Aliases: W32/Dref-V, WORM_NUWAR.BH, WORM_NUWAR.EE, Win32/Luder.U
Variants: Win32/Luder.O, W32/Dref-AA, W32/Tibs, [email protected]

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Fast
Geographical info: North America, South America, Asia, Europe, Australia
Removal: Hard
Platform: W32
Discovered: 29 Dec 2006
Damage: Medium

Characteristics: This malware is mass mailing worm that can drop security threats to the already infected computer system. It likewise attempts to drop the Trojan.Peacomm or the Trojan.Galapoper.A malware. The W32.Mixor worm is also capable of terminating processes that it detects as security related.

More details about W32.Mixor

Upon execution in the host machine, the W32.Mixor worm will copy itself as four .exe and one .dll file. It will then drop a Trojan in the system and create an XML and CSV file. Next, the worm will create several registry entries that will allow it to start with Windows. It will likewise modify a registry entry to deactivate the Shared Access service and end security associated processes if one of the words in its predetermined list is found in the window’s title. This worm retrieves an encrypted configuration file from a remote server. This configuration file will be used for downloading additional threats and running an array of components from predefined remote locations. The worm the proceeds to obtain email addresses from address book of Windows by scanning a particular file linked to a particular registry subkey.

This malware can also collect email addresses on fixed drives from files with the extensions .TXT, .HTM, HTA and several others. However, it will avoid sending email messages to domains with the strings .gov or .mil. While collecting email addresses, the worm will disregard addresses that have security associated strings, such as those with the name of an antivirus product or Windows security application. The gathered email addresses will be sent by the worm to a remote location. The W32.Mixor worm will also be commanded to send infected emails by using its very own SMTP engine. The address of the infected email will be spoofed and the message body will be left blank. The infected attachment that contains the worm’s code will have a filename related to greeting cards and with the .exe extension.