SANS – Internet Storm Center – More on Nyxem

More on Nyxem

Published: 2006-01-23,
Last Updated: 2006-01-23 22:13:35 UTC by Bojan Zdrnja (Version: 1)

Although Nyxem is comparatively less spread then worms like Sober or Netsky, it’s still doing a fair number of rounds.

The graph below is from one of the e-mail gateways with a decent number of e-mails processed daily (around 500.000+). You can see that Nyxem.E is the top malware instance detected in last 24 hours, with more than double the occurences then the next highest occuring worm (Netsky).

This is not strange as the Web counter that the worm visits upon infecting the machine currently shows around 630,000 infections (we can’t be sure that this number is correct). Bert Rapp e-mailed us asking about the URL that the worm visits. This can help you in determining if a machine is infected, as it will visit the URL with the counter.

The counter is at:

h tt p:// webstats.web.rcn.net/ [REMOVED] / Count.cgi?df=765247

You can search your web logs for this host name (which looks as a legitimate site).

Other than that, Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here).
The most interesting part, which I haven’t seen in other analysis of the worm says:

“Additional Registry Changes

• The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered “safe” and digitally signed.”

The threat of worms like this will make them much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy. Of course, we all know that once the machine is infected you can’t trust it, but this looks like another (big) problem for the average user out there.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 24, 2006 - Posted by antivirusguy | Antivirus News, Virus Outbreaks