Welcome, Guest. Please login or register.

Login with username, password and session length




October 04, 2024, 06:21:38 AM
Funfani.com - Spreading Fun All Over!GENERALLY GENERALNews / Announcements / Requests / SuggestionsSite AnnouncementsPlease Read Very Important - 3 February
Pages: [1]   Go Down
Print
Author Topic: Please Read Very Important - 3 February  (Read 3051 times)
0 Members and 1 Guest are viewing this topic.
Vatsal
Administrator
FF Trailblazer
*****

Karma: 109
Offline Offline

Gender: Male
Posts: 2218



WWW
« on: February 06, 2006, 06:37:53 AM »

Nyxem-E is also known as the Blackmal, MyWife, Grew and CME-24 virus.

PC users have been urged to scan their computers before 3 February to avoid falling victim to a destructive virus.
On that date the Nyxem virus is set to delete Word, Powerpoint, Excel and Acrobat files on infected machines.
Nyxem is thought to have caught out many people by promising porn to those who open the attachments on e-mail messages carrying the virus.
Anti-virus companies have stopped lots of copies, suggesting it had infected a large number of computers.
 
Porn peril
 
The Nyxem-E Windows virus first emerged on 16 January and has been steadily racking up victims ever since. Nyxem-E is also known as the Blackmal, MyWife, Kama Sutra, Grew and CME-24 virus.
 
Helpfully, the virus reports every fresh infection back to an associated website which displays the total via a counter. Late last week the counter was reporting millions of infections, but detective work by security firm Lurhq found that many of these reports were bogus.
             
SAMPLE SUBJECT LINES
Fw: Funny Smiley
Fw: Picturs
*Hot Movie*
Fw: SeX.mpg
Re: Sex Video
Miss Lebanon 2006
School girl fantasies gone bad
However, Lurhq reported that more than 300,000 machines are known to have fallen victim to Nyxem-E.
Like many recent viruses, Nyxem tries to spread by making people open attachments on e-mail messages that are infected with the destructive code.
The subject lines and body text of the various messages Nyxem uses vary, but many falsely claim that pornographic videos and pictures are in the attachments.
On infected machines the virus raids address books to find e-mail addresses to send itself to.
The virus also tries to spread by searching for machines on the same local network as any computer it has compromised.
Unlike many recent viruses Nyxem is set to overwrite 11 different types of file on infected machines on the third of every month. The list of files to be over-written includes the most widely used sorts of formats.

NYXEM FILE TARGETS
DMP - Oracle files
DOC - Word document
MDB - Microsoft Access
MDE - Microsoft Access/Office
PDF - Adobe Acrobat
PPS - PowerPoint slideshow
PPT - PowerPoint
PSD - Photoshop
RAR - Compressed archive
XLS - Excel spreadsheet
ZIP - Compressed file
Separately, the virus also tries to disable anti-virus software to stop it updating and can also disable the mouse and keyboard on infected machines.
 
Users were being urged to update anti-virus software and to scan their system to ensure they had not been caught out. Many anti-virus firms have also produced tools that help clean up infected systems.
 
Jason Steer, technical consultant at mail filtering firm Ironport, said Nyxem was a throwback to the types of viruses that used to circulate in the early days of computer networks.
 
"If you go back 10-15 years ago viruses tended to quite malicious," he said. "They were going to re-format your hard disk, delete files and so on."
 
Pete Simpson, threat lab manager at security firm Clearswift, said: "It's a bit puzzling because script kiddies have largely left the scene.
 
"It shows a certain intelligence in its design but what's the motive?" he asked, "Pure vandalism does not ring true these days."  

Both Mr Steer and Mr Simpson feared that home users would be hardest hit by Nyxem on 3 February.
Most businesses, they said, now have regularly updated anti-virus systems in place and disinfect e-mail traffic before it reaches users' desktops.
 
By contrast many home users did not regularly patch Windows, update anti-virus or perform full system scans to ensure their machine stays clean. Users were also encouraged to make regular back-ups of any files they want to preserve.

< style="font-weight: bold;">Technical Analysis  

Win32/Mywife.E@mm spreads as an attachment to mails or over network shares. It can create numerous copies of itself with names such as "WinZip,zip<multiple spaces>.scr" and "Photos,zip<multiple spaces>.exe". The worm disguises the copies in two ways to make it appear that they are not executable files. First, the icon for the file resembles the WinZip icon. Second, the file can have a double extension. The first extension may indicate a multimedia file, such as .mp3 or .wav. The second extension indicates an executable file, but there may be so many spaces between the two extensions that the second extension is not readily visible in a file list. The mail body mentions pictures from the Kama Sutra.

The worm adds data to the registry so that the worm runs each time Windows starts. This is done by adding the value "ScanRegistry scanregw.exe /scan" under the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
The worm continually refreshes the registry with this data in case the data is changed.
The worm modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts. It deletes  product keys from the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
The list of product keys is:
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
PCCIOMON.exe (it is in the list twice)
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare
 
The worm deletes a large number of security and file-sharing related files:
%ProgramFiles%\DAP\*.dll
%ProgramFiles%\BearShare\*.dll
%ProgramFiles%\Symantec\LiveUpdate\*.*
%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
%ProgramFiles%\Norton Antivirus\*.exe
%ProgramFiles%\Alwil Software\Avast4\*.exe
%ProgramFiles%\McAfee.com\Agent\*.*
%ProgramFiles%\McAfee.com\shared\*.*
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
%ProgramFiles%\Trend Micro\Internet Security\*.exe
%ProgramFiles%\NavNT\*.exe
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%ProgramFiles%\Grisoft\AVG7\*.dll
%ProgramFiles%\TREND MICRO\OfficeScan\*.dll
%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar
%ProgramFiles%\Morpheus\*.dll
 
The worm reads folder locations and delete files with the following registry values / file patterns:
HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Home Directory - (*.exe)
HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps\NAV - (*.exe)
HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal\Folder - (*.exe, *.*)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe\Path - (*.ppl, *.exe)
HKEY_LOCAL_MACHINE\Sofware\KasperskyLab\Components\101\Folder - (*.exe)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum\InstallLocation - (*.exe)
 
Win32/Mywife.E can spread by copying itself to writeable network shares. It also spreads by sending a copy or archive of itself as an attachment to e-mail addresses found on the infected computer. The attachments are encoded using MIME, UUENCODE or BASE64 encoding, and have names such as Attachments00.HQX, Video_part.mim, SeX.mim, OriginalMessage.B64, etc.  The encoded files within these attachments have names such as SeX,zip<spaces>.scR, Atta[001],zip]<spaces>.SCR, New Video,zip<spaces>.sCr, etc.
 
The worm closes any active window (in the foreground) whose title contains any of the following strings (case insensitive):
SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL
FIX
 
On the third day of every month the worm resets the content of files with specific extension. It searches for files on the hard disk with the following extensions and replaces their contents with "DATA Error [47 0F 94 93 F4 K5]":
*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp
 
The first time the worm will corrupt the content of those files is on February 3rd, 2006.
The worm locates computers on the network using the network API calls WNetOpenEnum and WNetEnumResource.
It attempts to connect to each machine that it finds as the user "Administrator" with the password "" (blank).  It does this via command line, executing the command 'Net Use \\<machinename> /User:Administrator ""'
It then uses the administrative C$ share to check for the existence of the following folders on the machine, and attempts to delete any files within those folders.  Note that this will succeed if either the machine has a blank administrator password, or if the user's current credentials grant them access to the remote machine:
  < style="font-weight: bold;">
\C$\Program Files\Norton AntiVirus
\C$\Program Files\Common Files\symantec shared
\C$\Program Files\Symantec\LiveUpdate
\C$\Program Files\McAfee.com\VSO
\C$\Program Files\McAfee.com\Agent
\C$\Program Files\McAfee.com\shared
\C$\Program Files\Trend Micro\PC-cillin 2002
\C$\Program Files\Trend Micro\PC-cillin 2003
\C$\Program Files\Trend Micro\Internet Security
\C$\Program Files\NavNT
\C$\Program Files\Panda Software\Panda Antivirus Platinum
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
\C$\Program Files\Panda Software\Panda Antivirus 6.0
\C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus
 
the worm copies itself to the following locations on the remote machine:
\Admin$\WINZIP-TMP.exe (this is an administrative share of the Windows folder)
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\Winzip Quick Pick.exe
 
The worm uses the 'at' command to schedule execution of both \admin$\WINZIP_TMP.exe and \c$\WINZIP_TMP.exe on the remote machine at <currenthour>:59 (i.e. if it is currently 3:30am, the worm will execute at 3:59am).

How to Prevent Infection
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with unknown attachments.
Use strong passwords.
Remove unneeded network shares.
 
You can also use the Windows Safety Live Center to clean this threat: http://safety.live.com. Occasionally, the worm may close the windows that are launched by this site, if they are in the foreground. If that happens, try using this site again.
 
The February release of the Microsoft Windows Malicious Software Removal Tool will detect and clean this threat as well.

Report to moderator   Logged
Pages: [1]   Go Up
Print

Jump to: