SANS – Internet Storm Center – What’s the threat? And who is noticing it? Nyxem_e versus CME 508
Published: 2006-01-22, Last Updated: 2006-01-22 20:00:45 UTC by Patrick Nolan (Version: 4)

CME 508 does not threaten like Nyxem_e. On February 3rd and every third day of the month thereafter, Nyxem.E will destroy users' work (see F-Secure's blog) when the worm activates and replaces "the content of user's files with a text string "DATA Error [47 0F 94 93 F4 K5]". Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP" "on all available drives", and yes, available = shared drives.

fwiw, I look at published email malware statistics daily; both Nyxem_e and CME 508 are approximately the same in volume reports, and nowhere near what Sober was last year as far as raw numbers go. But Nyxem.E has legs, it's more like a centipede than a worm, and it's not likely to drop off the radar soon, certainly not before the 3rd of February.
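The payload described above leaves a recognisable trace: every targeted file is replaced by the same 30-byte marker string. The script below is an added example (not code from the ISC diary, F-Secure or any vendor write-up) that walks a directory tree, flags files of the listed extensions whose content is that marker, and computes the next date the trigger fires. It assumes the marker and the extension list quoted from F-Secure are exact and that a wiped file consists of nothing but the marker; the sample tree it builds is constructed data, not a real capture.

```python
"""Added example: find files wiped by the Nyxem.E payload and report the
next activation date.  Marker and extension list are taken from the
F-Secure description quoted on this page; everything else is assumed."""
import os
import tempfile
from datetime import date
from pathlib import Path

# String the payload writes in place of the original file content.
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions the payload overwrites, lower-cased so the match is case-insensitive.
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_wiped(path: Path) -> bool:
    """True if the file begins with the marker.  Only len(marker) bytes are
    read, so scanning a large share stays cheap.  Unreadable files are skipped."""
    try:
        with path.open("rb") as fh:
            head = fh.read(len(NYXEM_MARKER))
    except OSError:
        return False
    return head == NYXEM_MARKER


def scan_for_nyxem_damage(root) -> list:
    """Walk `root` (a local drive or a mapped/shared one) and return the
    sorted relative paths of targeted-extension files that hold the marker."""
    root = Path(root)
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTENSIONS and is_wiped(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def next_activation(today: date) -> date:
    """First day on or after `today` on which the trigger fires (the 3rd of the month)."""
    if today.day <= 3:
        return date(today.year, today.month, 3)
    if today.month == 12:
        return date(today.year + 1, 1, 3)
    return date(today.year, today.month + 1, 3)


def build_sample_tree(root) -> None:
    """Constructed test data: two wiped documents (one on a 'share' with an
    upper-case extension), one intact document, and a .txt the payload ignores."""
    root = Path(root)
    (root / "share" / "finance").mkdir(parents=True)
    (root / "share" / "finance" / "budget.XLS").write_bytes(NYXEM_MARKER)
    (root / "report.doc").write_bytes(NYXEM_MARKER)
    (root / "intact.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 64)  # OLE2 header stub
    (root / "notes.txt").write_bytes(NYXEM_MARKER)  # untargeted extension, must not be flagged


def demo() -> tuple:
    """Build the sample tree in a temp dir, scan it, and return
    (wiped paths, next activation after 2006-01-22, the diary's date)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        hits = scan_for_nyxem_damage(tmp)
    return hits, next_activation(date(2006, 1, 22))


if __name__ == "__main__":
    wiped, when = demo()
    for hit in wiped:
        print("wiped:", hit)
    print("next activation:", when)
```

Point `scan_for_nyxem_damage` at each mapped share as well as local drives, since the payload reaches "all available drives"; the account running the scan only needs read access. A hit list that is empty on the 4th of the month is the useful negative result, and any hit is a file to restore from backup rather than repair.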
The Handlers diary previously referenced Nyxem.E in More on Blackmal/Grew/Nyxem (file deletion payload).
Source info – see the F-Secure Virus Information Pages: Nyxem.E

The vendors below do not mention the destruction of user work, as of the checking I just did, ymmv.

Also Known As:
- WORM_GREW.{A, B} [Trend Micro] – "It gathers email addresses from files with the following extension names: DMP, DOC, MDB, MDE, PPS, PPT, PSD, RAR, XLS, ZIP".
- W32.Blackmal.E@mm [Symantec]
- W32/Nyxem-D [Sophos]
- W32/MyWife.d@MM [McAfee]
- W32/Grew.A!wm [Fortinet]
- W32/Small.KI@mm [Norman]
- Win32/Blackmal.F [Computer Associates]
- Tearec.A [Panda]
UPDATE

The CME reference is difficult but not impossible to follow. I'm reading CME links which show "Latest CME Identifiers CME-508", however, that last 508 link has English that says the newest CME-ID is "CME-503 – Date Assigned 2006-01-20". In any event I base my comment that "CME-508" is not a threat because I interpret vendor malware write-ups mentioning CME 503 as the "new" threat called CME-508 at cme.mitre.org. The vendors are listing 503, none are using 508 …