fun Filled New Year!
- Happiness And Continued Success!
- Happiness And Success!
- Happiness In Everything!
- Happy 2007!
- Happy New Year!
- Happy Times And Happy Memories!
- May Your Dreams Come True!
- New Hopes And New Beginnings!
- New Year... Happy Year!
- Promises Of Happy Times!
- Raising A Toast To Happy Times!
- Scale Greater Heights!
- Sparkling Happiness And Good Times!
- Warm New Year Hug!
- Warmest Wishes For New Year!
- Welcome 2007!
- Wish You Smiles And Good Cheer!
- Wishing You Happiness!
- Wishing You Happy New Year!
Filenames used by the malicious attachment:
- postcard.exe
- Postcard.exe
- greeting card.exe
- Greeting Card.exe
- greeting postcard.exe
- Greeting Postcard.exe
Once installed on the system, the worm attempts to connect to a web site (81.177.3.175 for the initial variant) in order to download other malware. The worm also attempts to stop security processes (anti-virus, personal firewall) and to infect executable files.
Recommendations:
- Regularly update your anti-virus solutions.
- Filter e-mails with the characteristics described above (subjects and attachment filenames).
- Update the SNORT signatures:
- Licensed rule (VRT): SID 9425 (http://www.snort.org/vrt/)
- Public rule (SID 721, rev 8; a single rule line, shown here with the escaping restored):
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"VIRUS OUTBOUND bad file attachment"; flow:to_server,established; content:"Content-Disposition|3A|"; nocase; pcre:"/filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\s]/iR"; classtype:suspicious-filename-detect; sid:721; rev:8;)
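As an added example (not part of the Cert-IST advisory and not a Cert-IST tool), the following Python filter implements the recommendation to filter e-mails on the subjects and attachment filenames listed above, and additionally applies the filename pattern from the Snort public rule (sid 721) to each attachment's Content-Disposition header, so that a renamed dropper with another executable extension is also caught. The three sample messages are constructed for the example; the verdict policy (block on any attachment indicator, only flag a listed subject on its own, since "Happy New Year!" is also a legitimate subject) is the example's own choice.

```python
import email
import re
from email import policy

# Subjects listed in the advisory, compared case-insensitively.
MALICIOUS_SUBJECTS = {s.lower() for s in [
    "Annual Fun Forecast!", "Baby New Year!", "Best Wishes For A Happy New Year!",
    "Fun 2007!", "Fun Filled New Year!", "Happiness And Continued Success!",
    "Happiness And Success!", "Happiness In Everything!", "Happy 2007!", "Happy New Year!",
    "Happy Times And Happy Memories!", "May Your Dreams Come True!",
    "New Hopes And New Beginnings!", "New Year... Happy Year!", "Promises Of Happy Times!",
    "Raising A Toast To Happy Times!", "Scale Greater Heights!",
    "Sparkling Happiness And Good Times!", "Warm New Year Hug!", "Warmest Wishes For New Year!",
    "Welcome 2007!", "Wish You Smiles And Good Cheer!", "Wishing You Happiness!",
    "Wishing You Happy New Year!",
]}
# Attachment names listed in the advisory (the worm varies only the case).
MALICIOUS_ATTACHMENTS = {"postcard.exe", "greeting card.exe", "greeting postcard.exe"}

# The PCRE from Snort public rule sid 721, transcribed for Python's re module: a
# "filename=" parameter whose value ends in one of the listed executable/script
# extensions, followed by a quote or whitespace.
BAD_ATTACHMENT_RE = re.compile(
    r"filename\s*=\s*.*?\.(?=[abcdehijlmnoprsvwx])"
    r"(a(d[ep]|s[dfx])|c([ho]m|li|md|pp)|d(iz|ll|ot)|e(m[fl]|xe)|h(lp|sq|ta)|jse?"
    r"|m(d[abew]|s[ip])|p(p[st]|if|[lm]|ot)|r(eg|tf)|s(cr|[hy]s|wf)|v(b[es]?|cf|xd)"
    r"|w(m[dfsz]|p[dmsz]|s[cfh])|xl[tw]|bat|ini|lnk|nws|ocx)[\x27\x22\s]",
    re.IGNORECASE,
)


def classify_message(raw: bytes) -> dict:
    """Return a verdict ("block", "suspicious" or "clean") and the indicators that fired.

    Attachment indicators alone justify blocking; a listed subject alone is only
    flagged, because "Happy New Year!" is also a perfectly legitimate subject.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    reasons = []
    subject_hit = subject.lower() in MALICIOUS_SUBJECTS
    if subject_hit:
        reasons.append(f"subject on advisory list: {subject!r}")
    attachment_hit = False
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        disposition = str(part.get("Content-Disposition", ""))
        if name.lower() in MALICIOUS_ATTACHMENTS:
            attachment_hit = True
            reasons.append(f"attachment name on advisory list: {name!r}")
        elif BAD_ATTACHMENT_RE.search(disposition):
            attachment_hit = True
            reasons.append(f"attachment header matches Snort sid 721 pattern: {name!r}")
    verdict = "block" if attachment_hit else ("suspicious" if subject_hit else "clean")
    return {"verdict": verdict, "subject": subject, "reasons": reasons}


def _sample(subject: str, filename: str, content_type: str) -> bytes:
    """Build a constructed two-part MIME message (not a real capture) for testing."""
    return (
        f"Subject: {subject}\nMIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n\n'
        '--b1\nContent-Type: text/plain; charset="us-ascii"\n\nSee attachment.\n'
        f'--b1\nContent-Type: {content_type}; name="{filename}"\n'
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "Content-Transfer-Encoding: base64\n\nQUFBQQ==\n--b1--\n"
    ).encode()


# Constructed samples: the advisory's lure, a legitimate greeting, and a renamed dropper.
WORM_SAMPLE = _sample("Happy New Year!", "Postcard.exe", "application/octet-stream")
BENIGN_SAMPLE = _sample("Happy New Year!", "card.pdf", "application/pdf")
RENAMED_SAMPLE = _sample("Meeting notes", "update.scr", "application/octet-stream")

if __name__ == "__main__":
    for label, raw in [("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE), ("renamed", RENAMED_SAMPLE)]:
        print(label, classify_message(raw))
```

Run stand-alone, the script prints the verdict for each constructed sample. In a mail gateway the same function would be applied to each message before delivery; the Snort pattern branch is what keeps the filter useful once the worm's authors change the attachment names, while the subject list on its own should only raise a flag, not block.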
Additional documentation: