Threat Description

Email-Worm:W32/Nyxem

Details

Aliases: I-Worm.Nyxem, Hunchi, Mywife, Blackmal, Blackworm, Blueworm
Category: Malware
Type: Email-Worm
Platform: W32

Summary


This type of worm is embedded in an e-mail attachment, and spreads using the infected computer's e-mailing networks.

Removal


Allow F-Secure Anti-Virus to disinfect the relevant files.

For more general information on disinfection, please see Removal Instructions (http://www.f-secure.com/en_EMEA/security/virus-removal/removal-instructions/).

Technical Details


Email-Worm:W32/Nyxem propagates through infectious e-mail file attachments. It is also capable of spreading over a local network. Once installed on a computer, the worm can kill the processes of several applications, as well as preventing other malware from running. Nyxem can also perform a Denial of Service (DoS) attack.

The worm's file is a PE executable 76060 bytes long, packed with the UPX file compressor. It is written in Visual Basic and uses p-code instead of native code in its file.

The Nyxem worm was found on March 25th, 2004.

Installation

When the worm's file is run, it installs itself to the system and shows a fake error message box:

[Image: fake error message box shown by the worm (nyxem1.jpg)]

The worm copies itself multiple times on a hard disk:

- Creates multiple ZIP archives in the Windows System folder, using .ZIP and .TGZ extensions and differing names. Each archive contains the worm's file.
- Copies its executable file under different names (usually borrowed from other applications) to different folders on the local hard drive, including the \TEMPORARY subfolder in the Windows folder (if necessary, the worm creates this folder).

The worm also creates the following files:

- BLACKWORM.EXE and FIX_BLACKWORM.COM files in the Windows System folder
- A bunch of files with the extension .SCR, also in the Windows System folder
- WIN32.EXE file in the Windows folder

In the above files, names represents the space character.

The worm uses an interesting technique to stay active. It maintains 2 processes in the computer's memory. If one process is killed, it is quickly restarted by the second process. The same technique was used by the Sober worm in the past.

Payload

The worm periodically tries to delete the following files:

- C:\Program Files\Norton AntiVirus\*.exe
- C:\Program Files\McAfee\McAfee VirusScan\Vso\*.*
- C:\Program Files\Trend Micro\PC-cillin 2002\*.exe
- C:\Program Files\Trend Micro\PC-cillin 2003\*.exe
- C:\Program Files\Trend Micro\Internet Security\*.exe

The worm can potentially damage the installations of several anti-virus programs, rendering them inoperable.

Additionally, the worm can perform a DoS attack on the New York Mercantile Exchange website (www.nymex.com).

Registry

During installation, the worm creates the following startup keys for 2 of the copied files, to ensure the files are automatically started each time the system starts:

- [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
      @="C:\WINDOWS\SYSTEM32\"
      ""="C:\WINDOWS\TEMPORARY\"
- [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
      @="C:\WINDOWS\TEMPORARY\"
      ""="C:\WINDOWS\SYSTEM32\"

where " is the worm's file name, for example REGEDIT.EXE or EXPLORER.EXE.

The worm deletes startup Registry keys belonging to various applications and malware, including the Bagle worm. The following key values are deleted:

- NPROTECT
- ccApp
- ScriptBlocking
- MCUpdateExe
- VirusScan Online
- MCAgentExe
- VSOCheckTask
- McRegWiz
- McVsRte
- PCClient.exe
- PCCIOMON.exe
- pccguide.exe
- PccPfw
- PCCIOMON.exe
- tmproxy
- McAfeeVirusScanService
- NAV Agent
- PCCClient.exe
- SSDPSRV
- Taskmon
- KasperskyAv
- system.
- msgsvr32
- Windows Services Host
- Explorer
- Sentry
- ssate.exe
- winupd.exe
- au.exe
- OLE

Propagation (E-mail)

Nyxem propagates in an infected file attachment accompanying e-mail messages with varying subject lines, body texts and attachment names.

Before spreading, the worm collects e-mail addresses from the infected computer. It scans files with .HTM and .DBX extensions, as well as the Yahoo! Messenger profile folder.

The worm can send 2 types of messages. Characteristics of Type 1 e-mail messages are as follows:

The Subject line is selected from the following list:

- FW: (-Sucking-)
- FW: File - WebCam.mpeg
- FW: **Hot Movie**
- Re: Why? Form Back.mpg
- FW:RE: Least *21* Years
- Re: Double suck (movie
- FW:Re:Hot Erotic
- very hot XXX
- Video Clip
- RE: FW: Women Mpeg
- Asses Mpeg's
- FW: Lesbian & gays Mpeg
- Fw: My Funny Ass
- <<~SEX~>> TeenRapers.mov

The body text is selected from the following list:

- Babe sucking black Dog MPEG
- funny movie
- hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd ,
      big ole booty, jus lovin life, until i get my pics posted in here you can
      either check out my profile or join my own yahoo group Texas-Sexy@groups.msn.com,
      either way works for me..i hope to become very active in this group, i like
      to get to know people, like to get on cam once in a while, jus to chill,
      when they aint none home..thats why its once in a while yaknow..anyways
      jus holla at me... n thanks for lettin me join!!! kisses kandee..Bye
- Dozens of Free Video Clips to download.Many Niches. Updated regularly and more
      added daily.Taken From Vivi's Lovely Briefcase.
- very good movie >>> Video's Media Player. SEX SEX * Sluts Tits Video
      Mpeg's Mpeg Video Clips
- Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is
      a real swingers group!! I'm attatching a Video Clip of my wife if interested
      in checking it out!
- -==This server does not support Transfer Big Movies==-
      wo Hotttt gurls sucking a hansum cock Softly
- Watch the Paris Hilton Sex Tape for Free!
      Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips
- Here is another Vclip of my daily group :|
- All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes
- u Love asses? Here is a great ass open wide waitin for ur lil Cock
      Bye
      movie attached open by media Player 7.1
- when i saw my ass i slept 3 hours why?? check my ass sorry my movie
      LOOOOOOOOL joke (^!^)
      Bye
- Check This ?ucking Babe ;D
      ?ucking = Sucking=F*cking

The attachment name is selected from the following list:

- 17Ag_double_suck__part[2].MPEG_.scr
- April_FromTexas.MPEG_.scr
- Video_briefcase_Group[13].MPEG_.scr
- Julia_1997_F*cking.MPEG_.scr
- juanita_in_the_kitchen.MPEG.scr
- After_2AM_small_room[4].MPEG__.scr
- Graham_Hilton_Sex[4].MPEG__.scr
- WebCam_12girls_Ass.mpeg_.scr
- Shakira_Anal_very_old.MPEG.scr
- why_f*ck_anal_back.MPEG.scr
- open_girl_21year.MPEG.scr
- Ricky_Gay_ass.MPEG______________.scr
- GrahamCluley_freakin_Ass_.MPEG__.scr
- Sexual_Crimes.MPEG____.scr

The attachment can also be sent in a ZIP or TGZ archive. Please note that the above message texts and attachment names were modified to change obscene words.

The second type of message sent by the Nyxem worm looks as follows:

[Image: Type 2 e-mail message sent by the worm (nyxem3.jpg)]

The worm can use different colors and font types for the above message.

The subject of this second message type is:

- Fw: Virus Alert

The file attachment name is one of:

- SCAN.ZIP
- SCAN.TGZ
- FIX_BLACKWORM.COM

The worm's main executable, FIX_BLACKWORM.COM, may be attached by itself to the e-mail message, or may be embedded in the SCAN.ZIP archive or SCAN.TGZ file attachments.

The worm contains two DLL files and one GIF file. One of the DLL files is an external SMTP engine that the worm uses to send the e-mail messages to selected victims once they have been constructed; the other DLL is used to perform the worm's DoS attack.

The GIF file is added to the beginning of the constructed e-mail message to make the recipient think it was scanned by Norton Anti-Virus:

[Image: fake "scanned by Norton Anti-Virus" banner embedded in the message (nyxem2.gif)]

Propagation (Local Network)

The worm can spread via the local network to computers that have open shares with write access enabled. The worm enumerates network shares and copies itself there with one of its hardcoded names.

When that SCR file is run on a remote computer, it becomes infected. Additionally, the worm's file can appear in the root folder of a local hard drive if it is shared.
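As an added example (not part of F-Secure's description or of any F-Secure product), the following Python turns the traits above into a mail-gateway and host check: the Type 1 attachments all share the shape name.MPEG<underscores>.scr, the Type 2 mails pair the "Fw: Virus Alert" subject with SCAN.ZIP/SCAN.TGZ/FIX_BLACKWORM.COM, and the Run-key entries point into the Windows TEMPORARY folder. The Message class, the sample inputs and the generalization of the Type 1 name pattern beyond the 14 listed names are assumptions of mine.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Indicators taken from the description above; sample inputs are constructed.
TYPE2_SUBJECT = "fw: virus alert"
TYPE2_ATTACHMENTS = {"scan.zip", "scan.tgz", "fix_blackworm.com"}
# Assumption: every Type 1 attachment name ends in a fake media extension
# followed by optional underscores and the executable .scr extension.
TYPE1_ATTACHMENT_RE = re.compile(r"\.mpeg_*\.scr$", re.IGNORECASE)
# The worm's startup entries launch copies from <drive>:\WINDOWS\TEMPORARY\.
TEMPORARY_DIR_RE = re.compile(r"^[a-z]:\\windows\\temporary\\", re.IGNORECASE)
# File names the worm drops, regardless of folder.
DROPPED_FILES = {"blackworm.exe", "fix_blackworm.com", "win32.exe"}


@dataclass
class Message:
    subject: str
    attachments: List[str]  # attachment file names as seen in the MIME parts


def classify_message(msg: Message) -> Optional[str]:
    """Return 'type1', 'type2' or None according to the worm's two mail formats."""
    names = [a.strip().lower() for a in msg.attachments]
    if any(TYPE1_ATTACHMENT_RE.search(n) for n in names):
        return "type1"
    subject_matches = msg.subject.strip().lower() == TYPE2_SUBJECT
    if subject_matches and any(n in TYPE2_ATTACHMENTS for n in names):
        return "type2"
    return None


def suspicious_run_values(run_values: Dict[str, str]) -> List[str]:
    """Flag Run-key values (name -> data, '' for the default value) whose data
    lives in the TEMPORARY folder or launches one of the worm's dropped names."""
    flagged = []
    for name, data in run_values.items():
        path = data.strip().strip('"')
        base = path.rsplit("\\", 1)[-1].lower()
        if TEMPORARY_DIR_RE.match(path) or base in DROPPED_FILES:
            flagged.append(name or "(default)")
    return flagged


if __name__ == "__main__":
    sample = Message("Fw: Virus Alert", ["SCAN.ZIP"])  # constructed sample
    print(classify_message(sample))
    print(suspicious_run_values({"": "C:\\WINDOWS\\TEMPORARY\\REGEDIT.EXE"}))
```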



Description Created: 2006-01-01 16:32:13.0

Description Last Modified: 2010-07-15 10:48:03.0

