Nurech.A and Nuwar.D both spread in the same way. These malicious codes exploit the theme of Valentine’s Day by concealing themselves in emails with a range of romantic subjects. One subject used by the Nurech.A worm is "Together You and I" and another by Nuwar.D is "5 reasons I love you". The attached file contains a worm in the form of an executable file with names like flash postcard.exe or greeting postcard.exe.

Nurech.A is designed to end the processes of some security solutions and search for addresses on the infected computer in order to continue spreading. This worm uses rootkit functions to disguise its processes and to go unnoticed by security tools. Its quick propagation, infecting hundreds of computers, has led PandaLabs to declare an orange virus alert.

Although Nuwar.D was detected a few weeks ago, we mention it this week as it is still active and given the subjects it uses, users are advised to be on their guard with Valentine’s Day approaching. Nuwar.D is a downloader worm designed to download different types of malware from the Web, even an update of itself, and run them on the affected computer.

Nuwar.D also spreads by P2P. It checks if users’ ports normally used to connect to P2P file-sharing websites are open. If they are, Nuwar.D renames itself as a file ready to download and when users searching for a file with the same name download it, they will download this worm.

Hati.A is a malicious code designed to annoy the users it infects. This worm is run each time Windows is started and it disables various functions such as "Folder options" in the tool bar or the menus that are displayed when right-clicking on certain programs. This worm copies itself in the system and tries to conceal its presence turning its icon invisible and camouflaging itself as a legitimate Windows-file. It is recognizable, however, as a message is displayed when it is run. In order to spread, this worm copies itself in different mapped drives, where it remains waiting for someone to open it in order to be run.

"These types of worms are part of the new malware dynamic, aimed at financial gain. On many occasions these malicious codes are simply a trial to check what functions a malware must include in order to spread quicker. When they get to know those characteristics, worm-creators can modify them and add more dangerous functionalities probably aimed at stealing users’ money" explains Luis Corrons, Technical Director of PandaLabs.

The WindowsDisabler.A Trojan is a malicious code designed to cause errors in different versions of Windows operating systems. It disables Windows Explorer functions like "Run" or "Search"; it denies the execution of certain task manager commands and prevents the use of Microsoft’s control console, among others. This Trojan creates copies of itself in the system and is run every time users start Windows. It reaches computers by email or in a file downloaded from the Internet.

All users that want to know whether their computers have been attacked by these or other malicious code can use ActiveScan, the free solution available at: http://www.pandasoftware.com/activescan. It will carry out a complete inspection of the computer should there be any hints of infection.