Nymph is a mass-mailer with backdoor capabilities created by the ASM/iKX group. It is one of the first worms to use a web server's search engine to find victims' email addresses. The worm is disguised as an 'E-fortune cookie generator'. This worm is a variant of the W32/Roach worm, and it has a few serious bugs that prevent it from working even for a short while on an infected system. The worm itself is a Windows PE EXE file about 29kb long. The code of the worm is encrypted with a simple XOR encryption loop.
The worm's file is a PE executable 76060 bytes long, packed with the UPX file compressor. It is written in Visual Basic and uses p-code instead of native code in its file.
The Nyxem worm was found on March 25th, 2004.
When the worm's file is run, it installs itself to the system and shows a fake error message box:
The worm copies itself multiple times on a hard disk:
The worm also creates the following files:
In the above files, names represents the space character.
The worm uses an interesting technique to stay active. It maintains 2 processes in the computer's memory. If one process is killed, it is quickly restarted by the second process. The same technique was used by the Sober worm in the past.
The worm periodically tries to delete the following files:
The worm can potentially damage the installations of several anti-virus programs, rendering them inoperable.
Additionally, the worm can perform a DoS attack on the New York Mercantile Exchange website (www.nymex.com).
During installation, the worm creates the following startup keys for 2 of the copied files, to ensure the files are automatically started each time the system starts:
where " is the worm's file name, for example REGEDIT.EXE or EXPLORER.EXE. T
The worm deletes startup Registry keys belonging to various applications and malware, including the Bagle worm. The following key values are deleted:
Nyxem propagates in an infected file attachment accompanying email messages with varying subject lines, body texts and attachment names.
Before spreading, the worm collects email addresses from a computer. It scans files with .HTM and .DBX extensions, as well as the Yahoo! Messenger profile folder.
The worm can send 2 types of messages. Characteristics of Type 1 email messages are as follows:
The Subject line is selected from the following list:
The body text is selected from the following list:
The attachment name is selected from the following list:
The attachment can also be sent in a ZIP or TGZ archive. Please note that the above message, texts and attachment names were modified to change obscene words.
The second type of message sent by the Nyxem worm looks as follows:
The worm can use different colors and font types for the above message.
The subject of this second message type is:
The file attachment name is
The worm's main executable, FIX_BLACKWORM.COM, may be attached by itself to the email message, or may be embedded in the SCAN.ZIP archive or SCAN.TGZ file attachments.
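A mail-gateway style check for the delivery forms described above, as an added example that is not part of the original description: it flags an executable attached directly or sitting one level inside a ZIP or TGZ attachment. It generalizes beyond the single file name on the page to any executable extension; the extension list beyond .COM and .SCR, the function names and the sample messages are assumptions constructed for illustration.

```python
import io, tarfile, zipfile
from email import message_from_bytes
from email.message import EmailMessage

# .com and .scr come from the page; the other extensions are an added assumption.
EXEC_EXTS = (".com", ".scr", ".exe", ".pif", ".bat")

def archive_members(name, data):
    """Return member names of a ZIP or TGZ attachment, [] if it is neither or unreadable."""
    try:
        if name.lower().endswith(".zip"):
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                return zf.namelist()
        if name.lower().endswith((".tgz", ".tar.gz")):
            with tarfile.open(fileobj=io.BytesIO(data), mode="r:gz") as tf:
                return tf.getnames()
    except (zipfile.BadZipFile, tarfile.TarError, OSError, EOFError):
        pass  # corrupt or mislabelled archive: nothing to list
    return []

def suspicious_attachments(raw_message):
    """List (attachment name, executable name) pairs, direct or one archive level deep."""
    hits = []
    for part in message_from_bytes(raw_message).walk():
        name = part.get_filename()
        if name:
            data = part.get_payload(decode=True) or b""
            names = [name] + archive_members(name, data)
            hits += [(name, n) for n in names if n.lower().endswith(EXEC_EXTS)]
    return hits

def build_sample(filename, member=None):
    """Constructed message with one attachment: placeholder bytes, or a ZIP/TGZ holding `member`."""
    body, buf = b"placeholder", io.BytesIO()
    if member and filename.lower().endswith(".zip"):
        with zipfile.ZipFile(buf, "w") as zf:
            zf.writestr(member, body)
    elif member:
        with tarfile.open(fileobj=buf, mode="w:gz") as tf:
            info = tarfile.TarInfo(member)
            info.size = len(body)
            tf.addfile(info, io.BytesIO(body))
    else:
        buf.write(body)
    msg = EmailMessage()
    msg.set_content("constructed body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="octet-stream", filename=filename)
    return msg.as_bytes()
```

Nested archives and password-protected ZIP contents are outside what this check inspects.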
The worm contains two DLL files and one GIF file. One of the DLL files is an external SMTP engine that the worm uses to send the email messages to selected victims once they have been constructed; the other DLL is used to perform the worm's DoS attack.
The GIF file is added to the beginning of the constructed email message to make the recipient think it was scanned by Norton Anti-Virus:
The worm can spread via the local network to computers that have open shares with write access enabled. The worm enumerates network shares and copies itself there with one of its hardcoded names.
When that SCR file is run on a remote computer, it becomes infected. Additionally, the worm's file can appear in the root folder of a local hard drive if it is shared.
Date Created: 2006-01-01 16:32:13.0
Date Last Modified: 2010-07-15 10:48:03.0