Email-Worm:W32/Nyxem

Classification

Category :

Malware

Type :

Email-Worm

Aliases :

I-Worm.Nyxem, Hunchi, Mywife, Blackmal, Blackworm, Blueworm

Summary

Nymph is a mass-mailer with backdoor capabilities created by ASM/iKX group. It is one of the first worms that uses search engine of a webserver to find victim's email addresses. The worm is disguised as 'E-fortune cookie generator'. This worm is a variant of W32/Roach worm and it has a few serious bugs that don't allow it to work even for a short while on an infected system. The worm itself is a Windows PE EXE file about 29kb long. The code of the worm is encrypted with a simple XOR encryption loop.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

The worm's file is a PE executable 76060 bytes long packed with UPX file compressor. It is written in Visual Basic and it uses p-code instead of native code in its file.

Nyxem worm was found on March 25th, 2004.

Installation

When the worm's file is run, it installs itself to system and shows a fake error messagebox:

The worm copies itself multiple times on a hard disk:

  • Creates multiple ZIP archives in the Windows System folder, using .ZIP and TGZ extensions and differing names. Each archive containing the worm's file.
  • Copies of its executable files with different names (usually borrowed from other applications) to different folders on the local hard drive, including the \TEMPORARY subfolder in Windows folder (if necessary, the worm creates this folder)

The worm also creates the following files:

  • BLACKWORM.EXE and FIX_BLACKWORM.COM files in the Windows System folder
  • A bunch of files with the extension .SCR, also in the Windows System folder
  • WIN32.EXE file in Windows folder

In the above files, names represents the space character.

The worm uses an interesting technique to stay active. The worm maintains 2 processes in the computer memory. If one process iskilled, it is quickly restarted by the second process. The same technique was used by Sober worm in the past.

Payload

The worm periodically tries to delete the following files:

  • C:\Program Files\Norton AntiVirus\*.exe
  • C:\Program Files\McAfee\McAfee VirusScan\Vso\*.*
  • C:\Program Files\Trend Micro\PC-cillin 2002\*.exe
  • C:\Program Files\Trend Micro\PC-cillin 2003\*.exe
  • C:\Program Files\Trend Micro\Internet Security\*.exe

The worm can potentially damage the installations of several anti-virus programs, rendering them inoperable.

Additionally, the worm can perform a DoS attack on the New York Mercantile Exchange website (www.nymex.com).

Registry

During installation, the worm creates the following startup keys for 2 of the copied files, to ensure the files are automatically started each time the system starts:

  • [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run] @="C:\WINDOWS\SYSTEM32\" ""="C:\WINDOWS\TEMPORARY\"
  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run] @="C:\WINDOWS\TEMPORARY\" ""="C:\WINDOWS\SYSTEM32\"

where " is the worm's file name, for example REGEDIT.EXE or EXPLORER.EXE. T

The worm deletes startup Registry key belonging to various applications and malware, including the Bagle worm. The following key values are deleted:

  • NPROTECT
  • ccApp
  • ScriptBlocking
  • MCUpdateExe
  • VirusScan Online
  • MCAgentExe
  • VSOCheckTask
  • McRegWiz
  • McVsRte
  • PCClient.exe
  • PCCIOMON.exe
  • pccguide.exe
  • PccPfw
  • PCCIOMON.exe
  • tmproxy
  • McAfeeVirusScanService
  • NAV Agent
  • PCCClient.exe
  • SSDPSRV
  • Taskmon
  • KasperskyAv
  • system.
  • msgsvr32
  • Windows Services Host
  • Explorer
  • Sentry
  • ssate.exe
  • winupd.exe
  • au.exe
  • OLE

Propagation (email)

Nyxem propagates in an infected file attachment accompanying email messages with varying subject lines, body texts and attachment names.

Before spreading, the worm collects email addresses from a computer. It scans files with .HTM and .DBX extensions, as well as the Yahoo! Messenger profile folder.

The worm can send 2 types of messages. Characteristics of Type 1 email messages are as follows:

The Subject line is selected from the following list:

  • FW: (-Sucking-)
  • FW: File - WebCam.mpeg
  • FW: **Hot Movie**
  • Re: Why? Form Back.mpg
  • FW:RE: Least *21* Years
  • Re: Double suck (movie
  • FW:Re:Hot Erotic
  • very hot XXX
  • Video Clip
  • RE: FW: Women Mpeg
  • Asses Mpeg's
  • FW: Lesbian & gays Mpeg
  • Fw: My Funny Ass
  • <<~SEX~ > > TeenRapers.mov

The body text is selected from the following list:

  • Babe sucking black Dog MPEG
  • funny movie
  • hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd , big ole booty, jus lovin life, until i get my pics posted in here you can either check out my profile or join my own yahoo group Texas-Sexy@groups.msn.com, either way works for me..i hope to become very active in this group, i like to get to know people, like to get on cam once in a while, jus to chill, when they aint none home..thats why its once in a while yaknow..anyways jus holla at me... n thanks for lettin me join!!! kisses kandee..Bye
  • Dozens of Free Video Clips to download.Many Niches. Updated regularly and more added daily.Taken From Vivi's Lovely Briefcase.
  • very good movie > > > Video's Media Player. SEX SEX * Sluts Tits Video Mpeg's Mpeg Video Clips
  • Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is a real swingers group!! I'm attatching a Video Clip of my wife if interested in checking it out!
  • -==This server does not support Transfer Big Movies==- wo Hotttt gurls sucking a hansum cock Softly
  • Watch the Paris Hilton Sex Tape for Free! Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips
  • Here is another Vclip of my daily group :|
  • All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes
  • u Love asses? Here is a great ass open wide waitin for ur lil Cock Bye movie attached open by media Player 7.1
  • when i saw my ass i slept 3 hours why?? check my ass sorry my movie LOOOOOOOOL joke (^!^) Bye
  • Check This ?ucking Babe ;D ?ucking = Sucking=F*cking

The attachment name is selected from the following list:

  • 17Ag_double_suck__part[2].MPEG_.scr
  • April_FromTexas.MPEG_.scr
  • Video_briefcase_Group[13].MPEG_.scr
  • Julia_1997_F*cking.MPEG_.scr
  • juanita_in_the_kitchen.MPEG.scr
  • After_2AM_small_room[4].MPEG__.scr
  • Graham_Hilton_Sex[4].MPEG__.scr
  • WebCam_12girls_Ass.mpeg_.scr
  • Shakira_Anal_very_old.MPEG.scr
  • why_f*ck_anal_back.MPEG.scr
  • open_girl_21year.MPEG.scr
  • Ricky_Gay_ass.MPEG______________.scr
  • GrahamCluley_freakin_Ass_.MPEG__.scr
  • Sexual_Crimes.MPEG____.scr

The attachment can be also sent in a ZIP or TGZ archive. Please note that the above message, texts and attachment names were modified to change obscene words.

The second type of message sent by the Nyxem worm looks as follows:

The worm can use different colors and font types for the above message.

The subject this second message type is:

  • Fw: Virus Alert

The file attachment name is

  • SCAN.ZIP
  • SCAN.TGZ
  • FIX_BLACKWORM.COM.

The worm's main executable, FIX_BLACKWORM.COM, may be attached by itself to the email message, or may be embedded in the SCAN.ZIP archive or SCAN.TGZ file attachments.

The worm contains two DLL and one GIF files. One of the DLL files is an external SMTP engine that the worm uses to send the email messages to selected victims once they have been constructed; the other DLL is used to perform the worm's DoS attack.

The GIF file is added to the beginning of the constructed email message to make the recipient think it was scanned by Norton Anti-Virus:

Propagation (Local Network)

The worm can spread via local network to computers that have open shares with write access enabled. The worm enumerates network shares and copies itself there with one of its hardcoded names.

When that SCR file is run on a remote computer, it becomes infected. Additionally the worm's file can appear in a root folder of a local hard drive if it is shared.