Week in review: Alanchum.NX and Cimuz.CM trojans and the Nuwar.D worm
Alanchum.NX is a downloader Trojan that is downloaded onto computers by the Gagar.CG Trojan. Like all downloader malware, it can download files from the Internet, then install and run them on the affected computer. Alanchum.NX can also download its own updates in order to spread new variants. This Trojan steals email addresses stored on infected computers in order to spam them, and also sends them to other compromised computers to do the same. This results in a significant increase in network traffic, with the corresponding waste of resources. Each update is programmed to change the subject of the messages it sends, using subjects such as “Fidel Castro Dead”, “Hugo Chávez dead” or “Sadam Hussein Alive” to tempt users into opening them.
Some Alanchum.NX variants have rootkit features designed to conceal the processes the Trojan executes on the computer, making it more difficult to detect. Panda Software’s TruPrevent™ Technologies, however, detected Alanchum.NX and its variants from the outset.
Cimuz.CM is a Trojan that copies itself onto the system once it reaches the computer, whether by email, through a file downloaded from the Internet or by other means. Cimuz.CM specializes in stealing all the information stored on a system, especially passwords. When it is run, it may display an error message that could warn the user of the malware’s presence.
Both pieces of malicious code are designed to gather users’ confidential data, which can be used to obtain economic benefits. If users have credit card numbers, online banking passwords or other confidential information stored on the system, they could be quickly and easily swindled.
Nuwar.D is a downloader worm designed to download and run different malware variants, including its own updates. Nuwar.D also creates copies of itself on the system. The subject of the email in which this worm arrives is variable, while the attached file is an executable with names such as Flash Postcard.exe or greeting postcard.exe. In order to spread, it generates a series of random IP addresses and tries to connect to them in order to leave a copy of itself on them. It also checks whether users are connected to certain P2P file exchange networks. If they are, Nuwar.D renames itself and appears to the network’s server to be a file ready to download, so a user looking for a file with the same name the worm has given itself will download the worm instead of the correct file.