According to Ken Dunham of iDefense, this new variant worm includes anti-security measures to hinder analysis, and sends out copies of itself inside of a password protected ZIP file to evade anti-virus detection. Unfortunately, to further evade detection the e-mails sent are randomized with different filenames, different passwords, and different binaries within the ZIP file.
According to one source, the subject lines include:
"Worm Activity Detected!"
"Virus Activity Detected!"
According to SANS Internet Storm Center, the zip files appear to be named:
"patch-(random 4 or 5 digit number).zip"
"bugfix-(random 4 or 5 digit number).zip"
"hotfix-(random 4 or 5 digit number).zip"
"removal-(random 4 or 5 digit number).zip"
Once executed the new variant worm installs a rootkit on the infected system and communicates over a private peer-to-peer (P2P) network to update itself. This latest variation may be laying the groundwork for even more attacks in the near future, launching future releases from those machines already infected.
Trend Micro: Nuwar.AOO
Mitre.org Common Malware Enumeration: CME-711