We all know that the Nuwar (aka Storm) gang has been continuously changing its spam email text, download sites, executables, network traffic patterns and so on throughout this year, in an effort to get past security defenses at every layer. I had a chance to briefly look at a 'fresh' Nuwar sample this weekend. It is interesting that they have now also changed the names of the files Nuwar drops. It now drops noskrnl.exe, noskrnl.sys and noskrnl.config instead of Spooldr.exe, Spooldr.sys and Spooldr.ini, respectively. It also tried to propagate actively by copying itself to the floppy drive, which is new.

This is not the first time the names of the dropped files have changed (they were wincom earlier this year), but they had stayed the same for the past few months. Users, especially those who work with system diagnostic tools, should take care to distinguish noskrnl from the legitimate ntoskrnl.exe. Perhaps spooldr had become too well known for the authors' comfort: a web search for spooldr makes clear what it is, which is not yet the case for noskrnl. In any case, we detect these as Tibs-Packed.
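One practical way to act on the naming change above is a quick triage check that flags the dropped-file names mentioned in this post and, separately, any file whose name is a near-miss of the real kernel image, since noskrnl.exe differs from ntoskrnl.exe by a single character. The script below is an added example written for this post, not code from the Nuwar sample or from our detection engine; the directory listing it scans is constructed for the demonstration, and the edit-distance threshold of 2 is an assumption chosen to catch one- or two-character lookalikes without flagging unrelated files.

```python
import os
from typing import Dict, Iterable, List

# File names this post reports Nuwar dropping: the current noskrnl.* set
# and the earlier Spooldr.* set. Comparison is case-insensitive.
NUWAR_DROP_NAMES = {
    "noskrnl.exe", "noskrnl.sys", "noskrnl.config",
    "spooldr.exe", "spooldr.sys", "spooldr.ini",
}

# The legitimate kernel image the post warns not to confuse with noskrnl.
LEGIT_SYSTEM_NAMES = {"ntoskrnl.exe"}

# Assumption: names within this many edits of a legitimate system file,
# but not equal to it, are reported as lookalikes.
LOOKALIKE_MAX_DISTANCE = 2


def levenshtein(a: str, b: str) -> int:
    """Edit distance (insert/delete/substitute) between two strings."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, start=1):
        cur = [i]
        for j, cb in enumerate(b, start=1):
            cost = 0 if ca == cb else 1
            cur.append(min(prev[j] + 1,        # deletion
                           cur[j - 1] + 1,     # insertion
                           prev[j - 1] + cost))  # substitution
        prev = cur
    return prev[-1]


def classify(name: str) -> str:
    """Classify one file name from a system directory listing.

    Known drop names are checked first, so noskrnl.exe is reported as a
    Nuwar artifact rather than merely as a lookalike of ntoskrnl.exe.
    """
    n = name.lower()
    if n in NUWAR_DROP_NAMES:
        return "known-nuwar-drop"
    if n in LEGIT_SYSTEM_NAMES:
        return "legitimate"
    for legit in LEGIT_SYSTEM_NAMES:
        if levenshtein(n, legit) <= LOOKALIKE_MAX_DISTANCE:
            return "lookalike"
    return "unclassified"


def scan(names: Iterable[str]) -> Dict[str, List[str]]:
    """Group a listing's file names by classification, skipping unclassified ones."""
    findings: Dict[str, List[str]] = {}
    for name in names:
        verdict = classify(name)
        if verdict != "unclassified":
            findings.setdefault(verdict, []).append(name)
    return findings


def scan_directory(path: str) -> Dict[str, List[str]]:
    """Run the same check over a real directory, e.g. C:\\Windows\\System32."""
    return scan(os.listdir(path))


# Constructed sample listing for the demonstration (not from a real host):
# the legitimate kernel, the three files this post says Nuwar drops,
# an unrelated binary, and a hypothetical one-character lookalike.
SAMPLE_LISTING = [
    "ntoskrnl.exe",
    "noskrnl.exe",
    "noskrnl.sys",
    "noskrnl.config",
    "explorer.exe",
    "ntoskrn1.exe",
]

if __name__ == "__main__":
    for verdict, files in sorted(scan(SAMPLE_LISTING).items()):
        print(f"{verdict}: {', '.join(files)}")
```

Call scan_directory() on the system directory to run it against a live machine; anything in the known-nuwar-drop or lookalike buckets deserves a closer look, while the legitimate bucket simply confirms the real ntoskrnl.exe was seen.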