SANS – Internet Storm Center – New mass mailer spreading (Blackmal/Grew/Nyxem) – With updated info
I have been watching this one since yesterday. Hopefully the information out there will be clearer now that the AV companies have had time to analyze the virus. F-Secure reports that this virus is already ranked third in their Virus Statistics at the time of this writing, so this is spreading fast.
Symantec now has a cleaner for this virus, which can be found here: http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html
McAfee and F-Secure also have descriptions for this virus, with completely different names.
McAfee: W32/MyWife.d@MM
F-Secure: Email-Worm.Win32.VB.bi
Trend Micro is also tracking WORM_NYXEM.E, which may be another variant of this worm, but no details are available as of this writing.
Published: 2006-01-18, Last Updated: 2006-01-18 03:15:12 UTC by Bojan Zdrnja (Version: 1)

We got several submissions of a new mass mailer worm spreading around. Besides the usual stuff that worms do these days (disable AV programs, scan the local system to find new e-mail addresses), this one is a bit more interesting as the attachment can be either an executable file or a MIME file that contains an executable file.

The sample we received had an attachment named Attachments00.HQX, which is actually just a uuencoded file:
begin 664 Attachments,zip .SCR
You can also see a typical “insert a lot of spaces before the real extension” trick.
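As an added example (not code from the ISC diary or from this blog), the following Python checks an attachment the way the diary describes: it looks for a uuencode “begin” header inside a file that claims to be something else (an .HQX here), pulls out the embedded filename, flags a run of spaces in front of the real extension, and decodes the first data line to see whether a DOS/PE “MZ” header is inside. The sample blob, the extension lists and the function names are constructed for this example.

```python
import binascii
import re

# Constructed sample (not the real worm): a uuencoded blob whose embedded
# filename hides ".SCR" behind a run of spaces, carrying a PE-style "MZ" stub.
SAMPLE_PAYLOAD = b"MZ\x90\x00\x03\x00\x00\x00\x04\x00\x00\x00\xff\xff\x00\x00"
SAMPLE_ATTACHMENT = (
    b"begin 664 Attachments,zip" + b" " * 40 + b".SCR\n"
    + binascii.b2a_uu(SAMPLE_PAYLOAD)
    + b"`\nend\n"
)

EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}  # assumed list
UU_EXTS = {".uu", ".uue"}  # declared names under which a uuencode body is expected
UU_HEADER = re.compile(rb"^begin [0-7]{3} (.+)$", re.MULTILINE)


def _ext(name: str) -> str:
    """Lower-cased final extension including the dot, or '' if there is none."""
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def inspect_attachment(declared_name: str, blob: bytes) -> dict:
    """Compare the declared attachment name with what the bytes really contain."""
    result = {
        "is_uuencode": False, "declared_type_mismatch": False,
        "embedded_name": "", "padded_extension": False,
        "real_extension": "", "executable": False, "mz_header": False,
    }
    m = UU_HEADER.search(blob)
    if m is None:
        return result
    result["is_uuencode"] = True
    # A uuencode header in a file not declared as .uu/.uue (e.g. ".HQX") is suspicious.
    result["declared_type_mismatch"] = _ext(declared_name) not in UU_EXTS
    name = m.group(1).decode("latin-1").rstrip("\r")
    result["embedded_name"] = name
    # Two or more spaces right before the final extension: the padding trick.
    result["padded_extension"] = re.search(r" {2,}\.[A-Za-z0-9]+$", name) is not None
    result["real_extension"] = _ext(name)
    result["executable"] = result["real_extension"] in EXECUTABLE_EXTS
    # Decode the first data line and look for the DOS/PE "MZ" signature.
    first_line = blob[m.end():].lstrip(b"\r\n").split(b"\n", 1)[0]
    try:
        result["mz_header"] = binascii.a2b_uu(first_line).startswith(b"MZ")
    except binascii.Error:
        pass  # malformed data line: leave mz_header False
    return result


if __name__ == "__main__":
    for key, value in inspect_attachment("Attachments00.HQX", SAMPLE_ATTACHMENT).items():
        print(f"{key}: {value}")
```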
Detection of the worm is decent across the various AV programs, but the naming remains inconsistent as always (Symantec calls this worm W32.Blackmal.E@mm, Trend Micro calls it WORM_GREW.A, while Sophos calls it W32/Nyxem-D – go figure!).
Seems like we’ll have to wait a bit longer for CME.