Status: Real virus.
Example: [Collected via e-mail, July 2007]
Subject: Worm Alert!
Our robot has detected an abnormal activity from your IP adress on sending
We recommend you to install this patch to remove worm files and stop email sending, otherwise your account will be blocked.
Customer Support Center
Origins: There is perhaps no virus lure more perfidious than one that proclaims to offer users protection from viruses while secretly infecting their PCs. That’s the camouflage used by the ‘Robot’ virus which began hitting inboxes in July 2007 — it looks like a helpful message from a system administrator informing the recipient that his PC is likely infected with a worm (detected by a robot’s spotting “abnormal activity from your IP adress” [sic]) and offering a patch the user can install to fix the problem. However, the patch itself is a trojan which installs itself in the Windows system folder as the file
The payload is a variation of malware that has been given a variety of different names by different security vendors, including the following:
- Trojan.Packed.13 (Symantec)
- W32/Nuwar@MM (McAfee)
- Worm:Win32/Nuwar.JT (Microsoft)
- Mal/Dorf-A (Sophos)
Last updated: 11 July 2007