Author Topic: Nyxem.E Bad Trojan, Bad bad bad!  (Read 537 times)
THEKATZ*{MEOW}*
« on: January 31, 2006, 07:52:28 AM »

How it all works and is installed on your system

Quote
Installation to system

Nyxem.E is written in Visual Basic and is compiled as p-code. The size of the main executable is about 95 kilobytes. When the worm's file is run, it first opens WinZip as a decoy. On our test systems it also blocked keyboard and mouse so the only option was to press CTRL + ALT + DEL and to log off.

During the installation phase the worm copies its file to several locations:

%Windows%\rundll16.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe

where '%Windows%' represents the main Windows folder. On Windows systems, it is usually the C:\WINDOWS\ folder. The '%System%' represents the Windows System folder.

The worm creates the following Registry key value for its file to activate itself on every system startup:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry" = "%System%\scanregw.exe /scan"


Spreading in e-mails

The worm collects e-mail addresses from files with following extensions:

.HTM
.DBX
.EML
.MSG
.OFT
.NWS
.VCF
.MBX
.IMH
.TXT
.MSF

The worm searches for files with these extensions in Internet Explorer cache folders. E-mail addresses that have any of the following substrings are ignored by the worm:

SYMANTEC
MCAFEE
VIRUS
TREND
PANDA
SECUR
SPAM
NORTON
ANTI
CILLIN
CA.COM
KASPER
TRUST
AVG
GROUPS.MSN
NOMAIL.YAHOO.COM
SCRIBE
EEYE
MICROSOFT
@HOTMAIL
@HOTPOP
@YAHOOGROUPS

The worm sends itself as an attachment in the infected e-mail. The e-mail subject can be one of the following:

The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
Fuckin Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Re:
Fw:
Fw: Picturs
Fw: DSC-00465.jpg
Word file
eBook.pdf
the file
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re: Sex Video
My photos

The worm has an interesting feature. When it infects a computer it opens a web browser on a certain webpage. This increments the counter on that webpage. We were contacted by the organization that runs the site with that counter. They informed us that the counter readings were not accurate. There were multiple hits from the same IPs to the counter. According to the information we received, the number of hits from unique IPs is over 262000 which is still quite big.
« Last Edit: February 03, 2006, 09:40:54 AM by THEKATZ »


Your fate is coming ~
It will arrive swiftly and you should pray
it will be merciful



Post your vids!  Please subscribe
http://www.youtube.com/user/THE1KATZ
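A host check for the persistence indicators in the description quoted above (the four dropped copies and the "ScanRegistry" Run value). This is an added example, not code from the post or from F-Secure; it assumes Python 3, reads the Run key only on Windows, and takes an injectable `exists` callable so the same logic can be exercised on constructed paths elsewhere.

```python
"""Host check for the Nyxem.E persistence indicators quoted in the post."""
import os
import re
import sys

# Indicators taken from the description quoted above.
DROPPED_FILES = [
    ("%Windows%", "rundll16.exe"),
    ("%System%", "scanregw.exe"),
    ("%System%", "Update.exe"),
    ("%System%", "Winzip.exe"),
]
RUN_VALUE_NAME = "ScanRegistry"
# Require the "/scan" switch from the quoted Run value: on Windows 9x the
# Registry Checker legitimately autostarts as "%Windows%\scanregw.exe /autorun".
RUN_VALUE_RE = re.compile(r"scanregw\.exe\s+/scan\s*$", re.IGNORECASE)


def check_run_values(run_values):
    """Return (name, command) pairs in the Run key matching the worm's autostart entry.
    `run_values` maps value name -> command string."""
    return [(name, cmd) for name, cmd in run_values.items()
            if name.lower() == RUN_VALUE_NAME.lower() and RUN_VALUE_RE.search(cmd)]


def check_dropped_files(windows_dir, system_dir, exists=os.path.exists):
    """Return the paths of the worm's dropped copies that are present.
    `exists` is injectable so the logic can be exercised on constructed data."""
    found = []
    for location, name in DROPPED_FILES:
        base = windows_dir if location == "%Windows%" else system_dir
        path = os.path.join(base, name)
        if exists(path):
            found.append(path)
    return found


def read_run_key():
    """Enumerate HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run on a live Windows host."""
    if sys.platform != "win32":
        return {}  # nothing to read on other platforms
    import winreg  # Windows-only module
    values = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        for i in range(winreg.QueryInfoKey(key)[1]):  # [1] = number of values
            name, data, _ = winreg.EnumValue(key, i)
            values[name] = str(data)
    return values


if __name__ == "__main__":
    win = os.environ.get("SystemRoot", r"C:\WINDOWS")
    print("Run key hits:", check_run_values(read_run_key()))
    print("Dropped files:", check_dropped_files(win, os.path.join(win, "system32")))
```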

THEKATZ*{MEOW}*
« Reply #1 on: January 31, 2006, 08:19:16 AM »

Apart from the usual removal of any virus, please be aware that although System Restore is a great Windows feature, it also locks in things you may not want, such as a virus of this caliber.

Please read the following. Remember to only do this as a temporary measure and to turn Windows Restore back on after a clean sweep with your AV program.

Read Here

Note - Once you shut down Windows Restore, you lose all previous restore points.
« Last Edit: January 31, 2006, 09:34:03 AM by THEKATZ »

BigBruzer*{MEOW}*
« Reply #2 on: February 02, 2006, 12:33:16 PM »

Thank you Tk, my fingers are crossed.
INSTINCT
« Reply #3 on: February 02, 2006, 02:31:11 PM »

Here's a good little tool to have on hand. Check back often as it will update,
and it's free.


http://vil.nai.com/vil/stinger/
Felix*{MEOW}*
« Reply #4 on: February 02, 2006, 11:24:16 PM »

This was from my ISP

Dear Valued Customer,

We have recently learned about a new virus, called Blackworm, that is scheduled to be released early tomorrow. This virus is also known by the following names: Nyxem, Kapser.A, and Kama Sutra. Following is some additional information about this particular virus:

Virus Description:

Blackworm is a mass-mailing virus that attempts to spread via email. Infected computers will send out copies of the virus as attachments via email-addresses that are collected from the computer. This virus has its own email engine and it can send out emails even if you are not running an email program.

This isn't a one-time deal either.

If the virus is executed on the 3rd day of every month, it will destroy all files with the following extensions by overwriting the file: *.doc , *.xls , *.mdb , *.mde , *.ppt , *.pps , *.zip , *.rar , *.pdf , *.psd, *.dmp. IMPORTANT NOTE: the potential for this virus to destroy your user data as outlined above is what makes it of particular concern.

Here's a link to a removal tool: scroll to the bottom of the page and get it there.
It would be a good idea to bookmark the page for further updates on the virus
and variants of it. It would be a good idea to bookmark Stink's link as well.


http://www.symantec.com/avcenter/global/index.html
THEKATZ*{MEOW}*
« Reply #5 on: February 03, 2006, 09:13:18 AM »

Notice it states that it overwrites. That is a sure sign that the data will be totally unrecoverable.

I will say it again: if you are not running a full-time, behind-the-scenes anti-virus program that updates with current DAT files, you may wish you had.
THEKATZ*{MEOW}*
« Reply #6 on: February 03, 2006, 09:42:25 AM »

Here's a good little tool to have on hand. Check back often as it will update,
and it's free.


http://vil.nai.com/vil/stinger/

Thanks Instinct
« Last Edit: February 03, 2006, 09:43:25 AM by THEKATZ »