Computer Security Research - McAfee Labs Blog

Nuwar circulating a fake topic – Beijing earthquake

Friday June 20, 2008 at 4:15 am CST
Posted by Shinsuke Honjo

Nuwar families are known for using social engineering to trick users to download themselves. As we mentioned in the blog last month, the topic of the earthquake in China has been used by malware authors for social engineering for weeks. This time, the most recent variant of Nuwar circulates a fake topic – Beijing earthquake (Not Sichuan earthquake!).

If users click on the fake video image, the file “beijin.exe” (W32/Nuwar@MM) is downloaded. However, users might be infected with Nuwar even if they don’t click it. This page has the iframe link to a malicious javascript.

Upon accessing the above page, the obfuscated javascript is downloaded and run because of the injected iframe. The JavaScript exploits the realplayer vulnerability CVE-2008-1309 and download another variant of Nuwar.
McAfee VSE blocks the script and detect as “JS/Exploit-Shell.gen”.

At the time of writing, the download file was corrupted.

This entry was posted on Friday, June 20th, 2008 at 04:15 and is filed under Bot and BotNet Research, Data Theft, Exploit Research, General Computer Security, Malware Research, Spam and Phishing. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.

Nuwar circulating a fake topic – Beijing earthquake

Leave a Reply

Archives

Categories