The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – What’s the threat? And who is noticing it? Nyxem_e versus CME 508

 What’s the threat? And who is noticing it? Nyxem_e versus CME 508

Published: 2006-01-22,
Last Updated: 2006-01-22 20:00:45 UTC by Patrick Nolan (Version: 4(click to highlight changes))

CME 508 does not threaten like Nyxem_e, on February 3rd and every third day of the month thereafter Nyxem.E will destroy users work (see F-Secure’s blog) when the worm activates and replaces “the content of user’s files with a text string “DATA Error [47 0F 94 93 F4 K5]”. Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP” “on all available drives”, and yes, available = shared drives.

fwiw, I look at published email malware statistics daily, both Nyxem_e and CME 508 are approximately the same in volume reports, and nowhere near sober was last year as far as raw numbers go. But Nyxem.E has legs, it’s more like a centipede than a worm, and it’s not likely to drop off the radar soon, certainly not before the 3rd of February.

The Handlers diary previously referenced Nyxem.E in More on Blackmal/Grew/Nyxem (file deletion payload.
Source info – see the F-Secure Virus Information Pages : Nyxem.E

The vendors below do not mention the destruction of user work, as of the checking I just did, ymmv.
Also Known As: 

WORM_GREW.{A, B} [Trend Micro],
“It gathers email addresses from files with the following extension names:

DMP
DOC
MDB
MDE
PDF
PPS
PPT
PSD
RAR
XLS
ZIP”.

W32.Blackmal.E@mm Symantec

W32/Nyxem-D [Sophos],

W32/MyWife.d@MM  [McAfee],

W32/Grew.A!wm (Fortinet),

W32/Small.KI@mm [Norman],

Win32/Blackmal.F [Computer Associates]

Tearec.A Panda

UPDATE
The CME reference is difficult but not impossible to follow. I’m reading CME links which show “Latest CME Identifiers CME-508“, however, that last 508 link has english that says the newest CME-ID is “CME-503  – Date Assigned 2006-01-20”. In any event I base my comment that “CME-508” is not a threat because I interpret vendor malware write-ups mentioning CME 503 as the “new” threat called CME-508 at cme.mitre.org. The vendors are listing 503, none are using 508 ……

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

Advertisements

January 23, 2006 - Posted by | Administrative

No comments yet.

Leave a Reply

Please log in using one of these methods to post your comment:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: