Threat Description



Aliases: W32.Blackmal.E@mm, Kama Sutra, Email-Worm.Win32.Nyxem.e, W32/MyWife.d@MM
Category: Malware
Type: Email-Worm
Platform: W32


A standalone malicious program which uses computer or network resources to make complete copies of itself.


<strong>Disinfection Utility</strong><br /><br />F-Secure's F-Force disinfection program can be used to clear a Nyxem.E infection. The tool can be downloaded from our web and ftp sites:<br /><br /> <ul> <li><a href=""></a></li> <li><a href=""></a></li> </ul> <br />The utility is distributed only in a ZIP archive that contains the following files: <br /> <br /> <ul> <li> f-force.exe - the main executable file</li> <li> eult.rtf - End User License Terms document </li> <li> readme.rtf - Readme file in RTF format </li> <li> readme.txt - Readme file in ASCII format </li> </ul> <strong><br /></strong>To unpack the archive please use the <a href="">WinZip</a> or similar archiver.<br /><br /><strong>IMPORTANT! </strong><strong>Please make sure that you read the End User License Terms document (Eult.rtf) and the Readme file (either Readme.txt or Readme.rtf) before using the F-Force utility!</strong><br /><br />The F-Force utility needs the archive with the latest updates in order to function properly. The archive's name is <strong>LATEST.ZIP</strong> and it should be downloaded and put into the same folder where the F-Force utility is located. This archive with the latest updates can be downloaded from these locations:<br /> <br /> <ul> <li><a href=""></a></li> <li><a href=""></a></li> </ul> <br />Please note that the F-Force utility can disinfect only certain malicious programs. Besides the utility does not scan inside archives. So after cleaning a computer with the F-Force utility it is recommended to scan all hard drives with F-Secure Anti-Virus and the latest updates to make sure that no infected files remain there.

Technical Details

Worm:W32/Nyxem.E is a worm that also tries to spread via network shares. It also tries to disable security-related and file sharing software as well as destroys files of certain types. <br /><br />Nyxem.E is similar to<br /><br />The worm has the following text strings in its body:<br /> <br /> <ul> <li> mysoulmustfly</li> <li> offlinehacker</li> <li> evilpain</li> <li> setthesun</li> </ul> <br />Nyxem.E is written in Visual Basic and is compiled as p-code. The size of the main executable is about 95 kilobytes. <br /><br /><br /><strong>Installation</strong><br /><br />When the worm's file is run, it first opens WinZip as a decoy. It may also block keyboard and mouse&nbsp; input to force the user to press CTRL + ALT + DEL and log off.<br /><br />During the installation phase the worm copies its file to several locations:<br /><br /> <ul> <li>%Windows%\rundll16.exe</li> <li>%System%\scanregw.exe</li> <li>%System%\Update.exe</li> <li>%System%\Winzip.exe</li> </ul> <br />where '%Windows%' indicates the main Windows folder (usually C:\WINDOWS\) and '%System%' is the Windows System folder.<br /><br /><br /><strong>Payload</strong><br /> <br /> The worm has a dangerous payload. If the date is equal to 3 (3rd of February, 3rd of March, etc) and the worm's UPDATE.EXE file is run, it destroys files with those extensions on all available drives:<br /> <br /> <ul> <li>.doc</li> <li>.xls</li> <li>.mdb</li> <li>.mde</li> <li>.ppt</li> <li>.pps</li> <li>.zip</li> <li>.rar</li> <li>.pdf</li> <li>.psd</li> <li>.dmp</li> </ul> <br /> The files' contents are replaced with a text string &quot;DATA Error [47 0F 94 93 F4 K5]&quot;. <br /><br />The payload is activated 30 minutes after the worm's file UPDATE.EXE is loaded into memory (basically 30 minutes after logon). <br /><br />When the payload is activated, the worm enumerates all logical drives and damages files on them in a loop. It should damage files on all drives that have a letter. Files on local and removable drives (including USB memory) are also damaged. This should also apply to network drives, but during testing the worm failed to do affect them. <br /> <br /> The worm attempts to disable several security-related and file sharing programs. It deletes startup key values from the Registry if they contain any of the following:<br /> <br /> <ul> <li>NPROTECT</li> <li>ccApp</li> <li>ScriptBlocking</li> <li>MCUpdateExe</li> <li>VirusScan Online</li> <li>MCAgentExe</li> <li>VSOCheckTask</li> <li>McRegWiz</li> <li>CleanUp</li> <li>MPFExe</li> <li>MSKAGENTEXE</li> <li>MSKDetectorExe</li> <li>McVsRte</li> <li>PCClient.exe</li> <li>PCCIOMON.exe</li> <li>pccguide.exe</li> <li>Pop3trap.exe</li> <li>PccPfw</li> <li>PCCIOMON.exe</li> <li>tmproxy</li> <li>McAfeeVirusScanService</li> <li>NAV Agent</li> <li>PCCClient.exe</li> <li>SSDPSRV</li> <li>rtvscn95</li> <li>defwatch</li> <li>vptray</li> <li>ScanInicio</li> <li>APVXDWIN</li> <li>KAVPersonal50</li> <li>kaspersky</li> <li>TM Outbreak Agent</li> <li>AVG7_Run</li> <li>AVG_CC</li> <li>Avgserv9.exe</li> <li>AVGW</li> <li>AVG7_CC</li> <li>AVG7_EMC</li> <li>Vet Alert</li> <li>VetTray</li> <li>OfficeScanNT Monitor</li> <li>avast!</li> <li>DownloadAccelerator</li> <li>BearShare</li> </ul> <br /> The following startup Registry keys are affected:<br /> <br /> <ul> <li>[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]</li> <li>[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]</li> <li>[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]</li> </ul> <br />The worm deletes files from the following subfolders in the Program Files folder:<br /> <br /> <ul> <li>\DAP\*.dll</li> <li>\BearShare\*.dll</li> <li>\Symantec\LiveUpdate\*.*</li> <li>\Symantec\Common Files\Symantec Shared\*.*</li> <li>\Norton AntiVirus\*.exe</li> <li>\Alwil Software\Avast4\*.exe</li> <li>\\VSO\*.exe</li> <li>\\Agent\*.*</li> <li>\\shared\*.*</li> <li>\Trend Micro\PC-cillin 2002\*.exe</li> <li>\Trend Micro\PC-cillin 2003\*.exe</li> <li>\Trend Micro\Internet Security\*.exe</li> <li>\NavNT\*.exe</li> <li>\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl</li> <li>\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe</li> <li>\Grisoft\AVG7\*.dll</li> <li>\TREND MICRO\OfficeScan\*.dll</li> <li>\Trend Micro\OfficeScan Client\*.exe</li> <li>\LimeWire\LimeWire 4.2.6\LimeWire.jar</li> <li>\Morpheus\*.dll</li> </ul> <br /> In addition the worm reads location of certain programs from Windows Registry and deletes certain files in these locations. The affected software is:<br /> <br /> <ul> <li>VirusProtect6</li> <li>Norton AntiVirus</li> <li>Kaspersky Anti-Virus Personal</li> <li>Iface.exe</li> <li>Panda Antivirus 6.0 Platinum</li> </ul> <br />The worm also closes application windows that have the following strings in their captions:<br /> <br /> <ul> <li>SYMANTEC</li> <li>SCAN</li> <li>KASPERSKY</li> <li>VIRUS</li> <li>MCAFEE</li> <li>TREND MICRO</li> <li>NORTON</li> <li>REMOVAL</li> <li>FIX</li> </ul> <br /> For some reason the worm adds several license keys to the Registry. Most of them seem to belong to VB6 controls. Also the worm makes changes to the registry.<br /> <br /> The worm can modify Active Desktop files in order to launch another copy of itself named 'WinZip_Tmp.exe' using the ActiveX control.<br /> <br /><br /><strong>Infection Counter</strong><br /><br /> Whenever the worm infects a computer it opens a web browser on a certain webpage. This increments an <strong>infection counter</strong> on that webpage. <br /><br />We were contacted by the organization that runs the site with that counter. They informed us that the counter readings were not accurate. There were multiple hits from the same IPs to the counter. <br /><br />According to the latest information we received, the number of hits from unique IPs is over 300000 which is still quite big.<br /> <br /><br /><strong>Propagation (E-mail)</strong><br /><br />The worm collects e-mail addresses from files with following extensions:<br /><br /> <ul> <li>.HTM</li> <li>.DBX</li> <li>.EML</li> <li>.MSG</li> <li>.OFT</li> <li>.NWS</li> <li>.VCF</li> <li>.MBX</li> <li>.IMH</li> <li>.TXT</li> <li>.MSF</li> </ul> <br /><br />The worm searches for files with these extensions in Internet Explorer cache folders. E-mail addresses that have any of the following substrings are ignored by the worm:<br /><br /> <ul> <li>SYMANTEC</li> <li>MCAFEE</li> <li>VIRUS</li> <li>TREND</li> <li>PANDA</li> <li>SECUR</li> <li>SPAM</li> <li>NORTON</li> <li>ANTI</li> <li>CILLIN</li> <li>CA.COM</li> <li>KASPER</li> <li>TRUST</li> <li>AVG</li> <li>GROUPS.MSN</li> <li>NOMAIL.YAHOO.COM</li> <li>SCRIBE</li> <li>EEYE</li> <li>MICROSOFT</li> <li>@HOTMAIL</li> <li>@HOTPOP</li> <li>@YAHOOGROUPS</li> </ul> <br />The worm sends itself as attachment in the infected e-mail. The e-mail subject can be one the following:<br /><br /> <ul> <li>The Best Videoclip Ever</li> <li>School girl fantasies gone bad</li> <li>A Great Video</li> <li>Fuckin Kama Sutra pics</li> <li>Arab sex DSC-00465.jpg</li> <li>give me a kiss</li> <li>*Hot Movie*</li> <li>Fw: Funny :)</li> <li>Fwd: Photo</li> <li>Fwd: image.jpg</li> <li>Fw: Sexy</li> <li>Re:</li> <li>Fw:</li> <li>Fw: Picturs</li> <li>Fw: DSC-00465.jpg</li> <li>Word file</li> <li>eBook.pdf</li> <li>the file</li> <li>Part 1 of 6 Video clipe</li> <li>You Must View This Videoclip!</li> <li>Miss Lebanon 2006</li> <li>Re: Sex Video</li> <li>My photos</li> </ul> <br />The message body may be one of the following:<br /><br /> <ul> <li>Note: forwarded message attached.</li> <li>Hot XXX Yahoo Groups</li> <li>F*ckin Kama Sutra pics</li> <li>ready to be F*CKED ;)</li> <li>forwarded message attached.</li> <li>VIDEOS! FREE! (US$ 0,00)</li> <li>Please see the file.</li> <li>&gt;&gt; forwarded message<br />&nbsp;&nbsp;&nbsp; ----- forwarded message -----<br />&nbsp;&nbsp; i just any one see my photos. It's Free :)<br />&nbsp;&nbsp; how are you?<br />&nbsp;&nbsp; i send the details.<br />&nbsp;&nbsp; OK ?</li> </ul> <br />The worm usually attached itself to e-mail messages as an executable file. It uses one the following names in attachment:<br /><br /> <ul> <li>007.pif</li> <li>School.pif</li> <li>04.pif</li> <li>photo.pif</li> <li>DSC-00465.Pif</li> <li>image04.pif</li> <li>677.pif</li> <li>New_Document_file.pif</li> <li>eBook.PIF</li> <li>document.pif</li> <li>DSC-00465.pIf</li> </ul> <br />Sometimes, the worm MIME-encodes the file. In these cases, the attachment name can be<br />one of the following:<br /><br /> <ul> <li>Video_part.mim</li> <li>Attachments00.HQX</li> <li>Attachments001.BHX</li> <li>Attachments[001].B64</li> <li>3.92315089702606E02.UUE</li> <li>SeX.mim</li> <li>Sex.mim</li> <li>Original Message.B64</li> <li>WinZip.BHX</li> <li>eBook.Uu</li> <li>Word_Document.hqx</li> <li>Word_Document.uu</li> </ul> <br />The filename inside MIME-encoding is one of the following:<br /><br /> <ul> <li>New Video,zip .sCr</li> <li>Attachments,zip .SCR</li> <li>Atta[001],zip .SCR</li> <li>Clipe,zip .sCr</li> <li>WinZip,zip .scR</li> <li>Adults_9,zip .sCR</li> <li>Photos,zip .sCR</li> <li>Attachments[001],B64 .sCr</li> <li>392315089702606E-02,UUE .scR</li> <li>SeX,zip .scR</li> <li> .sCR</li> <li> .sCR</li> <li> .sCR</li> </ul> <br /><br /><br /><strong>Propagation (Network Shares)</strong><br /><br />The worm has several network spreading routines. One of them enumerates all available shares, then reads the values of the following registry keys:<br /><br /> <ul> <li>[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]<br />&nbsp;&nbsp;&nbsp; &quot;Recent&quot;<br />&nbsp;&nbsp;&nbsp; &quot;Personal&quot;</li> </ul> <br />The above registry key values point to user's folders where personal documents and recently opened files are stored. <br /><br />If a matching folder is found, the worm opens it, enumerates files there, &quot;borrows&quot; one randomly selected file name and adds an EXE extension to it. Then the worm copies itself to network shares using the newly created name. <br /><br />If the worm does not find any files in those folders, it copies itself to network shares with the following names:<br /><br /> <ul> <li>New WinZip File.exe</li> <li>Zipped Files.exe</li> <li>movies.exe</li> </ul> <br />The other network spreading routine searches for specific network shares and tries to copy itself using one of the following filenames:<br /><br /> <ul> <li>\Admin$\WINZIP_TMP.exe</li> <li>\c$\WINZIP_TMP.exe</li> <li>\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe</li> </ul> <br />At the same time the worm deletes the following file:<br /><br /> <ul> <li>\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk</li> </ul> <br />Before spreading the worm checks whether a remote computer has any of the following folders and if it does, the worm tries to delete all files from that folder:<br /><br /> <ul> <li>\C$\Program Files\Norton AntiVirus</li> <li>\C$\Program Files\Common Files\symantec shared</li> <li>\C$\Program Files\Symantec\LiveUpdate</li> <li>\C$\Program Files\\VSO</li> <li>\C$\Program Files\\Agent</li> <li>\C$\Program Files\\shared</li> <li>\C$\Program Files\Trend Micro\PC-cillin 2002</li> <li>\C$\Program Files\Trend Micro\PC-cillin 2003</li> <li>\C$\Program Files\Trend Micro\Internet Security</li> <li>\C$\Program Files\NavNT</li> <li>\C$\Program Files\Panda Software\Panda Antivirus Platinum</li> <li>\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal</li> <li>\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro</li> <li>\C$\Program Files\Panda Software\Panda Antivirus 6.0</li> <li>\C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus</li> </ul> <br />The worm also creates a scheduled task to run the worm's files on remote computer with system priviledges at the 59th minute of the current hour.<br /><br /><span class="r"></span> <h4>Detection</h4> <div>F-Secure Anti-Virus detects this malware with the following updates:<br /><br />[FSAV_Database_Version]<br />Version = 2006-01-20_01.</div>

Description Created: 2006-01-20 12:08:48.0

Description Last Modified: 2010-07-23 09:01:36.0


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now