Nymph is a mass-mailer with backdoor capabilities created by the ASM/iKX group. It is one of the first worms to use a webserver's search engine to find victims' email addresses. The worm is disguised as an 'E-fortune cookie generator'. It is a variant of the W32/Roach worm and has a few serious bugs that prevent it from working even for a short while on an infected system. The worm itself is a Windows PE EXE file about 29 KB long. The worm's code is encrypted with a simple XOR loop.
The worm's file is a PE executable 76060 bytes long, packed with the UPX file compressor. It is written in Visual Basic and uses p-code instead of native code.
Nyxem worm was found on March 25th, 2004.
When the worm's file is run, it installs itself to the system and shows a fake error message box:
The worm copies itself multiple times on a hard disk:
The worm also creates the following files:
In the above files, names represents the space character.
The worm uses an interesting technique to stay active: it maintains two processes in memory, and if one process is killed, it is quickly restarted by the other. The Sober worm used the same technique in the past.
The worm periodically tries to delete the following files:
The worm can potentially damage the installations of several anti-virus programs, rendering them inoperable.
Additionally, the worm can perform a DoS attack on the New York Mercantile Exchange website (www.nymex.com).
During installation, the worm creates the following startup keys for 2 of the copied files, to ensure the files are automatically started each time the system starts:
where " is the worm's file name, for example REGEDIT.EXE or EXPLORER.EXE. T
The worm deletes startup Registry keys belonging to various applications and malware, including the Bagle worm. The following key values are deleted:
Nyxem propagates in an infected file attachment accompanying email messages with varying subject lines, body texts and attachment names.
Before spreading, the worm collects email addresses from a computer. It scans files with .HTM and .DBX extensions, as well as the Yahoo! Messenger profile folder.
The worm can send two types of messages. Characteristics of Type 1 email messages are as follows:
The Subject line is selected from the following list:
The body text is selected from the following list:
The attachment name is selected from the following list:
The attachment can also be sent in a ZIP or TGZ archive. Please note that the above subjects, body texts and attachment names have been modified to mask obscene words.
The second type of message sent by the Nyxem worm looks as follows:
The worm can use different colors and font types for the above message.
The subject of this second message type is:
The file attachment name is:
The worm's main executable, FIX_BLACKWORM.COM, may be attached by itself to the email message, or may be embedded in the SCAN.ZIP archive or SCAN.TGZ file attachments.
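As an added illustration of how a mail gateway could flag the attachment names listed above (example code written for this page, not F-Secure's or the worm's code), the following Python checks a message for FIX_BLACKWORM.COM, SCAN.ZIP or SCAN.TGZ and, for a ZIP, reports executable members inside it. The sample message it builds is constructed here; the archive entry holds placeholder bytes, and TGZ contents are left uninspected to keep the example short.

```python
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Attachment names this description lists for Nyxem's second message type.
NYXEM_ATTACHMENTS = {"fix_blackworm.com", "scan.zip", "scan.tgz"}
EXECUTABLE_SUFFIXES = (".com", ".exe", ".scr", ".pif", ".bat")

def suspicious_attachments(raw_message: bytes) -> list:
    """Return attachment names matching Nyxem's hardcoded names; for a ZIP,
    members with executable extensions are reported as "scan.zip:MEMBER".
    TGZ contents are not inspected here."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name not in NYXEM_ATTACHMENTS:
            continue
        hits.append(name)
        if name.endswith(".zip"):
            data = part.get_payload(decode=True)
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as zf:
                    for member in zf.namelist():
                        if member.lower().endswith(EXECUTABLE_SUFFIXES):
                            hits.append(f"{name}:{member}")
            except zipfile.BadZipFile:
                hits.append(f"{name}:<unreadable archive>")
    return hits

def build_sample() -> bytes:
    """Constructed sample message: SCAN.ZIP holding a .COM entry made of
    placeholder bytes, not worm code."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("FIX_BLACKWORM.COM", b"placeholder bytes")
    msg = EmailMessage()
    msg["From"] = "scanner@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "constructed test message"
    msg.set_content("constructed body text")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="SCAN.ZIP")
    return msg.as_bytes()

if __name__ == "__main__":
    print(suspicious_attachments(build_sample()))
```

Name matching alone is a weak signal on its own; in practice it would sit beside the product's signature detection rather than replace it.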
The worm contains two DLL files and one GIF file. One of the DLLs is an external SMTP engine that the worm uses to send the constructed email messages to selected victims; the other DLL is used to perform the worm's DoS attack.
The GIF file is added to the beginning of the constructed email message to make the recipient think it was scanned by Norton Anti-Virus:
The worm can spread via local network to computers that have open shares with write access enabled. The worm enumerates network shares and copies itself there with one of its hardcoded names.
When that SCR file is run on a remote computer, that computer becomes infected. Additionally, the worm's file can appear in the root folder of a local hard drive if the drive is shared.