Worm_Nuwar.EN propagates via email. On spammed email messages purporting to be ecards sent by contacts known to a target user, it includes a link where a copy of itself can be downloaded.

The message body of these spammed email are in GIF format. This qualifies these messages as image spam, a type of spam known for its ability to effectively escape email content filters.

Possibly in connection with its email propagation routine, it synchronizes the time of an affected system with a Network Time Protocol (NTP) server.


Moreover, it employs rootkit techniques to hide its files and processes. This routine enables it to avoid detection and easy removal from an affected system.

Technical details can be found at this Trend Micro page.