The Indian Computer Emergency Response Team (CERT-In), working under the Department of Information Technology (DIT), has warned of a highly destructive computer worm that is activated on every third day of the English calendar month. The worm, called Nyxem, is a memory-resident mass-mailing worm; it and its variants are spreading in the wild and attack Microsoft Windows systems. The worm propagates by sending itself as an e-mail attachment to target users. It also spreads through network shares. Upon activation it replaces the content of the user's files and reduces the size of all user data files to 1KB. The worm has aliases such as W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife.d@MM, Win32/Blackmal.F, WORM_GREW.A [Trend Micro], Win32/Blackmal.F [Computer Associates] and Nyxem.e (F-Secure).
How the worm works
When a user clicks on the attachment it gets executed and performs the following actions:
· Drops and opens a .ZIP archive with the same name in the Windows system folder to hide its functionality.
· Copies itself to the system folder with the filenames: scanregw.exe, Winzip.exe, Update.exe, movies.exe, Zipped Files.exe
· Also copies itself to the Windows folder with the filenames: Rundll16.exe, WinZip_Tmp.exe
· Creates a registry entry to enable its automatic execution at every system startup
· Hides files with both the System and Read-only attributes
· Deletes files related to anti-virus applications
· Attempts to spread to network shares with weak passwords
Nature of subject and content of e-mail/attachments
The e-mails sent by the worm use obscene subject lines, message content and attachments, as detailed below.
Subject: mostly obscene language/titles
Message body: (any of the following)
• forwarded message
• forwarded message attached.
• hello,
• Helloi attached the details.
• how are you?
• i just any one see my photos.
• i send the details.
• i send the file.
• It's Free :)
• Note: forwarded message attached. You Must View This Videoclip!
• Please see the file.
• Thank you
• The Best Videoclip Ever
• the file i send the details
• VIDEOS! FREE! (US$ 0,00)
• What?
Attachment: (any of the following)
• 007.pif
• 3.92315089702606E02.UUE
• 392315089702606E-02,.scR
• 392315089702606E-02,UUE{spaces}.scR
• 677.pif
• ATT01.zip.sCR
• Attachments00.HQX
• Attachments001.BHX
• Attachments[001],B64.sCr
• Attachments[001].B64
• Clipe,zip.sCr
• document.pif
• DSC-00465.pIf
• eBook.PIF
• eBook.Uu
• image04.pif
• New Video,zip
• New_Document_file.pif
• Original Message.B64
• photo.pif
• Photos,zip.Scr
• School.pif
• Video_part.mim
• WinZip,zip.scR
• WinZip.BHX
• WinZip.zip.sCR
• Word XP.zip.sCR
• Word.zip.sCR
• Word_Document.hqx
• Word_Document.uu
Do's
· Scan the system for infection by the worm by running the removal tools referred to on the CERT-In website (Virus Alert)
· Install and maintain updated anti-virus software
· Block e-mails with the subjects and attachments mentioned above at the e-mail gateway level
· Block executable and unknown file types at the e-mail gateway
· Send and receive e-mails in plain text
· Back up all important data files
· Apply appropriate security updates at the OS and application level
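The gateway rule in the Do's list can be turned into a name filter built from the disguises visible in the advisory's own attachment list: mixed-case extensions, a comma in place of the extension dot ("Photos,zip.Scr"), whitespace padding before the real extension ("...{spaces}.scR") and a harmless-looking extension placed in front of an executable one ("Word.zip.sCR"). The following is an added example, not code from CERT-In; the extension sets and function names are this example's own choices.

```python
import re

# Extensions the advisory's attachment names resolve to once disguises are
# undone. Executable types are blocked outright; the encoded container types
# (UUE/UU, B64, HQX/BHX, MIM) are treated as "unknown file types".
EXECUTABLE_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd", "vbs"}
ENCODED_EXTS = {"uue", "uu", "b64", "hqx", "bhx", "mim"}
# Benign-looking extensions used as the first half of a double extension.
DECOY_EXTS = {"zip", "doc", "txt", "jpg", "gif", "pdf"}

# A comma directly followed by a dot or by a short token, e.g. ",zip" or ",.scR".
COMMA_EXT = re.compile(r",(?:\.|[A-Za-z0-9]{1,4}(?![A-Za-z0-9]))")
# Run of whitespace immediately before the final extension, e.g. "UUE    .scR".
PADDED_EXT = re.compile(r"\s+\.[A-Za-z0-9]{1,4}$")


def block_reasons(filename: str) -> list:
    """Return the reasons a gateway would block this attachment name.
    An empty list means the name alone gives no reason to block."""
    reasons = []
    raw = filename.rstrip("\r\n")
    if PADDED_EXT.search(raw):
        reasons.append("whitespace padding before extension")
    if COMMA_EXT.search(raw):
        reasons.append("comma used as extension separator")
    # Normalise for the extension checks: commas become dots, padding before
    # a dot is dropped, and case is folded so ".sCR" and ".scr" match alike.
    norm = re.sub(r"\s+\.", ".", raw.replace(",", ".")).strip().lower()
    parts = norm.split(".")
    ext = parts[-1] if len(parts) > 1 else ""
    if not ext:
        reasons.append("no recognised extension")
    elif ext in EXECUTABLE_EXTS:
        reasons.append("executable type ." + ext)
        if len(parts) > 2 and parts[-2] in DECOY_EXTS:
            reasons.append("double extension ." + parts[-2] + "." + ext)
    elif ext in ENCODED_EXTS:
        reasons.append("encoded/unknown type ." + ext)
    return reasons


def is_blocked(filename: str) -> bool:
    return bool(block_reasons(filename))


if __name__ == "__main__":
    for name in ("Word.zip.sCR", "New Video,zip", "report.pdf"):
        print(name, "->", block_reasons(name) or "allowed")
```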
Don'ts
· Do not open suspicious e-mails
· Do not open mail that has a strange subject or attachment
· Exercise caution while opening e-mail attachments
· Do not visit untrusted websites
· Do not download and install software of unknown origin
For further information refer to the CERT-In Virus Alert: http://www.cert-in.org.in/virus/nyxem_e-worm.htm
Contact the CERT-In Incident Response Help Desk for any queries and help:
Email: incident@cert-in.org.in
Tel.: 1800 11 4949 (toll free)
Fax: 1800 11 6969 (toll free)
RM/AMA – 020306 Virus
(Release ID :16084)