Beware!: Kama Sutra/Blackworm Worm Timebomb |
There is a new mass-mailing worm that has been infecting many users. It goes by several different names, but it is best known as Blackworm or Kama Sutra. On February 3rd, this worm is scheduled to overwrite the following file types with bogus data:
*.DOC
*.XLS
*.MDE
*.MDB
*.PPT
*.PPS
*.RAR
*.PDF
*.PSD
*.DMP
*.ZIP
Feb 3rd is just the beginning, because the worm is scheduled to activate on the 3rd of every month. Once a machine is infected, the worm visits a web page at rcn.net to increment a counter. In theory, this counter displays the number of infections. As of this article, that counter states:
Other names exist for this worm in addition to Blackworm and Kama Sutra (each vendor assigns its own): Blackmal, Nyxem, MyWife, Tearec. For an up-to-date listing of names, check CME-24. Currently the worm is listed there as:
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A
Update your antivirus!
Microsoft has a page for manual removal of this worm. As a side note, this worm also spreads via network shares!
The following operating systems are affected:
Windows 2000
Windows XP
Windows Server 2003
Windows ME
Windows 98
This worm also deletes a large number of security and file-sharing related files. Here is just a sample:
%ProgramFiles%\DAP\*.dll
%ProgramFiles%\BearShare\*.dll
%ProgramFiles%\Symantec\LiveUpdate\*.*
%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
%ProgramFiles%\Norton Antivirus\*.exe
%ProgramFiles%\Alwil Software\Avast4\*.exe
%ProgramFiles%\McAfee.com\Agent\*.*
%ProgramFiles%\McAfee.com\shared\*.*
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
%ProgramFiles%\Trend Micro\Internet Security\*.exe
%ProgramFiles%\NavNT\*.exe
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%ProgramFiles%\Grisoft\AVG7\*.dll
%ProgramFiles%\TREND MICRO\OfficeScan\*.dll
%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar
%ProgramFiles%\Morpheus\*.dll
The following active windows will be closed if you are infected:
SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL
FIX
What should you do if you're infected? The following resources are recommended:
http://safety.live.com/
http://beta.windowsonecare.com/
W32.Blackmal@mm Removal Tool (read the instructions before using the tool); Download Removal Tool
BleedingSnort has Snort rules you can use for detection (and for checking whether someone on your network is infected):
# Nyxem-D
#Submitted 2006-01-17 by Mark Tombaugh the worm man
#alert tcp $EXTERNAL_NET any -> $HOME_NET 25 (msg:"BLEEDING-EDGE VIRUS W32.Nyxem-D SMTP inbound"; flow:established,to_server; content:"YmVnaW4gNjY0I"; content:"ICAgICAgICAgICAgICAgICAgICAgICA"; distance:31; within:31; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32nyxemd.html; sid: 2002779; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET 25 (msg:"BLEEDING-EDGE VIRUS W32.Nyxem-D SMTP outbound"; flow:established,to_server; content:"YmVnaW4gNjY0I"; content:"ICAgICAgICAgICAgICAgICAgICAgICA"; distance:31; within:31; classtype:trojan-activity; reference:url,www.sophos.com/virusinfo/analyses/w32nyxemd.html; sid: 2002778; rev:1;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm/Nyxem infection)"; content:"GET /cgi-bin/Count.cgi?"; depth:23; content:"df="; within:20; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:2002788; rev:2;)
alert tcp $HOME_NET any -> $EXTERNAL_NET $HTTP_PORTS (msg:"BLEEDING-EDGE VIRUS Agentless HTTP request to www.microsoft.com (possible BlackWorm/Nyxem infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|";classtype:misc-activity; sid:2002789; rev:1;)
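The three Bleeding rules above, re-implemented as plain Python checks that can be run over captured SMTP and HTTP payloads offline. This is an added example, not code from BleedingSnort or from the original post; the sample payloads are constructed (the counter file name df=EXAMPLE.dat is a placeholder), and the checks mirror the rules' content/depth/within/distance options rather than a full Snort engine.

```python
# The exact 92-byte request from the "Agentless HTTP request to www.microsoft.com"
# rule (dsize:92 plus the full fixed content).
AGENTLESS_MS_REQUEST = (
    b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
    b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
)
# From the SMTP rules: base64 of "begin 664 " (a uuencoded attachment header)
# followed, exactly 31 bytes after it ends, by base64-encoded padding spaces.
UUENCODE_B64 = b"YmVnaW4gNjY0I"
SPACES_B64 = b"ICAgICAgICAgICAgICAgICAgICAgICA"


def http_indicators(payload: bytes) -> list:
    """Return the HTTP-rule descriptions that one client->server payload matches."""
    hits = []
    # sid:2002788 - Count.cgi hit on webstats.web.rcn.net with no Referer header.
    if (payload.startswith(b"GET /cgi-bin/Count.cgi?")        # content at offset 0, depth:23
            and b"df=" in payload[23:23 + 20]                   # "df=" within:20 of it
            and b"Host: webstats.web.rcn.net" in payload
            and b"Referer:" not in payload):                    # content:!"Referer|3a|"
        hits.append("rcn.net counter request without referrer")
    # sid:2002789 - payload must be exactly the fixed 92-byte request.
    if len(payload) == 92 and payload == AGENTLESS_MS_REQUEST:
        hits.append("agentless request to www.microsoft.com")
    return hits


def smtp_indicator(payload: bytes) -> bool:
    """sid:2002778/2002779 - UUENCODE_B64, then SPACES_B64 starting exactly
    distance:31 bytes after the end of the first match (within:31)."""
    idx = payload.find(UUENCODE_B64)
    if idx < 0:
        return False
    start = idx + len(UUENCODE_B64) + 31
    return payload[start:start + len(SPACES_B64)] == SPACES_B64


# Constructed sample payloads for a local run; none of these are real captures.
COUNTER_HIT = (b"GET /cgi-bin/Count.cgi?df=EXAMPLE.dat HTTP/1.1\r\n"
               b"Host: webstats.web.rcn.net\r\n\r\n")
COUNTER_WITH_REFERER = COUNTER_HIT.replace(
    b"\r\n\r\n", b"\r\nReferer: http://example.invalid/\r\n\r\n")
# 31 bytes of filler stand in for the base64-encoded filename between the two strings.
SMTP_SAMPLE = b"Content-Transfer-Encoding: base64\r\n\r\n" + UUENCODE_B64 + b"X" * 31 + SPACES_B64

if __name__ == "__main__":
    print(http_indicators(COUNTER_HIT), http_indicators(AGENTLESS_MS_REQUEST), smtp_indicator(SMTP_SAMPLE))
```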
Related: sunbelt, lurhq, securiteam, f-secure, symantec, isc
By the end of this article, you can see how far the counter has increased: