The Antivirus Guy Blog

Keeping people up to date with antivirus and security information

SANS – Internet Storm Center – CME-24 (Blackworm) Analysis: The destruction does not appear to spread across Windows network shares

CME-24 Analysis: The destruction does not appear to spread across Windows network shares (NEW)

Published: 2006-02-02,
Last Updated: 2006-02-02 17:39:40 UTC by Lorna Hutcheson (Version: 1)
I wanted to share some of the results of some long hours spent looking at this malware.  When the infection occurs, it immediately places copies of itself  locally on each share and on each share/mapped drive that it finds.  Based on this behavior, my initial thoughts were that the destructive payload would be carried out via shares and/or mapped drives as well.

I now have changed my initial thoughts on how the destruction would occur.  Here are some of my notes from my testing of this concept.  Here is the MD5 from the file I was using:
1c66904ecb846da5b1fb2072f9ea6e0e *New WinZip File.exe

The first test I did led me to believe that the destruction would be carried out via the shares and mapped drives.  In my intial test, I had two infected systems (one XP and one W2K) with drives mapped to each other.  I infected each box, changed the system time to Feb 2 at 11:50pm, launched ethereal, filemon and ran the the first shot using RegShot.  After an hour, I stopped the captures and launched my second shot of the hard drive with RegShot.  All my data files were now over written, zip files were corrupted, etc.  Everything was happening as I thought it would.  All my mapped drives had corrupted files. The security logs from each box showed accesses from the other.

For the rest of this in depth analysis, go here: SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.


February 2, 2006 Posted by | Antivirus News | 5 Comments

F-Secure : News from the Lab – Nyxem on a world map

Nyxem on a world map    Posted by Mikko @ 14:31 GMT

We have been co-operating with RCN, the company running the counter site that is used by the Nyxem worm. Last night we got the web access statistics, listing all the IP addresses that have accessed the Nyxem counter.

After filtering out the addresses of bots that have been hammering the counter lately, we used our WORLDMAP technology to map the addresses to a map. As a result we have a global view of the machines that will run into trouble unless they are disinfected before tomorrow:

Nyxem.E worldmap
– click the map for a high-resolution version –

Nyxem.E starts to overwrite files half an hour after the infected machines are started on the 3rd of the month.

We’d like to thank Jason Nealis and Chris Jackman at RCN for their generous help with this issue.

F-Secure : News from the Lab – February of 2006.

February 2, 2006 Posted by | Antivirus News | 4 Comments

SANS – Internet Storm Center – Prepraring for Feb 3rd(CME-24\Blackworm)

Prepraring for Feb 3rd(CME-24) (NEW)

Published: 2006-02-02,
Last Updated: 2006-02-02 16:07:43 UTC by Pedro Bueno (Version: 1)
Prepraring for Feb 3rd(CME-24)

We received a lot of suggestions about measures against CME-24. In other words,
how to prepare for Feb 3rd, in despite of the Anti-virus.

What follows bellow is a compiled list of those. Some were tested, but some not.

– The rule bellow, made by Per Kristian Johnsen with Telenor Security Center,
is said to detect attempts to copy WINZIP_TMP.exe to shares. According to the author,
they are being able to detect infected machines where the already published
snort/sourcefire rule couldn’t:

alert tcp any any -> any 135:139 (msg:”Nyxem attempting to copy WINZIP_TMP.exe to shares”; flow:to_server,established; content:”|57 00 49 00 4e 00 5a 00 49 00 50 00 5f 00 54 00 4d 00 50 00 2e 00 65 00 78 00 65|”; reference:url,; classtype:trojan-activity; sid:5000173; rev:1;)

We had another user that used sms to scan drives files with a size of 95,690 named (Bloggers note: I have been doing this query too, but missed the files size part)

%System%\New WinZip File.exe
Zipped Files.exe

– A security Dweeb at a large California municipal government agency wrote a batch script that:

“1) looks for the infected file names existence
on %windir% and %sysdir% using simple DIR /B commands. Output is sent to
uniquely named text file (with a non-standard extension). Infected
workstations will show a non-zero file size. Batch file is below; uses
environment vars that are unique to user and computer name.
2) The batch file will be placed in the login script for all
3) Ensure that verified backups are completed tonight (Wed).

Batch file:
@echo off
dir /b %WinDir%\system\\Winzip.exe >> %username%_%computername%.rgh
dir  /b %WinDir%\system\Update.exe  >> %username%_%computername%.rgh
dir /b  %WinDir%\system\scanregw.exe  >> %username%_%computername%.rgh
dir  /b %WinDir%\Rundll16.exe  >> %username%_%computername%.rgh
dir  /b %WinDir%\winzip_tmp.exe  >> %username%_%computername%.rgh
dir  /b c:\winzip_tmp.exe  >> %username%_%computername%.rgh
dir  /b %Temp%\                                        .exe  >>

Although dangerous, we think we have a very low chance of a problem.
According to LURQ, there are only 15K computers in US that have
contacted the “counter” site. And we have other protections in place
(blocking of all executables in mail attachments, current anti-virus
updates, etc.)”

Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org )

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

February 2, 2006 Posted by | Antivirus News | 2 Comments

Microsoft Security Advisory Notification – Update for Security Advisory (904420) – Win32/Mywife.E@mm


Title: Microsoft Security Advisory Notification

Issued: February 1, 2006

Security Advisories Updated or Released Today ==============================================

* Security Advisory (904420)

– Title: Win32/Mywife.E@mm

– Reason For Update: Additional information about the blank password restriction functionality in Windows XP Service Pack 1,

Windows XP Service Pack 2, Windows Server 2003, and Windows Server 2003 Service Pack 1. Added link to Virus Information

Alliance member Sophos.

– Web site:

February 2, 2006 Posted by | Antivirus News | 1 Comment

F-Secure : News from the Lab – First reports of Nyxem damage

Tuesday, January 31, 2006

First reports of Nyxem damage Posted by Mikko @ 16:24 GMT

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you’re infected and your clock is not set right, things could start to happen at any time – even though the official activation time is the 3rd of the month. We’ve already received first reports from users who’ve had files on their system overwritten by the worm.


When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, ie. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you’re taking daily automatic backups you might end up backing up the corrupted files over good files.

The number of machines that have been hit by this worm is over 300,000. Many of those have been disinfected already, though. But thousands of computers will get their files overwritten on February 3rd – most of them in India, Turkey and Peru.

This worm family has been around since March 2004. The worm is named “Nyxem” because the original Nyxem.A variant launched a DDoS attack against the New York Mercantile Exchange website ( We don’t know why.

We have a free tool available to help disinfect machines before the deadline passes.

F-Secure : News from the Lab – January of 2006.

February 2, 2006 Posted by | Antivirus News | 1 Comment

Microsoft Security Advisory (904420): Win32/Mywife.E@mm (aka Blackworm)

For even more comprehensive information on this virus go here:

Microsoft Security Advisory (904420)


Published: January 30, 2006

Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.

Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.

On systems that are infected by Win32/, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts. For more information, see the Microsoft Virus Encyclopedia.

As with all currently known variants of the Mywife malware, this variant does not make use of a security vulnerability, but is dependant on the user opening an infected file attachment. The malware also attempts to scan the network looking for systems it can connect to and infect It does this in the context of the user. If it fails to connect to one of these systems, it tries again by logging on with “Administrator” as the user name together with a blank password.

Read the rest of this advisory here: Microsoft Security Advisory (904420): Win32/Mywife.E@mm.

February 2, 2006 Posted by | Antivirus News | 2 Comments

SANS – Internet Storm Center – BlackWorm Summary – Updated Info

BlackWorm Summary

Published: 2006-01-26,
Last Updated: 2006-01-27 02:01:42 UTC by Johannes Ullrich (Version: 3(click to highlight changes))

About BlackWorm

Over the last week, “Blackworm” infected about 300,000 systems based on analysis of logs from the counter web site used by the worm to track itself. This  worm is  different and more serious than other worms for a number of reasons. In particular, it will overwrite a user’s files on February 3rd.

At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures.  Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can’t be expected to clean up the infection for you.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message( ‘DATA Error [47 0F 94 93 F4 K5]’).

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page:


As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be ‘CME-24’. should shortly list this number.

How would I get infected?

The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new “zip file” icon on your desktop.

What will BlackWorm do to my system?

It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.


Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild “from scratch”:

  1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
  2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.

To read the rest of this post, go here:   SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

February 2, 2006 Posted by | Antivirus News | 1 Comment

SANS – Internet Storm Center – More on Nyxem

More on Nyxem

Published: 2006-01-23,
Last Updated: 2006-01-23 22:13:35 UTC by Bojan Zdrnja (Version: 1)

Although Nyxem is comparatively less spread then worms like Sober or Netsky, it’s still doing a fair number of rounds.

The graph below is from one of the e-mail gateways with a decent number of e-mails processed daily (around 500.000+). You can see that Nyxem.E is the top malware instance detected in last 24 hours, with more than double the occurences then the next highest occuring worm (Netsky).

This is not strange as the Web counter that the worm visits upon infecting the machine currently shows around 630,000 infections (we can’t be sure that this number is correct). Bert Rapp e-mailed us asking about the URL that the worm visits. This can help you in determining if a machine is infected, as it will visit the URL with the counter.

The counter is at:

h tt p:// [REMOVED] / Count.cgi?df=765247

You can search your web logs for this host name (which looks as a legitimate site).

Other than that, Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here).
The most interesting part, which I haven’t seen in other analysis of the worm says:

“Additional Registry Changes

  • The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered “safe” and digitally signed.”

The threat of worms like this will make them much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy. Of course, we all know that once the machine is infected you can’t trust it, but this looks like another (big) problem for the average user out there.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 24, 2006 Posted by | Antivirus News, Virus Outbreaks | 2 Comments

SANS – Internet Storm Center – New mass mailer spreading (Blackmal/Grew/Nyxem) – With updated info

I have been watching this one since yesterday.  Hopefully the information out there will be clearer now that the AV companies have had time to analyze the virus. F-Secure reports that this virus is already ranked third in their Virus Statistics at the time of this writing, so this is spreading fast.

Symantec now has a cleaner for this virus, which can be found here:

McAfee and F-Secure also have descriptions for this virus, with completely different names.

McAfee: W32/MyWife.d@MM


Trend Micro is also tracking a WORM_NYXEM.E, that may be another variant of this worm, but no details are available of this writing.

Published: 2006-01-18,
Last Updated: 2006-01-18 03:15:12 UTC by Bojan Zdrnja (Version: 1)

We got several submissions of new mass mailer worm spreading around. Besides the usual stuff that worms do these days (disable AV programs, scan the local system to find new e-mail addresses) this one is a bit more interesting as the attachment can be either an executable file or a MIME file that contains an executable file.

The sample we received had attachment named Attachments00.HQX – which is actually just an uuencoded file:

begin 664 Attachments,zip                                      .SCR

You can also see a typical “insert a lot of spaces before the real extension” trick.

Detection of the worm is decent with various AV programs and they remain inconsistent for naming as always (Symantec calls this worm W32.Blackmal.E@mm, Trend Micro calls it WORM_GREW.A, while Sophos calls it W32/Nyxem-D – go figure!).
Seems like we’ll have to wait more for CME.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

January 18, 2006 Posted by | Antivirus News, Virus Outbreaks | Leave a comment

SANS – Internet Storm Center – New email virus making the rounds

Handler’s Diary January 11th

New email virus
making the rounds

Published: 2006-01-11,
Last Updated: 2006-01-11
22:28:25 UTC by Daniel Wesemann (Version: 1)
We are currently analyzing a copy of .. something.
Attachment name “”, detection by AV is still thin to nonexistent.
When run, the code tries to pull additional files from web servers in Russia, so
if you have a chance, you might consider blocking the following TLDs on your
proxy / / / / /

2200UTC: contains
a file named “Secure E-mail File.hta”, which is according to
current Virustotal output only detected by Panda and Kaspersky, the latter calls
it Worm.Win32.Feebs.k . Samples we’ve seen come in an email with subject “Secure
Message from user”. The HTA file is nicely obfuscated, it has 2
obfuscation functions, one being easy unescape, while the other one is a bit
more complex. Once it is executed by a user, it will run in the local zone, so
it can use various ActiveXObjects. It will try to download executables from 5
web sites (domains listed above), all of which are up and working at this

MD5 sums for the original exploit file and the two variants of
EXEs it downloads when run:
Secure E-mail File.hta


Analysis and write-up by fellow handler Bojan
Zdrnja. Thanks! 🙂

SANS – Internet Storm
Center – Cooperative Cyber Threat Monitor And Alert System

January 14, 2006 Posted by | Antivirus News, Virus Outbreaks | Leave a comment