MyCERT Special Alert MA-101.012006: W32.Nyxem.D Worm


Original Issue Date: 24th January 2006

Introduction

MyCERT has received information from various reliable sources regarding the circulation of a worm and its variants, known as the W32.Nyxem.D worm (Sophos Anti-Virus naming). W32.Nyxem.D is a mass-mailing worm that also attempts to spread through network shares and lowers security settings on the machines it infects. Most anti-virus vendors have rated the W32.Nyxem.D worm as MEDIUM in risk assessment and MEDIUM in potential damage. The W32.Nyxem.D variant was first discovered on 17th January 2006 (UTC).

Based on the number of reports received, there is currently no strong evidence of widespread infection by the W32.Nyxem.D worm and its variants in our constituency. MyCERT nevertheless advises users and organizations to patch vulnerable systems and take the prevention actions provided below, to guard against infection by this worm and against future incidents that may target this vulnerability.

System Affected

  • Windows 2000
  • Windows 95
  • Windows 98
  • Windows Me
  • Windows NT
  • Windows Server 2003
  • Windows XP

Aliases

  1. W32/Nyxem-D [Sophos]
  2. W32.Blackmal.E [Symantec]
  3. WORM_GREW.{A, B} [Trend Micro]
  4. W32/MyWife.d@MM [McAfee]
  5. Email-Worm.Win32.Nyxem.e [F-Secure]
  6. Win32/Blackmal.F [Computer Associates]
  7. W32/Small.KI@mm [Norman]
  8. Tearec.A [Panda Software]

Payload

  1. Turns off anti-virus applications
  2. Sends itself to email addresses found on the infected computer
  3. Deletes files off the computer
  4. Forges the sender's email address
  5. Uses its own emailing engine
  6. Downloads code from the internet
  7. Reduces system security
  8. Installs itself in the Registry

Brief Description

Brief Technical Details of W32.Nyxem.D (extracted from Sophos Anti-Virus)

W32/Nyxem-D is an email and network worm for the Windows platform.

W32/Nyxem-D may open an empty dropped ZIP file in order to hide its functionality.

W32/Nyxem-D may periodically attempt to download and run an update of itself.

W32/Nyxem-D may attempt to close windows, terminate programs, remove registry entries and delete files related to security and anti-virus programs.

In the registry, it adds the value:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScanRegistry = scanregw.exe /scan

and modifies the values:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced

WebView = 0
ShowSuperHidden = 0

In the right pane, reset the registry value, if security software is installed:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses

W32/Nyxem-D sends itself to email addresses it harvests from files on the infected computer, sending itself as if from one contact to another. The emails sent have the following characteristics:

Subject lines include the following, or may be blank:

  • *Hot Movie*
  • A Great Video
  • Arab sex DSC-00465.jpg
  • eBook.pdf
  • Fuckin Kama Sutra pics
  • Fw:
  • Fw: DSC-00465.jpg
  • Fw: Funny :)
  • Fw: Picturs
  • Fw: Real show
  • Fw: SeX.mpg
  • Fw: Sexy
  • Fwd: Crazy illegal Sex!
  • Fwd: image.jpg
  • Fwd: Photo
  • give me a kiss
  • Hello
  • Miss Lebanon 2006
  • My photos
  • Part 1 of 6 Video clipe
  • Re:
  • Re: Sex Video
  • School girl fantasies gone bad
  • The Best Videoclip Ever
  • the file
  • Word file
  • You Must View This Videoclip!

Message bodies include the following, and may contain images that cannot be displayed:

  • ----- forwarded message -----
  • >> forwarded message
  • DSC-00465.jpg DSC-00466.jpg DSC-00467.jpg
  • forwarded message attached.
  • Fuckin Kama Sutra pics
  • hello, i send the file. bye
  • hi i send the details bye
  • Hot XXX Yahoo Groups
  • how are you? i send the details. OK ?
  • i attached the details. Thank you
  • i just any one see my photos. It's Free :)
  • Note: forwarded message attached.
  • photo photo2 photo3
  • Please see the file.
  • ready to be FUCKED :)
  • VIDEOS! FREE! (US$ 0,00)
  • What?

Attachments may be executable files or mime files containing executable files. Executable attachment filenames include the following:

  • 007.pif
  • 04.pif
  • 677.pif
  • document.pif
  • DSC-00465.Pif
  • DSC-00465.pIf
  • eBook.PIF
  • image04.pif
  • New_Document_file.pif
  • photo.pif
  • School.pif

Mime attachment filenames include the following:

  • 3.92315089702606E02.UUE
  • Attachments[001].B64
  • Attachments00.HQX
  • Attachments001.BHX
  • eBook.Uu
  • Original Message.B64
  • Sex.mim
  • SeX.mim
  • Video_part.mim
  • WinZip.BHX
  • Word_Document.hqx
  • Word_Document.uu

Mime attachment filenames also include the following:

  • 392315089702606E-02
  • Clipe
  • Miss
  • Photos
  • Sweet_09

with one of the following extensions:

  • .b64
  • .BHx
  • .HQX
  • .mim
  • .uu
  • .UUE
  • .XxE

If the attachment is a mime file, it contains a file with one of the following filenames followed by several spaces and an SCR extension:

  • 392315089702606E-02,UUE
  • Adults_9,zip
  • ATT01.zip
  • Atta[001],zip
  • Attachments,zip
  • Attachments[001],B64
  • Clipe,zip
  • New Video,zip
  • Photos,zip
  • SeX,zip
  • WinZip,zip
  • WinZip.zip
  • Word XP.zip
  • Word.zip

W32/Nyxem-D attempts to spread to network shares with weak passwords.
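As an added example (not part of the advisory or of Sophos's description), the following Python checks one email against the indicators listed above: the known subject lines and attachment names, the encoded-container extensions, and the decoy-name-plus-spaces-plus-.scr trick. The sample message is constructed for the demonstration.

```python
import email
import re
from email import policy

# Indicators taken from the advisory text (Sophos description of W32/Nyxem-D).
KNOWN_SUBJECTS = {"*Hot Movie*", "A Great Video", "eBook.pdf", "Miss Lebanon 2006",
                  "Part 1 of 6 Video clipe", "The Best Videoclip Ever", "Word file"}
KNOWN_ATTACHMENTS = {"007.pif", "04.pif", "677.pif", "document.pif", "dsc-00465.pif",
                     "ebook.pif", "image04.pif", "new_document_file.pif", "photo.pif",
                     "school.pif"}
CONTAINER_EXTS = (".b64", ".bhx", ".hqx", ".mim", ".uu", ".uue", ".xxe")
# Decoy name, a run of spaces, then the real .scr extension (e.g. "Photos,zip          .scr");
# the padding pushes ".scr" out of view in a narrow attachment column.
PADDED_SCR_RE = re.compile(r"\S\s{2,}\.scr$", re.IGNORECASE)

def check_message(raw: bytes) -> list[str]:
    """Return the advisory indicators matched by one RFC 822 message (empty list if none)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip()
    if subject in KNOWN_SUBJECTS:
        hits.append(f"known subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in KNOWN_ATTACHMENTS:
            hits.append(f"known attachment name: {name!r}")
        elif PADDED_SCR_RE.search(name):
            hits.append(f"space-padded .scr attachment: {name!r}")
        elif name.lower().endswith(CONTAINER_EXTS):
            hits.append(f"encoded container attachment, inspect contents: {name!r}")
    return hits

# Constructed sample message (not a real capture): one of the listed subjects, one of the
# listed body lines, and a space-padded .scr attachment whose content is a placeholder string.
SAMPLE_EML = b"""From: friend@example.invalid
Subject: Miss Lebanon 2006
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hello, i send the file. bye
--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Photos,zip          .scr"

AAAAAAAA
--b1--
"""
```

Run `check_message()` over each message a gateway or mailbox export yields; a non-empty result is a quarantine candidate, and container hits still need their decoded contents checked.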

How to Tell if your Computer is Infected

  1. Presence of worm-related files in your system folder.

  2. Your computer's security settings have been disabled or altered.

  3. Some of your files have been deleted without your knowledge.

  4. Additional values in your Registry.

Detection

Scan the infected computer with updated anti-virus software to detect the presence of the worm.

NOTE: Users MUST update their anti-virus software in order to detect and delete the worm.
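As an added triage helper (not from the advisory), this Python reads the text of a Windows "reg export" of the two keys named in the technical details above and reports the Run\ScanRegistry entry and the WebView/ShowSuperHidden changes. The export text is constructed; that real exports are UTF-16 files is an assumption about "reg export" output.

```python
import re

# Registry indicators taken from the advisory's Sophos extract for W32/Nyxem-D.
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg_export(text: str) -> dict:
    """Parse the .reg subset used here (string and dword values) into
    {key path lower-cased: {value name lower-cased: value}}; real exports are
    assumed to be UTF-16 files, so read them with encoding="utf-16" first."""
    keys: dict = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and m:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                keys[current][name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                keys[current][name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys

def nyxem_registry_indicators(text: str) -> list[str]:
    """Return the advisory's registry indicators present in a .reg export (empty if none)."""
    keys = parse_reg_export(text)
    hits = []
    run = keys.get(RUN_KEY.lower(), {})
    if str(run.get("scanregistry", "")).lower() == "scanregw.exe /scan":
        hits.append("HKLM Run\\ScanRegistry = scanregw.exe /scan (worm autostart entry)")
    adv = keys.get(ADVANCED_KEY.lower(), {})
    # Both values at 0 is what the worm writes; ShowSuperHidden=0 is also the Windows
    # default, so treat this pair as corroborating rather than conclusive evidence.
    if adv.get("webview") == 0 and adv.get("showsuperhidden") == 0:
        hits.append("HKCU Explorer\\Advanced WebView=0 and ShowSuperHidden=0")
    return hits

# Constructed sample (not a real capture) of 'reg export' output for the two keys.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="scanregw.exe /scan"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebView"=dword:00000000
"ShowSuperHidden"=dword:00000000
"""
```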

Removal Steps

Automatic Removal

  1. Disconnect the machine from the network.

  2. Disable System Restore (Windows XP/ME only).

  3. Patch your machine with the appropriate latest patches.

  4. Use an Automatic Removal Tool to clean up the infected machine.

    Automatic Removal Tool:
    http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html

  5. Reinstall and update your anti-virus software and other security-related software, as they could have been compromised by the worm.

  6. Re-scan the machine to confirm that it is clean.

  7. Re-enable System Restore (Windows ME/XP only).

  8. Re-connect the machine to the network.

Prevention

  1. Install the latest computer updates/patches.

  2. Enable and use up-to-date antivirus software.

  3. Close all ports except your HTTP port; otherwise, filter the remaining ports so that only authorized users can reach them.

  4. Enable a personal firewall on your computer.

  5. Practise safe computing and safe email habits.

References:

  1. Symantec
    http://www.sarc.com/avcenter/venc/data/w32.blackmal.e@mm.html

  2. Trend Micro
    http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA

  3. McAfee
    http://vil.nai.com/vil/content/v_138027.htm

  4. AusCERT
    http://www.auscert.org.au/render.html?it=5948

If you believe that your computer has been infected in any way, we encourage you to report to MyCERT at:

Tel: 03-89961901
Fax: 03-89960827
Email: mycert@mycert.org.my
Web: http://www.mycert.org.my/report/form_report.html
SMS: 019-2813801

All Rights Reserved
Copyright© 2005 MyCERT, NISER
Technology Park Malaysia, 57000 Kuala Lumpur, Malaysia.
Last Modified : 15th November 2005
Developed and maintained by MyCERT WebMaster

Disclaimer:

MyCERT page serves as a source of information, extracted from various other sources focusing on computer security issues for the Internet community in Malaysia. Therefore, MyCERT is not responsible for any outcomes resulted in the misuse of the information given on this page. In addition, MyCERT also denies liability for any consequences of applying the technical solutions given here.