Another week, another scheme from the Nuwar gang. We started receiving reports early this morning that new variants of Nuwar are being advertised through spam. Some of the e-mail subjects include "Please open your ecard." and "This ecard is hillarious!". The e-mail contains, as usual, a very simple text and a link to a host infected by Nuwar that acts as a proxy to serve malware. The malicious page doesn’t include any exploits this time. It simply tries to convince visitors to download and execute a file called "ecard.exe" or postcard.exe.
After execution, the executable writes two files in the C:windowssystem32 folder. One file called diperto.ini, this is the peer-to-peer configuration file. The other file is called dipertoXXXX-XXX.sys where the ‘X’ are random number and letters. This is the system driver that injects code into other processes and has rootkit capabilities to hide this malware. Our antivirus detects the electronic card executable as "probably a variant of Win32/Nuwar.Gen" and the system driver as "Win32/Nuwar.BW worm".
Author Pierre-Marc Bureau, ESET