Worm_Nuwar.JQ arrives as attachment to email messages spammed by another malware or by a malicious user.

It drops a copy of itself. It also drops a non-malicious file.


The worm creates a registry entry to enable its automatic execution at every system startup. It also modifies registry entries as part of its installation routine.

It drops a component file detected by Trend Micro as RTKT_NUWAR.AA.

It propagates by sending email messages with links that redirect browsers to Web sites that contain a downloadable copy of itself.

More information can be found at this Symantec page.