Submission Summary:

• Submission details:
• Submission received: 2 July 2008, 04:58:15
• Processing time: 4 min 35 sec
• Submitted sample:
• File MD5: 0x5A59B772B94E76C36CA8B5EE7C3FB452
• File SHA-1: 0x0192A611B8E80BB6E04A036BB5D567FD8602C112
• Filesize: 119,296 bytes
• Alias:
• W32/Nuwar@MM [McAfee]
• WORM_NUWAR.AAL [Trend Micro]

• Summary of the findings:

What's been found	Severity Level
Threat characteristics of the Storm worm (aka CME-711/Peacomm/Nuwar/Zhelatin/Tibs). This threat is normally received as an email attachment; it may consist of a rootkit, a peer-to-peer client, and a mass-mailing worm component. To bypass firewalls, its code may be injected and run from the legitimate services.exe process.
Capability to send out email message(s) with the built-in SMTP client engine.
Searching for email addresses by enumerating files with the certain extensions. This functionality is used by mass-mailers and spam-bots.
Backdoor functionality: connected remote users are able to perform multiple actions on the compromised system.
Downloads/requests other files from Internet.
Creates a startup registry entry.
Contains characteristics of an identified security risk.

Technical Details:

Possible Security Risk

• Attention! Characteristics of the following security risk was identified in the system:

Security Risk	Description
Email-Worm.Zhelatin	Email-Worm.Zhelatin normally received as an email attachment; may consist of a rootkit, a peer-to-peer client, and a mass-mailing worm component. Its code may be injected and run from the legitimate services.exe process in order to bypass firewalls.

• Attention! The following threat categories were identified:

Threat Category	Description
	A malicious backdoor trojan that runs in the background and allows remote access to the compromised system
	A network-aware worm that attempts to replicate across the existing network(s)

File System Modifications

• The following files were created in the system:

#	Filename(s)	File Size	File Hash	Alias
1	%Windir%\msvecurity.config	49,055 bytes	MD5: 0xC9F044CA56C50DBC55FE34E409B5A101 SHA-1: 0x96C214A124B31C05CFA1852647C0BE00137A32E9	(not available)
2	%Windir%\msvecurity.exe [file and pathname of the sample #1]	119,296 bytes	MD5: 0x5A59B772B94E76C36CA8B5EE7C3FB452 SHA-1: 0x0192A611B8E80BB6E04A036BB5D567FD8602C112	W32/Nuwar@MM [McAfee] WORM_NUWAR.AAL [Trend Micro]

• Note:
• %Windir% is a variable that refers to the Windows installation folder. By default, this is C:\Windows or C:\Winnt.

Memory Modifications

• There were new processes created in the system:

Process Name	Process Filename	Main Module Size
msvecurity.exe	%Windir%\msvecurity.exe	131,072 bytes
[filename of the sample #1]	[file and pathname of the sample #1]	131,072 bytes

Registry Modifications

• The newly created Registry Values are:
• [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\ITStorage\Finders]
• ID = 0x6C5C0AE5
• [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
• msvecurity = "%Windir%\msvecurity.exe"

so that msvecurity.exe runs every time Windows starts

Other details

• The following ports were open in the system:

• The following Internet Connection was established:

Heuristics Analysis

• Heuristically identified details of the peer-to-peer botnet that could be used to download the latest instructions: