First version of this worm is known from december 2008. Nowadays it has 300+ several variants. More information could be found in Virus Lab Blog.
Propagation method of new Nuwar variant is still similar to its precedessors. Spammed mails with link in IP format directs users to the worm web pages where the users are prompted to download one of the worm files with the name funny.exe. Names of other downloadable files are kickme.exe and foolsday.exe. AVG detects this threat as I-Worm/Nuwar.R.
New Nuwar variant spreading method is similar to Nuwar.L last month propagation. Spammed emails are brief containing link in IP format to currently working pages with worm. Compromised page code is changed and and as a result user is prompted to download file with worm. Downloaded filename is valentine.exe it’s about 110 - 130kB long and it’s detected by AVG as I-Worm/Nuwar.N
We have a new wave of spammed mail messages containing link directing users to website where the worm could be downloaded. Emails contains short text and IP address of currently working pages with worm. In this case downloaded filename is withlove.exe and it’s about 115kB in size. Websites and worm files changes every few minutes. AVG detects withlove.exe as I-Worm/Nuwar.L.
In last few days we`ve registered a larger amount of PE files infected by this virus. Win32/Mabezat is polymorphic file infector which infects PE files. More information could be found in our Virus Encyclopedia.