

First posted on 27 March 2020.
Source: Microsoft

Aliases :

Backdoor:Win32/Nuwar.A is also known as Win32/Pecoan, Email-Worm.Win32.Zhelatin.gn, W32/Nuwar@MM, W32/Dref-AP, Storm.Worm.

Explanation :

Backdoor:Win32/Nuwar.A is a backdoor Trojan that allows unauthorized access to an infected computer. The Trojan receives commands indirectly from a remote attacker via its connection to a malicious peer-to-peer network. This Trojan also contains advanced stealth functionality that allows it to hide particular files, registry entries and registry values.

When executed, Backdoor:Win32/Nuwar.A performs the following actions:

- Creates a configuration file wincom32.ini which contains a list of peers to connect to initially (see the 'Backdoor Functionality' section below for further detail).
- Drops a kernel driver wincom32.sys which is then installed, using the file name (minus the extension) as the display name (as in wincom32). This driver is detected as Backdoor:Win32/Nuwar!sys.
- Creates a mutex named 'E8dK894Lm9#sF2i$sOBq2X', which it uses as a marker to prevent re-installation attempts if the driver is already running.
- Injects a malicious payload into "services.exe". As a consequence, any network activity appears to originate from services.exe.
- Attempts to modify 'Windows Time' configuration settings.

Note: refers to a variable location that is determined by the malware by querying the Operating System. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; and for XP and Vista is C:\Windows\System32.

Advanced Stealth Features

The kernel mode driver, wincom32.sys, hides files, registry keys and registry values beginning with the string 'wincom32' by hooking the following functions:

- NtEnumerateKey
- NtEnumerateValueKey
- NtQueryDirectoryFile

Backdoor Functionality

The component that was injected into services.exe attempts to join a P2P network, where directives can be exchanged between like peers. Once connected to the network, active peers can be instructed to download and execute arbitrary files.
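The following triage script is an added example, not part of the Microsoft write-up, that checks a live Windows host for the artifacts named above (mutex, dropped files, driver service key). It assumes an elevated PowerShell session; the cross-view logic relies on the write-up listing only enumeration functions as hooked, so opening an artifact by its exact path uses a native call the driver does not intercept.

```powershell
# Added triage script (not from the original write-up). Run from an elevated PowerShell.
# wincom32.sys hooks NtQueryDirectoryFile, NtEnumerateKey and NtEnumerateValueKey, so
# enumeration (Get-ChildItem) can be blinded on an infected host. Opening an exact path
# (Test-Path) goes through a different native call, so "exists by name but absent from
# the listing" is itself a rootkit indicator. The mutex check bypasses all listed hooks.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Installation-marker mutex (name taken from the write-up); try local and Global namespaces.
$mutexName = 'E8dK894Lm9#sF2i$sOBq2X'
foreach ($name in @($mutexName, "Global\$mutexName")) {
    $m = $null
    try {
        if ([System.Threading.Mutex]::TryOpenExisting($name, [ref]$m)) {
            $findings.Add("Mutex present: $name"); $m.Dispose()
        }
    } catch [System.UnauthorizedAccessException] {
        $findings.Add("Mutex present but not accessible: $name")
    }
}

# 2. Dropped files: compare open-by-name with the (hookable) directory listing.
$sysDir = [Environment]::SystemDirectory
$listed = @(Get-ChildItem -LiteralPath $sysDir -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Name -like 'wincom32*' } | ForEach-Object { $_.Name })
foreach ($f in @('wincom32.ini', 'wincom32.sys')) {
    $byName = Test-Path -LiteralPath (Join-Path $sysDir $f)
    if ($byName -and ($listed -notcontains $f)) {
        $findings.Add("File $f opens by name but is hidden from enumeration (hook suspected)")
    } elseif ($byName) {
        $findings.Add("File present: $(Join-Path $sysDir $f)")
    }
}

# 3. Driver service key: same cross-view between open-by-name and key enumeration.
$svcRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$keyByName = Test-Path -LiteralPath "$svcRoot\wincom32"
$keyListed = @(Get-ChildItem -Path $svcRoot -ErrorAction SilentlyContinue |
               Where-Object { $_.PSChildName -like 'wincom32*' }).Count -gt 0
if ($keyByName -and -not $keyListed) {
    $findings.Add("Service key wincom32 opens by name but is hidden from enumeration (hook suspected)")
} elseif ($keyByName) {
    $findings.Add("Service key present: $svcRoot\wincom32")
}

if ($findings.Count -eq 0) { 'No Nuwar.A artifacts found' } else { $findings }
```

A hit on the mutex alone warrants an offline (boot-media) scan of the system directory and the Services hive, since any on-host listing may be filtered by the driver.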

Last update 27 March 2020