The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – New mass mailer spreading (Blackmal/Grew/Nyxem) – With updated info

I have been watching this one since yesterday.  Hopefully the information out there will be clearer now that the AV companies have had time to analyze the virus. F-Secure reports that this virus is already ranked third in their Virus Statistics at the time of this writing, so this is spreading fast.

Symantec now has a cleaner for this virus, which can be found here:

McAfee and F-Secure also have descriptions for this virus, with completely different names.

McAfee: W32/MyWife.d@MM


Trend Micro is also tracking a WORM_NYXEM.E, that may be another variant of this worm, but no details are available of this writing.

Published: 2006-01-18,
Last Updated: 2006-01-18 03:15:12 UTC by Bojan Zdrnja (Version: 1)

We got several submissions of new mass mailer worm spreading around. Besides the usual stuff that worms do these days (disable AV programs, scan the local system to find new e-mail addresses) this one is a bit more interesting as the attachment can be either an executable file or a MIME file that contains an executable file.

The sample we received had attachment named Attachments00.HQX – which is actually just an uuencoded file:

begin 664 Attachments,zip                                      .SCR

You can also see a typical “insert a lot of spaces before the real extension” trick.

Detection of the worm is decent with various AV programs and they remain inconsistent for naming as always (Symantec calls this worm W32.Blackmal.E@mm, Trend Micro calls it WORM_GREW.A, while Sophos calls it W32/Nyxem-D – go figure!).
Seems like we’ll have to wait more for CME.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.


January 18, 2006 - Posted by | Antivirus News, Virus Outbreaks

No comments yet.

Leave a Reply

Please log in using one of these methods to post your comment: Logo

You are commenting using your account. Log Out /  Change )

Google+ photo

You are commenting using your Google+ account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: