One to watch - Nyxem.E

Started by Eric the Red, January 22, 2006, 10:54:30 PM


Eric the Red

Just a heads up at this stage, if you have updated your AV and scanned your drives it should not be a problem for you but this little worm is quite nasty in that, on February 3rd (and the third day of each subsequent month) it will attempt to delete files on infected computers, as reported by F-Secure:

Quote:
The worm's destructive payload activates on every third day of the month by replacing the content of user's files with a text string "DATA Error [47 0F 94 93 F4 K5]". Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.


Keep an eye on this....
"The time to start running is around about the "e" in "Hey, you!" "

GR@PH;<'S

Eric the Red,
Thanks for the warning


GR@PH;<'S   :breakkie:
press Enter then have a Brandy then if the problem is still there have another Brandy
Q: does it work
A: It does seem to for a few hours at least.

Eric the Red

There is an excellent analysis of this worm at Fortinet
and Fortinet make the comment:

Quote:
The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered "safe" and digitally signed -

Personally, I haven't seen this sort of behavior before and if this a sign of things to come ... We live in interesting times  :(
"The time to start running is around about the "e" in "Hey, you!" "

Eric the Red

It would appear that our good friends at the Internet Storm Center are acting as the brokers of information about this threat which is going under the generic name of "Blackworm". The ISC are maintaining an updated webpage here.

The Common Malware Enumeration team have pulled together the different names given to this worm by the various antivirus vendors:

Authentium: W32/Kapser.A@mm
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A

As this worm will attempt to disable AV some of the antivirus vendors have developed removal tools to counter this threat. Check your vendor's website first if you suspect you have this infection.
"The time to start running is around about the "e" in "Hey, you!" "

Eric the Red

Update: Already reports of damage are being seen on computers where the internal clock is not accurate, see this F-Secure page.
Quote:
When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, ie. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you're taking daily automatic backups you might end up backing up the corrupted files over good files.

F-Secure have posted a removal tool.
"The time to start running is around about the "e" in "Hey, you!" "
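Added example (not part of any post in this thread): a scanner that walks a directory tree and flags files of the targeted types whose contents begin with the "DATA Error [47 0F 94 93 F4 K5]" string quoted from F-Secure above, so damaged files can be identified before a backup run copies them over good ones. It assumes (not stated in the thread) that an overwritten file starts with that marker, and the sample tree it builds is constructed for the demo.

```python
import os
from pathlib import Path

# Marker string F-Secure reported Nyxem.E writes over the contents of targeted files.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# File types listed in the thread as targets of the payload.
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_overwritten(path, marker=MARKER):
    """Return True if the file's leading bytes equal the marker.

    Assumption (not from the thread): an overwritten file starts with the
    marker, so reading len(marker) bytes is enough to classify it.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(marker))
    except OSError:
        return False
    return head == marker


def find_overwritten_files(root, extensions=TARGET_EXTENSIONS):
    """Walk root and return sorted paths of targeted-type files that look overwritten."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            if Path(name).suffix.lower() in extensions:
                full = os.path.join(dirpath, name)
                if is_overwritten(full):
                    hits.append(full)
    return sorted(hits)


def demo():
    """Build a constructed sample tree in a temp dir, scan it, return relative hits."""
    import tempfile
    base = tempfile.mkdtemp(prefix="nyxem_scan_")
    os.makedirs(os.path.join(base, "sub"))
    # Constructed samples: two damaged targets, one intact target, one untargeted type.
    with open(os.path.join(base, "report.doc"), "wb") as fh:
        fh.write(MARKER * 4)
    with open(os.path.join(base, "sub", "archive.zip"), "wb") as fh:
        fh.write(MARKER)
    with open(os.path.join(base, "budget.xls"), "wb") as fh:
        fh.write(b"\xd0\xcf\x11\xe0 intact spreadsheet bytes")
    with open(os.path.join(base, "notes.txt"), "wb") as fh:
        fh.write(MARKER)  # .txt is not in the reported target list, so it is skipped
    return [os.path.relpath(p, base) for p in find_overwritten_files(base)]


if __name__ == "__main__":
    for rel in demo():
        print("overwritten:", rel)
```

Point it at a drive root (including any mounted USB or network drives) before the backup job rotates, and restore the flagged files from a copy made before the 3rd rather than backing them up again.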