02.02.06

Nyxem worm uses social engineering to trash files

Posted in security, virus, worm at 11:52 am by HowardG

Rearing its ugly head in January was the Nyxem worm, also known as Blackdoom, Tearec, Kama Sutra, and Win32/Mywife.E@mm or W32.Blackmal.E@mm. The mass-mailing worm requires users to click on a link or open a file attached to an email to become active. According to a report from US-CERT, the worm targets Windows systems that hide file extensions. The worm’s icon is disguised to make it appear to be a WinZip file. Those who are disseminating the worm attempt to trick people into opening the file by telling recipients it contains free pornographic images.

The worm is disseminated through e-mails that contain subject lines such as “school girl fantasies gone bad”, “the best videoclip ever,” or “Miss Lebanon 2006.”

Once the worm has been launched, the code may do several things. It will harvest email addresses from the infected system and then send itself to those email addresses, attempt to disable anti-virus and file sharing programs, use available Windows network shares to further replicate itself, and modify the Active Desktop. The worm also corrupts files on the third day of every month, starting on February 3, 2006. If activated, the worm’s payload will destroy a wide variety of files by overwriting their content with the false error message string “DATA Error [47 0F 94 93 F4 K5]”. The worm targets DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP files, meaning that if you are infected, on the third day of the month you could lose virtually all of your data.
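As an added example (not from the original post or from the US-CERT report), here is a small Python triage script a responder could run after the third of the month: it walks a directory and flags files of the targeted types whose content is nothing but the error string quoted above. It assumes the payload leaves only that string in the file; the directory layout and file names are constructed sample data.

```python
import os
import tempfile
from pathlib import Path

# Marker the post says the Nyxem payload writes over victim files.
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions the post lists as targeted (compared case-insensitively).
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_overwritten(path: Path, marker: bytes = NYXEM_MARKER) -> bool:
    """True if the file body is just the marker (plus optional trailing whitespace).

    Assumption (not stated on the page): the payload leaves only the marker
    behind, so a file that is nothing but that string has lost its data.
    """
    try:
        data = path.read_bytes()
    except OSError:
        return False
    return data.rstrip() == marker


def find_trashed_files(root, exts=TARGET_EXTENSIONS) -> list:
    """Walk root; return sorted paths of targeted-type files carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in exts and is_overwritten(p):
                hits.append(str(p))
    return sorted(hits)


def build_sample_tree(root) -> None:
    """Constructed sample data: two trashed files, one intact, one non-target type."""
    root = Path(root)
    (root / "reports").mkdir(parents=True, exist_ok=True)
    (root / "reports" / "q1.xls").write_bytes(NYXEM_MARKER)                 # trashed
    (root / "reports" / "notes.DOC").write_bytes(NYXEM_MARKER + b"\r\n")    # trashed, odd case
    (root / "reports" / "memo.doc").write_bytes(b"\xd0\xcf\x11\xe0 real doc")  # intact
    (root / "readme.txt").write_bytes(NYXEM_MARKER)                         # not targeted


def demo_scan() -> list:
    """Scan the constructed tree and return the basenames flagged as overwritten."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [os.path.basename(h) for h in find_trashed_files(tmp)]


if __name__ == "__main__":
    for name in demo_scan():
        print("overwritten:", name)
```

Flagged files cannot be recovered from their content; the list is for scoping restore-from-backup work.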

Users who follow best practices for security will not be vulnerable to the worm. Most anti-virus programs have already updated their databases to block the worm. Using anti-virus software and keeping the signature files up to date is the best way to prevent the worm from infecting your system. In addition, firewalls should be set as always to block executables and unknown file types at the gateway. Also, users should be educated to not click on suspicious attachments or follow unknown links in an email, even if it appears to be from a trusted source.

It is important to note that if the worm gets through and infects your system, it can disable your anti-virus program. Having an up-to-date anti-virus program installed in the first place will prevent the worm from getting through. If your anti-virus program is out of date, however, and the worm gets through, the anti-virus program could be subsequently disabled.

The worm is said to have already infected at least half a million systems around the world, although some reports claim much higher numbers.
