Email-Worm.Win32.Nyxem.e
Detection added: Jan 17 2006
Technical details
This worm spreads via the Internet as an attachment to infected messages and via open network resources.
It sends itself to email addresses harvested from the victim computer.
The worm itself is a PE EXE file written in Visual Basic, packed using UPX. The packed file is approximately 95KB in size, and the unpacked file is approximately 176KB in size.
Installation
Once launched, the worm masks its main functionality by creating and opening a ZIP archive in the Windows system directory. The archive has the same name as the original executable file, e.g.
%System%\Sample.zip
When installing, the worm copies itself to the Windows root, system and startup directories under the following names:
%System%\New WinZip File.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe
%System%\WINZIP_TMP.EXE
%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
%Windir%\rundll16.exe
The worm then registers itself in the system registry, ensuring it will be launched each time Windows is rebooted on the victim machine:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="scanregw.exe /scan"
The worm also modifies the following registry keys:
[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebView"="0"
"ShowSuperHidden"="0"
Propagation via email
The worm harvests addresses from files with the following extensions:
dbx
eml
htm
imh
mbx
msf
msg
nws
oft
txt
vc
It also scans files whose names contain the following strings:
content
temporary
When sending infected messages, the worm attempts to establish a direct connection to the recipient's SMTP server.
Infected messages
Message subject:
*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Photos
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
You Must View This Videoclipe!
Message body:
----- forwarded message -----
>> forwarded message
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. Bye
Hot XXX Yahoo Groups
how are you? i send the details.
i attached the details. Thank you.
i just any one see my photos. It's Free :)
Note: forwarded message attached. You Must View This Videoclip!
Please see the file.
Re: Sex Video
ready to be FUCKED ;)
The Best Videoclip Ever
VIDEOS! FREE! (US$ 0,00)
What?
Attachment name:
007.pif
04.pif
3.92315089702606E02.UUE
677.pif
Attachments[001].B64
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
eBook.Uu
image04.pif
New_Document_file.pif
Original Message.B64
photo.pif
School.pif
SeX.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu
Propagation via open network resources
The worm copies itself to the following network resources as Winzip_TMP.exe:
ADMIN$
C$
Other
If the worm finds any of the value names listed below under the following registry keys on the victim machine, it deletes them:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
APVXDWIN
avast!
AVG7_CC
AVG7_EMC
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
BearShare
defwatch
DownloadAccelerator
kaspersky
KAVPersonal50
McAfeeVirusScanService
NAV Agent
OfficeScanNT Monitor
PCCClient.exe
pccguide.exe
PCCIOMON.exe
PccPfw
Pop3trap.exe
rtvscn95
ScanInicio
SSDPSRV
TM Outbreak Agent
tmproxy
Vet Alert
VetTray
vptray
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte
The worm also terminates active applications if the application name contains one of the following strings:
kaspersky
mcafee
norton
removal
scan
symantec
trend micro
virus
fix
It will delete all files matching the following patterns:
%ProgramFiles%\DAP\*.dll
%ProgramFiles%\BearShare\*.dll
%ProgramFiles%\Symantec\LiveUpdate\*.*
%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
%ProgramFiles%\Norton AntiVirus\*.exe
%ProgramFiles%\Alwil Software\Avast4\*.exe
%ProgramFiles%\McAfee.com\VSO\*.exe
%ProgramFiles%\McAfee.com\Agent\*.*
%ProgramFiles%\McAfee.com\shared\*.*
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
%ProgramFiles%\Trend Micro\Internet Security\*.exe
%ProgramFiles%\NavNT\*.exe
%ProgramFiles%\Morpheus\*.dll
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%ProgramFiles%\Grisoft\AVG7\*.dll
%ProgramFiles%\TREND MICRO\OfficeScan\*.dll
%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar
All of these actions make the victim machine more vulnerable to subsequent attacks.
It may also download updates to itself via the Internet, without the knowledge or consent of the user.
It will also block the mouse and the keyboard.
On the 3rd of each month, 30 minutes after the victim computer is rebooted, the worm overwrites files with the following extensions:
.doc
.xls
.mdb
.mde
.ppt
.pps
.zip
.rar
.pdf
.psd
.dmp
Files corrupted by the worm contain the following text:
DATA Error [47 0F 94 93 F4 F5]
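The indicators above (the Run value, the dropped copies, the attachment extensions and the corruption marker) turned into offline triage checks, as an added example that is not part of the original description or the forum post; the function names and the constructed sample input are my own, and the registry and directory data are passed in rather than read from a live host.

```python
import os

# Indicators copied from the description above.
# Persistence value the worm writes under HKLM\...\CurrentVersion\Run.
RUN_VALUE = ("scanregistry", "scanregw.exe /scan")
# Copies the worm drops (environment placeholders kept as in the description).
DROPPED_FILES = {
    r"%System%\New WinZip File.exe", r"%System%\scanregw.exe", r"%System%\Update.exe",
    r"%System%\Winzip.exe", r"%System%\WINZIP_TMP.EXE", r"%Windir%\rundll16.exe",
    r"%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe",
}
# Attachment extensions seen in the infected messages; the worm varies their case
# (DSC-00465.Pif, DSC-00465.pIf, eBook.PIF), so every comparison is case-insensitive.
ATTACHMENT_EXTS = {".pif", ".uue", ".b64", ".uu", ".mim", ".bhx", ".hqx"}
# Text the worm writes into documents it overwrites on the 3rd of the month.
CORRUPTION_MARKER = b"DATA Error [47 0F 94 93 F4 F5]"


def persistence_hits(run_values):
    """run_values: {value name: data} read from the Run key. Returns matching names.
    Exact match on the documented data avoids flagging other ScanRegistry entries."""
    return [n for n, d in run_values.items()
            if (n.lower(), " ".join(d.lower().split())) == RUN_VALUE]


def dropped_file_hits(paths):
    """Paths are compared case-insensitively, as the Windows file system treats them."""
    wanted = {p.lower() for p in DROPPED_FILES}
    return sorted(p for p in paths if p.lower() in wanted)


def is_worm_attachment(filename):
    """True when the attachment carries one of the listed extensions, in any case."""
    return os.path.splitext(filename)[1].lower() in ATTACHMENT_EXTS


def is_corrupted_document(data):
    """The description says overwritten files contain this text; match on content, not name."""
    return CORRUPTION_MARKER in data


def triage(run_values, paths, attachments, documents):
    """Run every check and return one report dict; documents is {name: bytes}."""
    return {
        "persistence": persistence_hits(run_values),
        "dropped_files": dropped_file_hits(paths),
        "attachments": sorted(a for a in attachments if is_worm_attachment(a)),
        "corrupted": sorted(n for n, d in documents.items() if is_corrupted_document(d)),
    }
```

A hit in `persistence` or `dropped_files` points at an active infection to be removed per the instructions below; a hit in `corrupted` only identifies documents already destroyed by the monthly payload, which cannot be repaired and must come from backup.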
Removal instructions
Restart the computer in Safe Mode: press and hold the F8 key while booting and choose Safe Mode from the menu that appears. In Task Manager, kill any process with one of the following names:
rundll16.exe
scanregw.exe
Update.exe
Winzip.exe
WINZIP_TMP.EXE
New WinZip File.exe
WinZip Quick Pick.exe
Manually delete the following files from the Windows root and system directories and from the registry:
%Windir%\rundll16.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe
%System%\WINZIP_TMP.EXE
%System%\New WinZip File.exe
%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
Delete the following values from the registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry" = "scanregw.exe /scan"
Restart the computer and make sure you have deleted all infected e-mail messages from your mail folders. If any application is damaged after the above procedure (most often antivirus and firewall products), you will have to reinstall it. Then run a full system scan with an antivirus (using the latest definitions).
http://www.viruslist.com/en/viruses/encyclopedia?virusid=109064
Additional links:
http://www.f-secure.com/v-descs/nyxem_e.shtml
[This message was edited by IcyImpact on 01.02.2006 at 21:37 GMT+1]
Knowledge is power.