(TR/Crypt.XPACK.Gen, Parser error, Generic.dx, Trojan.Win32.Patched.ad, TR/Small.DBY.M.1, Backdoor:WinNT/Nuwar.A!sys, Trojan.Patched.Peed.A, Trojan.Peed.BF, Virus:Win32/Nuwar.A, Email-Worm.Win32.Zhelatin.d, Trojan.Peed.KT, W32/Nuwar.worm, TR/Small.DBY.AN.3, Trojan.Win32.Patched.aq, TrojanDropper:Win32/Nuwar.B, Generic5.WJP, Win32.Banwarum.T@mm, Generic4.HPB, TROJ_SPAMTIBS.A, Downloader.Generic4.KGQ, W32/Dropper.gen6, Virus:Win32/Nuwar.B, Downloader.Tibs.5.BL)
Virus description added:
Size: 41 - 55 Kbytes
Affected OS: Win95/98/NT/2k/XP/2k3
Packed by: UPX
It was distributed by spam mailing.
Messages containing this malicious program can have one of the following subjects:
Russian missle shot down Chinese satellite
Russian missle shot down USA satellite
The Supreme Court has been attacked by terrorists. Sen. Mark Dayton dead!
Fidel Castro dead!
The attachment is an executable file. The filename can be one of the following:
When run by an unwary user, the Trojan creates the file wincom32.sys in the system directory. This file is a driver that downloads other malicious programs. The driver is registered as a service in the affected system under the name wincom32. The worm modifies the system registry by adding the corresponding data:
It uses the installed driver to find the service.exe process and inject its code into that process.
It contains P2P networking functionality. For this purpose it creates the file peers.ini, holding the P2P connection settings, in the system directory.
It opens UDP port 4000 on the affected system and sends packets in an attempt to connect to available P2P peers.
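The host-level indicators described above (the dropped driver, the wincom32 service key, the peers.ini settings file and the open UDP port 4000) can be checked with the following PowerShell script. This is an added example and not part of the Dr.Web description; it assumes the file names, service name and port exactly as stated on this page, and the function name is the author's own.

```powershell
# Added example: look for the indicators this description lists on a Windows host.
# Assumes the names and port given on the page; nothing else is known about the sample.
function Test-StormWormIndicators {
    $sysDir   = [Environment]::SystemDirectory
    $findings = @()

    # 1. Driver file dropped in the system directory
    $driver = Join-Path $sysDir 'wincom32.sys'
    if (Test-Path $driver) { $findings += "driver file present: $driver" }

    # 2. Driver registered as a service named wincom32
    $svcKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\wincom32'
    if (Test-Path $svcKey) {
        $img = (Get-ItemProperty -Path $svcKey -ErrorAction SilentlyContinue).ImagePath
        $findings += "service key present: $svcKey (ImagePath: $img)"
    }

    # 3. P2P connection settings file
    $peers = Join-Path $sysDir 'peers.ini'
    if (Test-Path $peers) { $findings += "P2P settings file present: $peers" }

    # 4. UDP port 4000 in use (netstat is used so this also works on older Windows versions)
    $udp = netstat -an -p UDP 2>$null | Select-String ':4000\s'
    foreach ($m in $udp) { $findings += "UDP port 4000 in use: $($m.Line.Trim())" }

    return $findings
}

$result = Test-StormWormIndicators
if ($result.Count -eq 0) {
    'No indicators of this worm found.'
} else {
    'Indicators found:'
    $result | ForEach-Object { " - $_" }
}
```

Run it from an elevated PowerShell prompt, since the service key and system directory may not be readable otherwise; a match on any item is a reason to proceed with the recovery steps below.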
System recovery recommendations
1. Disconnect the computer from the network.
2. Download Dr.Web CureIt! on a known-clean computer that has Internet access.
3. Scan the affected computer. Boot it into Safe Mode (F8 key) beforehand.
4. Delete the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wincom32 key from the system registry using Regedit.