   VIRUS ALERTS

Nyxem_e/Blackmal/GREW/MyWife/Kamasutra Worm

Original issue date: January 23, 2006
Updated on: February 01, 2006

A memory-resident mass-mailing worm known as Nyxem, together with its variants, has been observed spreading in the wild and attacking Microsoft Windows systems. The worm propagates by sending copies of itself, using its own SMTP engine, to email addresses harvested from the infected machine. The attachment is either the worm executable itself or a MIME-encoded container holding the executable. The worm also spreads through network shares.

The worm is known under aliases such as W32.Blackmal.E@mm (Symantec), W32/Kapser.A@mm, W32/MyWife.d@MM (McAfee), WORM_GREW.A (Trend Micro), Win32/Blackmal.F (Computer Associates) and Nyxem.e (F-Secure).

The worm's destructive payload activates on the third day of every month and replaces the contents of the user's files with the text string "DATA Error [47 0F 94 93 F4 K5]". The targeted file types are DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.
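Added example, not part of this alert and not a CERT-In tool: a stand-alone Python script that walks a directory tree and reports files of the targeted types whose contents begin with the marker string above, so that a machine hit by the payload can be triaged and the affected files restored from backup. The marker and the extension list are the ones stated in the alert; the sample files the script creates under a temporary directory are constructed for the demonstration only.

```python
# Added example for this alert (not CERT-In's own tool): find documents that the
# Nyxem.E payload has overwritten. The marker string and the list of targeted
# extensions are taken from the alert; the sample directory is constructed here.
import os
import tempfile

MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_destroyed(path):
    """True if the file begins with the payload's marker string.

    The payload replaces the file content with the marker, so reading only the
    first len(MARKER) bytes is enough and keeps the scan cheap on big archives.
    """
    try:
        with open(path, "rb") as fh:
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False


def scan_tree(root):
    """Walk root and return (destroyed, intact) sorted path lists for files
    whose extension is one the payload targets. Extension matching is
    case-insensitive because Windows file names are case-insensitive."""
    destroyed, intact = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            (destroyed if is_destroyed(path) else intact).append(path)
    return sorted(destroyed), sorted(intact)


def build_demo_tree():
    """Constructed sample tree: two overwritten documents, one intact PDF and a
    .txt that happens to contain the marker (must not be reported, since the
    payload does not target .txt). Returns the temporary root directory."""
    root = tempfile.mkdtemp(prefix="nyxem_demo_")
    os.makedirs(os.path.join(root, "reports"))
    samples = {
        "budget.xls": MARKER,
        os.path.join("reports", "q4.DOC"): MARKER,
        "manual.pdf": b"%PDF-1.4\n% constructed sample, not real content\n",
        "notes.txt": MARKER,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = build_demo_tree()
    destroyed, intact = scan_tree(demo_root)
    print(f"{len(destroyed)} overwritten file(s) under {demo_root}")
    for path in destroyed:
        print("  restore from backup:", os.path.relpath(path, demo_root))
    print(f"{len(intact)} targeted-type file(s) still intact")
```

Run it against a real data share by replacing the demo root with the share's mount point; a file that is reported here has lost its original content entirely and can only be recovered from backup.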

Upon execution, the worm attempts to:

  • Drop a .ZIP archive bearing the same name as the worm file into the Windows system folder and open it, as a decoy that disguises what is actually running.
  • Copy itself to %System% under the file names scanregw.exe, Winzip.exe, Update.exe, movies.exe and Zipped Files.exe.
  • Copy itself to %Windows% under the file names Rundll16.exe and WinZip_Tmp.exe.
  • Create a registry value so that it is executed at every system startup:

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ScanRegistry = "scanregw.exe /scan"
  • Modify the WebView value under:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
  • Stop Windows Explorer from displaying files that carry both the Hidden and System attributes by setting:

    HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
    ShowSuperHidden = dword:00000000
  • Modify the registry values:

    HKCU\Control Panel\BMale
    HKCU\Control Panel\DNS
  • Delete existing autostart registry entries, including those of security software.
  • Send email messages with obscene subject lines, message bodies and attachment names drawn from the following lists:

Subject: (any of the following)

• ----- forwarded message -----
• *Hot Movie*
• A Great Video
• Arab sex DSC-00465.jpg
• eBook.pdf
• Fw: DSC-00465.jpg
• Fw: Funny :)
• Fw: Picturs
• Fw: Real show
• Fw: SeX.mpg
• Fw: Sexy
• Fwd: Crazy illegal Sex!
• Fwd: image.jpg
• Fwd: Photo
• give me a kiss
• Miss Lebanon 2006
• My photos
• Part 1 of 6 Video clip or clipe
• Photos
• School girl fantasies gone bad
• Re: Sex Video

Message body: (any of the following)

• forwarded message
• forwarded message attached.
• Fuckin Kama Sutra pics
• hello,
• Helloi attached the details.
• Hot XXX Yahoo Groups
• how are you?
• i just any one see my photos.
• i send the details.
• i send the file.
• It's Free :)
• Note: forwarded message attached. You Must View This Videoclip!
• Please see the file.
• ready to be FUCKED ;)
• Thank you
• The Best Videoclip Ever
• the file i send the details
• VIDEOS! FREE! (US$ 0,00)
• What?

Attachment: (any of the following)

• 007.pif
• 3.92315089702606E02.UUE
• 392315089702606E-02,.scR
• 392315089702606E-02,UUE{spaces}.scR
• 677.pif
• Adults_9,zip.sCR
• ATT01.zip.sCR
• Attachments00.HQX
• Attachments001.BHX
• Attachments[001],B64.sCr
• Attachments[001].B64
• Clipe,zip.sCr
• document.pif
• DSC-00465.pIf
• eBook.PIF
• eBook.Uu
• image04.pif
• New Video,zip
• New_Document_file.pif
• Original Message.B64
• photo.pif
• Photos,zip.sCR
• School.pif
• SeX,zip.scR
• Sex.mim
• Video_part.mim
• WinZip,zip.scR
• WinZip.BHX
• WinZip.zip.sCR
• Word XP.zip.sCR
• Word.zip.sCR
• Word_Document.hqx
• Word_Document.uu

  • Harvest email addresses from files on the machine with extensions such as:

    .HTM, .DBX, .EML, .MSG, .OFT, .NWS
  • Delete files belonging to anti-virus applications, such as:

    %ProgramFiles%\Symantec\LiveUpdate\*.*
    %ProgramFiles%\Norton AntiVirus\*.exe
    %ProgramFiles%\McAfee.com\shared\*.*
    %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
    %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
  • Spread to network shares protected by weak passwords, copying itself there as WINZIP_TMP.exe.
  • On Windows NT, 2000, XP and Server 2003, create a scheduled task (a .JOB file in the %Windows%\Tasks folder) that runs the dropped copy at the 59th minute of every hour.
  • Modify DESKTOP.INI so that the dropped file TEMP.HTT is executed every time a folder or drive, including a floppy drive, is opened. DESKTOP.INI and TEMP.HTT are dropped, together with a copy of the worm named WINZIP_TMP.EXE, into every accessible folder and drive, again including floppy drives; all of them are given the Hidden attribute to escape casual inspection.
  • Contact the site webstats.web.rcn.net, presumably a hit counter used to record each new infection.

Prevention and suggested actions:

  • Update anti-virus software and signatures regularly.
  • Block messages carrying the subject lines and attachment names listed above at the email gateway.
  • Block executable and unknown file types at the email gateway; the attachment names above show that this must cover .PIF and .SCR files, double extensions such as "zip.sCR", and encoded wrappers (.UUE, .UU, .HQX, .BHX, .B64, .MIM) that carry an executable inside.
  • Exercise caution when opening email attachments.
  • Back up all important data files, and confirm that the backups are intact before the 3rd of the month, when the destructive payload overwrites documents.
  • Apply the appropriate security updates at the operating-system and application level.
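Added example, not CERT-In's code: a Python gateway-side check of the kind the two email-gateway items above call for. It parses a message in wire format and blocks it when the subject is one of the lure subjects listed earlier, or when an attachment's real final extension is an executable type or an encoded wrapper (.pif, .scr, .exe, .uue, .uu, .hqx, .bhx, .b64, .mim). It undoes the naming tricks visible in the attachment list: mixed case, a comma in place of a dot, and whitespace padding before the final extension. The sample messages are constructed, and the sender and recipient addresses are placeholders.

```python
# Added example for this alert (not CERT-In's own code): a mail-gateway check
# that rejects messages carrying the Nyxem.E lures. Subjects and extensions
# come from the alert; the sample messages built by make_raw() are constructed.
import email
from email import policy

BLOCKED_SUBJECTS = {s.lower() for s in (
    "----- forwarded message -----", "*Hot Movie*", "A Great Video",
    "Arab sex DSC-00465.jpg", "eBook.pdf", "Fw: DSC-00465.jpg", "Fw: Funny :)",
    "Fw: Picturs", "Fw: Real show", "Fw: SeX.mpg", "Fw: Sexy",
    "Fwd: Crazy illegal Sex!", "Fwd: image.jpg", "Fwd: Photo", "give me a kiss",
    "Miss Lebanon 2006", "My photos", "Photos", "School girl fantasies gone bad",
    "Re: Sex Video",
)}

# Final extensions used by the lure attachments: screen savers and PIFs that
# are really executables, plus uuencode/BinHex/base64/MIME wrappers around one.
BLOCKED_EXTS = {"pif", "scr", "exe", "uue", "uu", "hqx", "bhx", "b64", "mim"}


def final_extension(filename):
    """Return the real final extension, defeating the tricks in the lure names:
    mixed case ('.sCR'), a comma standing in for a dot ('Photos,zip.sCR') and
    whitespace padding before the last extension ('...UUE      .scR')."""
    name = filename.lower().replace(",", ".")
    parts = [p.strip() for p in name.split(".") if p.strip()]
    return parts[-1] if len(parts) > 1 else ""


def check_raw(raw_bytes):
    """Parse a message in wire format and return the reasons to block it
    (an empty list means deliver)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = (msg["Subject"] or "").strip()
    if subject.lower() in BLOCKED_SUBJECTS:
        reasons.append(f"subject is a known Nyxem lure: {subject!r}")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        ext = final_extension(fname)
        if ext in BLOCKED_EXTS:
            reasons.append(f"attachment {fname!r} resolves to blocked type .{ext}")
    return reasons


def make_raw(subject, body, filename=None):
    """Build a constructed test message in wire format; when filename is given,
    a small base64 blob (the start of a PE header) is attached under that name."""
    lines = ["From: sender@example.invalid", "To: user@example.invalid",
             f"Subject: {subject}", "MIME-Version: 1.0"]
    if filename is None:
        lines += ["Content-Type: text/plain", "", body]
    else:
        lines += ['Content-Type: multipart/mixed; boundary="b1"', "", "--b1",
                  "Content-Type: text/plain", "", body, "--b1",
                  f'Content-Type: application/octet-stream; name="{filename}"',
                  f'Content-Disposition: attachment; filename="{filename}"',
                  "Content-Transfer-Encoding: base64", "", "TVqQAAMAAAAEAAAA",
                  "--b1--"]
    return "\r\n".join(lines).encode()


if __name__ == "__main__":
    samples = [
        make_raw("Fw: Picturs", "forwarded message attached.", "Photos,zip.sCR"),
        make_raw("Hi", "i send the file.", "392315089702606E-02,UUE      .scR"),
        make_raw("Invoice", "Please see the file.", "Attachments[001].B64"),
        make_raw("Meeting notes", "Agenda attached.", "agenda.pdf"),
        make_raw("What?", "how are you?"),
    ]
    for raw in samples:
        verdict = check_raw(raw)
        print("BLOCK" if verdict else "PASS ", verdict)
```

Matching exact subject lines is brittle, since the lure text changes between variants; the extension rule is the durable control and is what the "block executable and unknown file types" item amounts to in practice.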

Common Malware Enumeration (CME) ID: CME-24

Disclaimer

The information provided herein is on an "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003