F-Secure Virus Descriptions : Nyxem
The Nyxem worm was found on March 25th, 2004. The worm spreads in
e-mails using an external SMTP engine. It sends itself with
different subjects, body texts and attachment names. The worm also
copies itself multiple times to an infected hard drive. The worm
can damage installations of several anti-virus programs.
Additionally, the worm can spread to network shares and perform a
DoS (Denial of Service) attack.
The worm's file is a PE executable 76060 bytes long, packed with
the UPX file compressor. The worm is written in Visual Basic and
uses p-code instead of native code in its file.
The worm also contains two DLL files and one GIF file. One of the
DLL files is the external SMTP engine that the worm uses to
spread; the other DLL is used to DoS a website. The GIF file is
used to make a recipient of infected e-mails think that the
message was scanned by Norton Anti-Virus and no infection was
found:
The worm uses an interesting technique: there are always two
processes of the worm in memory. If one process gets killed, it
is shortly restarted by the other process. The same technique was
used by the Sober worm in the past.
Installation to system
When the worm's file is run, it installs itself to the system and
shows a fake error message box:
The worm copies itself multiple times on a hard disk. It creates
multiple ZIP archives in the Windows System folder with .ZIP and
.TGZ extensions. These archives contain the worm's file under
different names.
The worm copies its executable files with different names
(usually borrowed from other applications) to different folders
on a local hard drive, including the \TEMPORARY subfolder in the
Windows folder (the worm creates this folder). Then the worm
creates startup keys for two of the copied files:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\WINDOWS\SYSTEM32\<file.ext>"
"<file.ext>"="C:\WINDOWS\TEMPORARY\<file.ext>"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\WINDOWS\TEMPORARY\<file.ext>"
"<file.ext>"="C:\WINDOWS\SYSTEM32\<file.ext>"
where <file.ext> is the worm's file name, for example REGEDIT.EXE
or EXPLORER<space>.EXE. This way two of the worm's files are
started at the same time when Windows loads. The worm also creates
the BLACKWORM.EXE and FIX_BLACKWORM.COM files in the Windows System
folder, as well as a bunch of files with the .SCR extension. The
WIN<space>32.EXE file is created in the Windows folder. The <space>
in the above file names represents a space character.
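The persistence layout described above is distinctive enough to check for: the Run key's default value set to an executable, a path under the worm-created \TEMPORARY folder, the hardcoded BLACKWORM file names, and system-like names with an embedded space. The following is an added example (not code from F-Secure's description) that scans a constructed, in-memory copy of Run-key contents for those traits; the sample entries and the hive abbreviations are assumptions made for the demonstration.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample of Run-key contents, laid out like the persistence
# entries in the description above (not a real registry export).
SAMPLE_RUN_KEYS = {
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "@": r"C:\WINDOWS\SYSTEM32\REGEDIT.EXE",
        "EXPLORER .EXE": r"C:\WINDOWS\TEMPORARY\EXPLORER .EXE",
        "ctfmon.exe": r"C:\WINDOWS\system32\ctfmon.exe",
    },
    r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run": {
        "@": r"C:\WINDOWS\TEMPORARY\WIN 32.EXE",
        "SoundMAX": r'"C:\Program Files\Analog Devices\SoundMAX\SMTray.exe"',
    },
}

KNOWN_NAMES = {"BLACKWORM.EXE", "FIX_BLACKWORM.COM"}
WINDOWS_DIR = re.compile(r"^[A-Z]:\\WINDOWS\\", re.IGNORECASE)

def classify_entry(value_name, command):
    """Return the reasons a Run-key value matches the worm's persistence
    pattern; an empty list means the entry looks ordinary."""
    path = command.strip().strip('"')
    base = PureWindowsPath(path).name
    reasons = []
    if "\\TEMPORARY\\" in path.upper():
        reasons.append("runs from the worm-created \\TEMPORARY folder")
    if value_name == "@":
        # The Run key's default value is normally empty; the worm sets it.
        reasons.append("Run key default value points to an executable")
    if base.upper() in KNOWN_NAMES:
        reasons.append("known worm file name " + base)
    if WINDOWS_DIR.match(path) and " " in base:
        # Names such as "EXPLORER .EXE" mimic system binaries with a space.
        reasons.append("system-like name with embedded space: " + repr(base))
    return reasons

def suspicious_run_entries(run_keys):
    """Scan {key: {value_name: command}}; return (key, value_name, reason) hits."""
    hits = []
    for key, values in run_keys.items():
        for value_name, command in values.items():
            for reason in classify_entry(value_name, command):
                hits.append((key, value_name, reason))
    return hits

if __name__ == "__main__":
    for key, name, reason in suspicious_run_entries(SAMPLE_RUN_KEYS):
        print(f"{key}\n  {name!r}: {reason}")
```

On a live Windows host the same `run_keys` structure can be filled from `winreg` by enumerating the values of both Run keys; the classification logic is unchanged.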
Spreading in e-mails
The worm spreads itself in e-mails with different subject and
body texts and different attachment names. Before spreading, the
worm collects e-mail addresses from the infected computer. It
scans files with .HTM and .DBX extensions and also the Yahoo
Messenger profile folder.
The worm can send two types of messages. The subject of the first
type of message is selected from the following list:
FW: (-Sucking-)
FW: File - WebCam.mpeg
FW: **Hot Movie**
Re: Why? Form Back.mpg
FW:RE: Least *21* Years
Re: Double suck (movie
FW:Re:Hot Erotic
very hot XXX
Video Clip
RE: FW: Women Mpeg
Asses Mpeg's
FW: Lesbian & gays Mpeg
Fw: My Funny Ass
<<~SEX~>> TeenRapers.mov
The body of the first type of message is selected from the
following variants:
Babe sucking black Dog MPEG
funny movie
hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd ,
big ole booty, jus lovin life, until i get my pics posted in here you can
either check out my profile or join my own yahoo group Texas-Sexy@groups.msn.com,
either way works for me..i hope to become very active in this group, i like
to get to know people, like to get on cam once in a while, jus to chill,
when they aint none home..thats why its once in a while yaknow..anyways
jus holla at me... n thanks for lettin me join!!! kisses kandee..Bye
Dozens of Free Video Clips to download.Many Niches. Updated regularly and more
added daily.Taken From Vivi's Lovely Briefcase.
very good movie >>> Video's Media Player. SEX SEX * Sluts Tits Video
Mpeg's Mpeg Video Clips
Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is
a real swingers group!! I'm attatching a Video Clip of my wife if interested
in checking it out!
-==This server does not support Transfer Big Movies==-
wo Hotttt gurls sucking a hansum cock Softly
Watch the Paris Hilton Sex Tape for Free!
Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips
Here is another Vclip of my daily group :|
All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes
u Love asses? Here is a great ass open wide waitin for ur lil Cock
Bye
movie attached open by media Player 7.1
when i saw my ass i slept 3 hours why?? check my ass sorry my movie
LOOOOOOOOL joke (^!^)
Bye
Check This ?ucking Babe ;D
?ucking = Sucking=F*cking
The attachment name of the first type of message is selected from
the following list:
17Ag_double_suck__part[2].MPEG_.scr
April_FromTexas.MPEG_.scr
Video_briefcase_Group[13].MPEG_.scr
Julia_1997_F*cking.MPEG_.scr
juanita_in_the_kitchen.MPEG.scr
After_2AM_small_room[4].MPEG__.scr
Graham_Hilton_Sex[4].MPEG__.scr
WebCam_12girls_Ass.mpeg_.scr
Shakira_Anal_very_old.MPEG.scr
why_f*ck_anal_back.MPEG.scr
open_girl_21year.MPEG.scr
Ricky_Gay_ass.MPEG______________.scr
GrahamCluley_freakin_Ass_.MPEG__.scr
Sexual_Crimes.MPEG____.scr
The attachment can also be sent in a ZIP or TGZ archive. Please
note that the above message texts and attachment names were
modified to change obscene words.
The second type of message that the worm sends looks like this:
The worm can use different colors and font types for the above
message.
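The attachment names above share one trick: a media extension such as .MPEG, padded with underscores, in front of the real .scr extension, so that the executable extension scrolls out of view in a narrow attachment column. The following is an added example (not code from F-Secure's description) of a gateway-style filename check that flags both that double-extension disguise and bare executable attachments; the sample list mixes names quoted above with constructed benign ones, and the extension sets are assumptions.

```python
import re

# Extensions a mail gateway should treat as executable content (assumed set).
EXECUTABLE_EXTS = {"scr", "exe", "com", "pif", "bat", "cmd"}
# Media extensions used as a decoy in front of the real one (assumed set).
DECOY_EXTS = {"mpeg", "mpg", "avi", "mov", "wmv", "jpg", "gif"}
# "<name>.<decoy>[___...].<executable>": underscores may pad the decoy
# extension so the executable one is pushed out of view.
DOUBLE_EXT = re.compile(
    r"\.(?P<decoy>[A-Za-z0-9]+)(?P<pad>_*)\.(?P<real>[A-Za-z0-9]+)$")

def classify_attachment(filename):
    """Return 'disguised-executable', 'executable' or None for a filename."""
    name = filename.strip()
    m = DOUBLE_EXT.search(name)
    if (m and m.group("decoy").lower() in DECOY_EXTS
            and m.group("real").lower() in EXECUTABLE_EXTS):
        return "disguised-executable"
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        return "executable"
    return None

# Constructed sample: names from the description plus benign ones.
SAMPLE_ATTACHMENTS = [
    "juanita_in_the_kitchen.MPEG.scr",
    "April_FromTexas.MPEG_.scr",
    "Video_briefcase_Group[13].MPEG_.scr",
    "clip.MPEG______________.scr",        # constructed, heavily padded
    "FIX_BLACKWORM.COM",
    "holiday_2004.mpeg",
    "quarterly_report.pdf",
    "backup.tar.gz",
]

def triage(filenames):
    """Map each filename to its classification; None means no finding."""
    return {name: classify_attachment(name) for name in filenames}

if __name__ == "__main__":
    for name, verdict in triage(SAMPLE_ATTACHMENTS).items():
        print(f"{verdict or 'ok':21} {name}")
```

Because the worm also ships the same files inside SCAN.ZIP or SCAN.TGZ, the check is worth applying to archive member names as well as to the outer attachment name.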
The subject of the second type of message is:
Fw: Virus Alert
The attachment to the second type of message is SCAN.ZIP or
SCAN.TGZ, which contains the worm's file named FIX_BLACKWORM.COM.
The worm can also attach its file directly as FIX_BLACKWORM.COM to
the infected message.
The worm's messages can contain a GIF file that is used to make a
recipient of infected e-mails think that the message was scanned
by Norton Anti-Virus and no infection was found. You can see this
GIF file in the beginning of this description.
Spreading to local network
The worm can spread via the local network to computers that have
open shares with write access. The worm enumerates network shares
and copies itself there with one of its hardcoded names (see
above). When that SCR file is run on a remote computer, that
computer becomes infected. Additionally, the worm's file can appear
in the root folder of a local hard drive if that drive is shared.
Payload
The worm periodically tries to delete the following files:
C:\Program Files\Norton AntiVirus\*.exe
C:\Program Files\McAfee\McAfee VirusScan\Vso\*.*
C:\Program Files\Trend Micro\PC-cillin 2002\*.exe
C:\Program Files\Trend Micro\PC-cillin 2003\*.exe
C:\Program Files\Trend Micro\Internet Security\*.exe
This way the worm can damage installations of several anti-virus
programs and render them inoperable.
Additionally, the worm can perform a Denial of Service (DoS)
attack on the New York Mercantile Exchange website
(www.nymex.com).
The worm deletes startup Registry key values that belong to
various applications and malware, including the Bagle worm. The
following key values are deleted:
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
PccPfw
PCCIOMON.exe
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
Taskmon
KasperskyAv
system.
msgsvr32
Windows Services Host
Explorer
Sentry
ssate.exe
winupd.exe
au.exe
OLE
Detection for this worm was published on March 25th, 2004 in the
following F-Secure Anti-Virus updates:
[FSAV_Database_Version]
Version=2004-03-25_01
Writeup:
Katrin Tocheva, March 25th, 2004;
Technical Details:
Alexey Podrezov, March 25th, 2004;
F-Secure Corporation