Description:
Additional Aliases:
- Email-Worm.Win32.Nyxem.e
- Email-Worm.Win32.VB.bi
- I-Worm.VB.bi
- Kama Sutra
- Nyxem.E
- Small.KI@mm
- W32/Grew.A!wm
- W32/Kapser.A@mm
- W32/MyWife.d@MM!M24
- W32/Nyxem-D
- W32/Small.KI
- W32/Tearec.A.worm
- W32/Tearec.A.worm!CME-24
- Win32.Blackmal.e
- Win32.Nyxem.F@mm
- Win32.VB.bi
- Win32/Blackmal.F!Worm
- Win32/Blackmal.F
- Win32/VB.NEI worm
- Win32:VB-CD [Wrm]
- Worm.P2P.VB.CIL!CME-24
- Worm.VB-8
- Worm.VB.bi
- Worm/KillAV.GR
For a one-glance, comprehensive view of this worm's behavior, refer to the Behavior Diagram shown below.
Malware Overview
This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it can send the said email messages without relying on other mailing applications, such as Microsoft Outlook.
It gathers email addresses from files with certain extension names or strings. Any gathered email address becomes the next target for propagation.
It is also capable of using strings taken from the gathered email addresses or from the subjects of email messages received by the affected user, and it reuses the same data for the details of the email messages it sends. It includes the generated string in the subject line. This routine gives the impression that the email message comes from a known and trusted source.
Moreover, this worm propagates through network shares. It does the said routine by searching the network for ADMIN$ and C$ shares, where it drops a copy of itself using the file name WINZIP_TMP.EXE.
It is also capable of dropping a copy of itself into all folders and drives on an affected system, including floppy drives. Thus, it is able to propagate via floppy disks as well.
Upon execution, it drops and opens a non-malicious .ZIP archive named SAMPLE.ZIP in the Windows system folder in an attempt to mask its malicious routines.
This worm deletes autostart registry entries, as well as associated files of several programs, most of which are related to security and antivirus applications. The said routines may cause referenced programs to malfunction, effectively making the affected system more vulnerable to further attacks.
It closes application windows with names containing certain strings.
In addition, it creates a scheduled task using Windows Task Scheduler on Windows NT, 2000, XP, and Server 2003 to execute itself at the 59th minute of the hour in which its copy is dropped.
This worm accesses the following Web site, which is unavailable as of this writing, to update an online counter of machines currently infected with this worm:
http://websta{BLOCKED}.net/cgi-bin/Count.cgi?df=765247
On the third day of every month, this worm overwrites all files with certain extension names 30 minutes after the affected system is restarted. It overwrites the said files with a certain string.
In addition, it is capable of disabling the mouse and keyboard of an affected system. The said routine renders the machine uncontrollable to the current user.
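The host artifacts described above (the WINZIP_TMP.EXE copy on ADMIN$ and C$ shares, the SAMPLE.ZIP decoy in the Windows system folder, the minute-59 scheduled task, and the third-of-the-month trigger) can be turned into a simple triage check. The following is an added example, not Trend Micro's code; the file listing and the `{"minute", "command"}` task-record shape are constructed for illustration and do not correspond to any real export format.

```python
"""Triage helper for the Nyxem.E / Kama Sutra host artifacts listed above.

Added example. Inputs are constructed: a flat file listing (as an inventory
or EDR export might provide) and scheduled-task records shaped as
{"minute": int, "command": str}; that record shape is an assumption.
"""
import ntpath
from datetime import datetime, timedelta

DROP_NAME = "winzip_tmp.exe"    # copy dropped on ADMIN$/C$ shares and drives
DECOY_NAME = "sample.zip"       # non-malicious archive opened to mask activity
SYSTEM_DIRS = ("windows\\system32", "winnt\\system32", "windows\\system")
TASK_MINUTE = 59                # the scheduled task fires at minute 59


def _norm(path):
    """Normalise separators and case so Windows paths compare reliably."""
    return path.replace("/", "\\").lower()


def check_files(paths):
    """Return (finding, path) pairs for the drop copy and the system-folder decoy."""
    findings = []
    for p in paths:
        n = _norm(p)
        base = ntpath.basename(n)
        if base == DROP_NAME:
            findings.append(("drop_copy", p))
        elif base == DECOY_NAME and any(d in n for d in SYSTEM_DIRS):
            findings.append(("decoy_archive", p))
    return findings


def check_tasks(tasks):
    """Flag tasks scheduled at minute 59 whose command runs the drop name."""
    return [("scheduled_task", t["command"]) for t in tasks
            if t.get("minute") == TASK_MINUTE and DROP_NAME in _norm(t.get("command", ""))]


def payload_window(now, boot_time):
    """True on the 3rd of the month once 30 minutes have passed since restart,
    i.e. the point at which the file-overwriting routine is described to run."""
    return now.day == 3 and (now - boot_time) >= timedelta(minutes=30)


SAMPLE_PATHS = [  # constructed listing; only the first three should be flagged
    r"\\fileserv01\ADMIN$\WINZIP_TMP.EXE",
    r"\\fileserv01\C$\WINZIP_TMP.EXE",
    r"C:\Windows\System32\SAMPLE.ZIP",
    r"C:\Users\alice\Downloads\sample.zip",   # decoy name outside the system folder
    r"C:\Windows\System32\notepad.exe",
]
SAMPLE_TASKS = [  # constructed task records
    {"minute": 59, "command": r"C:\WINZIP_TMP.EXE"},
    {"minute": 0, "command": r"C:\Windows\System32\backup.exe"},
]
```

An infected host that is still powered on during the third of the month should be isolated before the 30-minute mark after boot, which is what `payload_window` makes explicit.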
Description created: Jan. 16, 2006 6:23:21 AM GMT -0800