I’ve gotten numerous calls about this piece of spam today, so I thought I’d blog it:
From: Administrator <sender changes>
To: <client name>
Sent: Sun Jul 08 18:15:22 2007
Subject: Worm Alert!

Dear Customer,
Our robot has detected an abnormal activity from your IP adress on sending e-mails. Probably it is connected with the last epidemic of a worm which does not have official patches at the moment.
We recommend you to install this patch <url omitted> to remove worm files
and stop email sending, otherwise your account will be blocked.

Administrator
According to PC Tools’ ThreatExpert service, the trojan copies itself to the Windows system folder as ‘windev-72b5-203e.sys’ (md5: 8e2410698872f116620cbd7846adfa34) and registers the file as a service in order to load when Windows is started.
Detection names among vendors vary greatly and include the following:
- TR/Small.DBY.DB (AntiVir)
- Win32:Tibs-BAC (Avast)
- Downloader.Tibs.6.K (AVG)
- Trojan.Peed.OQ (BitDefender)
- W32/Tibs.MV@mm (Fortinet)
- Packed.Win32.Tibs.ab (Ikarus, Kaspersky)
- W32/Nuwar@MM (McAfee 5069 07.06.2007)
- Worm:Win32/Nuwar.JT (Microsoft)
- Win32/Nuwar (Nod32)
- Tibs.gen124 (Norman)
- Mal/Dorf-A (Sophos)
- Trojan.Packed.13 (Symantec)
- Possible_Nucrp-3 (Trend)
Recommended Action:
Don’t download it – update your anti-virus signatures.
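A quick host check for the indicators quoted above (the dropped file name, its MD5 and the service registration), added here as an example; it is not part of the original post or of ThreatExpert's report. It assumes Python 3: collect_services_windows reads ImagePath values from HKLM\SYSTEM\CurrentControlSet\Services with the standard winreg module and so runs only on Windows, while demo uses a constructed decoy file and a constructed service table so the logic can be exercised anywhere.

```python
import hashlib
import re
import tempfile
from pathlib import Path

# Indicators quoted in the post: the dropped driver name and its MD5.
DROPPED_FILE = "windev-72b5-203e.sys"
DROPPED_MD5 = "8e2410698872f116620cbd7846adfa34"

def check_dropped_file(system_dir):
    """Return (present, md5_matches) for DROPPED_FILE under system_dir."""
    candidate = Path(system_dir) / DROPPED_FILE
    if not candidate.is_file():
        return (False, False)
    return (True, hashlib.md5(candidate.read_bytes()).hexdigest() == DROPPED_MD5)

def services_referencing(services, name=DROPPED_FILE):
    """Names of services whose ImagePath points at the dropped file."""
    pattern = re.compile(re.escape(name) + r"(?![\w.])", re.IGNORECASE)
    return sorted(s for s, p in services.items() if p and pattern.search(p))

def collect_services_windows():
    """ImagePath of every service key under HKLM (Windows only, uses winreg)."""
    import winreg
    services, root = {}, r"SYSTEM\CurrentControlSet\Services"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, root) as key:
        for i in range(winreg.QueryInfoKey(key)[0]):
            svc = winreg.EnumKey(key, i)
            try:
                with winreg.OpenKey(key, svc) as sub:
                    services[svc] = winreg.QueryValueEx(sub, "ImagePath")[0]
            except OSError:  # service key without an ImagePath value
                pass
    return services

def triage(system_dir, services):
    present, same_hash = check_dropped_file(system_dir)
    hits = services_referencing(services)
    return {"file_present": present, "md5_matches": same_hash,
            "services": hits, "suspicious": present or bool(hits)}

def demo():
    """Constructed scenario: a decoy with the dropped name (not the real
    sample, so its MD5 differs) plus a constructed service table."""
    d = tempfile.mkdtemp()
    Path(d, DROPPED_FILE).write_bytes(b"constructed decoy, not the sample")
    services = {"windev-72b5-203e": r"\??\C:\WINDOWS\system32\windev-72b5-203e.sys",
                "Spooler": r"C:\WINDOWS\system32\spoolsv.exe"}
    return triage(d, services)
```

A file with the dropped name but a different MD5 is still flagged, because the hash identifies only the one sample ThreatExpert analysed and a repacked variant will differ.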