Nuwar Worm using SBS 2003 Exchange SMTP - NDR Attack

  • Question

  • 3 weeks ago, a client's SBS2003 w/Exchange SP2 got an NDR attack. When we noticed it, no thanks to Symantec, the ESM queue was over 120,000 messages, eating up 1MB per minute from the C: partition. It got down to only 700MB free space, whew... we stopped it. Enabled filtering so only authenticated users could send messages using the SMTP server. Last Thursday, an attack happened again, spoofed as from: service@paypal.com, leading us to believe it must be a zombie in our network. I had all the in-house and remote employees run online OneCare scans. Got a call from a remote user using Outlook 2003 via POP access and using the server as the outgoing server. OneCare discovered worm:win32/nuwar.f@m, trojan:win32/vxidl.gen!da, trojan:win32/tibs.den!b, and trojan:win32/tibs.dk. I've been reading up on the Nuwar worm; I have yet to find a reference to the "Nuwar.F@m" virus, or Nuwar showing up as service@paypal.com. Plus many of the AV sites tell me that Nuwar sets up its own SMTP server, not that it uses the existing server.

    Is this just a different form of the worm?
    or
    Should I assume there is another zombie in the company?

    Kind Regards,
    Chris


    Tuesday, September 18, 2007 2:43 PM

Answers

  • Here's what I found on the Nuwar.f@m search on the Microsoft Malware Protection Center page - http://www.microsoft.com/security/portal/SearchResults.aspx?query=Nuwar.F@m

     

    You may want to contact Microsoft Security - this number is posted regularly by Milo, one of the security MVPs - (866 727 2338) US/CANADA

     

    Technically, you're off topic for here as this forum is the installed PC version of Windows Live OneCare and I think you had your users perform an online scan using the Safety Scanner. The definitions would be the same, though, for threats detected as both products are based on the definitions from the Microsoft Antimalware team.

    -steve

     

     

    Tuesday, September 18, 2007 5:54 PM
    Moderator

All replies

  • Sorry about posting in the wrong forum. I just followed some links to this forum searching Nuwar from OneCare. Can you suggest any other forum to post in? The MS Malware Protection just says it is a mass-mailer, duh. I just wish to find out if it could be using the SMTP server from Exchange, and if any occurrences have been detected using service@paypal.com.
    Thanks,
    Chris
    Wednesday, September 19, 2007 4:23 AM
  • No need for an apology. :-)

    There is a security topic on the public newsgroups - 

    http://www.microsoft.com/communities/newsgroups/default.mspx

     

    But I think your best bet would be one of the security forums - non-Microsoft - as there are many very knowledgeable people frequenting them. One would be hosted here - 

    http://aumha.net/

     

    And, of course, the phone number above may be worth calling.

    -steve

    Wednesday, September 19, 2007 6:57 PM
    Moderator