At midnight GMT time, we started receiving reports of a new wave of Nuwar e-mails.  The e-mails contain the following text trying to convince a user into visiting a malicious website:

This Christmas, we want to show you something you will really enjoy.

This might not be fun for the whole family, but I bet you'll like it come one take 2 min and check it out.

http://<malicious website address/

The advertised website uses software exploits to infect visitors.  It also offers visitors a strip show application where “Each one does her best to make you really feel the Holiday Spirit!”

This new variant of Nuwar will copy itself to the Windows directory under the name disnisa.exe and create a registry key to launch the executable every time the system boots.  This threat is still using a peer-to-peer network protocol to establish communication between infected computers and their controller.

Pierre-Marc Bureau
Researcher