Spyware Warrior Help with Spyware, Hijacking & Other Internet Nuisances
quietman7 Warrior Addict

Joined: 20 Dec 2004 Last Visit: 28 Mar 2012 Posts: 768 Location: Virginia, USA
Posted: Wed Jan 18, 2006 4:54 am Post subject: New Email-Worm.Win32.VB.bi spreading
Email-Worm.Win32.VB.bi
It is already 3rd on the list. See F-Secure virus statistics
_________________
Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

quietman7 Warrior Addict

Joined: 20 Dec 2004 Last Visit: 28 Mar 2012 Posts: 768 Location: Virginia, USA
Posted: Sat Jan 21, 2006 5:15 am
Quote:
Friday, January 20, 2006
A new email worm Nyxem.E is picking up. We are seeing more reports of it. FSAV detects it with update version 2006-01-20_01 published early this morning.
We upgraded Nyxem.E to Radar level 2 due to the increased number of reports.
The worm's destructive payload activates on every third day of the month by replacing the content of user's files with a text string "DATA Error [47 0F 94 93 F4 K5]". Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.
The worm also has an interesting feature: it increases a counter on a website every time a new machine gets infected. When we first saw the counter (earlier today) it was below 300,000. Now it's already over 417,000 and growing. The counter didn't necessarily start from zero.
f-secure.com/weblog
Nyxem.E Info page

quietman7 Warrior Addict

Joined: 20 Dec 2004 Last Visit: 28 Mar 2012 Posts: 768 Location: Virginia, USA
Posted: Mon Jan 23, 2006 6:54 am
Quote:
The web counter used by the Nyxem worm now shows over 510,000 infections and keeps rising... If the worm keeps this pace, Friday the 3rd of February might be nasty - that's when the destructive payload is programmed to strike for the first time.
f-secure.com/weblog/archives

quietman7 Warrior Addict

Joined: 20 Dec 2004 Last Visit: 28 Mar 2012 Posts: 768 Location: Virginia, USA
Posted: Wed Feb 01, 2006 5:55 am
First reports of Nyxem damage
Quote:
The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time - even though the official activation time is the 3rd of the month. We've already received first reports from users who've had files on their system overwritten by the worm.
When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, i.e. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you're taking daily automatic backups you might end up backing up the corrupted files over good files.
We have a free tool available to help disinfect machines before the deadline passes.
Kama Sutra email worm advice
Symantec W32.Blackmal@mm Removal Tool

jason1e2 Junior Member
Joined: 12 Sep 2005 Last Visit: 17 Jun 2008 Posts: 43
Posted: Fri Feb 03, 2006 6:49 am
About BlackWorm
Over the last week, "Blackworm" infected about 300,000 systems based on analysis of logs from the counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.
At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.
The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').
The first thing you should do is to update your anti virus signatures.
As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names.
How would I get infected?
The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.
What will BlackWorm do to my system?
It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.
Note: Do not open any e-mail that contains sexual attachments or words to prevent getting the virus.
source:
http://isc.sans.org/diary.php?storyid=1067