Description:
Nifty social engineering to get in, a worm partner to propagate, and rootkit technology for stealth all make the TROJ_SMALL.EDW and WORM_NUWAR.CQ combination highly damaging.
Reminiscent of 2005's TROJ_DONBOMB.A, TROJ_SMALL.EDW piggybacks on chaos, this time on the storm "Kyrill" that ravaged central Europe. It is considered the first big threat to open 2007.
Pairing a Trojan with a worm is an already proven technique, as shown by the WORM_BOBAX.P and TROJ_SMALL.AHE partnership in mid-2005; this attack stepped it up a notch by teaming with the already prevalent WORM_NUWAR family (notorious for its catchy war-related email subjects). The results were as devastating as the real-life wars and natural catastrophes these malware use as lures to propagate.
TROJ_SMALL.EDW creates a non-traditional P2P-based botnet, providing a channel through which all compromised machines can communicate. Its partnership with WORM_NUWAR.CQ suggests that this botnet aids NUWAR's spam strike -- NUWAR is known to create a zombie network that sends "pump-and-dump" spam.
For a comprehensive article that examines the routines and ultimate goals of the TROJ_SMALL.EDW-WORM_NUWAR.CQ tandem in depth, see: TROJ_SMALL.EDW Storms into Inboxes, Teams Up with NUWAR to Create Unique Network.
In an interesting twist, the latest analysis has found that the botnet created by TROJ_SMALL.EDW has distributed denial of service (DDoS) functionality that targets specific IP addresses known to be used by variants of another spam-sending malware family, STRATION, which is known to send pharmaceutical spam. This is clearly a competition for resources.