(New) Worm Makes Great Strides


13 replies to this topic

#1 AplusWebMaster
  • Authentic Member
  • PipPipPipPipPipPipPip
  • 10,472 posts
  • Interests:... The never-ending battle for Truth, Justice, and the American way.

Posted 19 January 2006 - 03:21 AM

FYI...

- http://www.techweb.c..._section=700028
January 18, 2006
"A worm that debuted Tuesday had quickly climbed the malware chart to the number three spot by Wednesday, a Finnish security company said. With a variety of names -- F-Secure calls it VB.bi, Symantec dubs it Blackmal.e, McAfee labels it MyWife.d -- the worm, said Helsinki-based F-Secure, is a simple Visual Basic (VB) construction that arrives as an e-mail file attachment.
The worm also spreads through shared folders, and when activated tries to disable a number of security programs, including those sold by Symantec, McAfee, Trend Micro, and Kaspersky Labs... Symantec, which tagged the worm with a "2" in its 1 through 5 threat scale, has posted a free-of-charge removal tool on its Web site that deletes all traces of the malware."
- http://securityrespo...moval.tool.html

:ph34r:

.The machine has no brain.
 ......... Use your own.
Browser check for updates here.
YOU need to defend against -all- vulnerabilities.
Hacks only need to find -1- to get in...
.



#2 AplusWebMaster

Posted 20 January 2006 - 08:24 PM

FYI...

- http://isc.sans.org/...hp?storyid=1058
Last Updated: 2006-01-20 17:40:06 UTC
"...F-Secure posted a bulletin* today with their analysis of the current variant. The interesting (or is it scary?) part of this analysis is the revelation that on the 3rd of the month it will attempt to delete a lot of documents off the user's disks, including Office documents (*.doc, *.xls, *.ppt, *.pps), PDF files, .zip and .rar archives among others. They also report that based on a counter on a web page that the worm updates, there are in excess of 400,000 machines infected at this time."
* http://www.f-secure....s/nyxem_e.shtml

:ph34r:



#3 AplusWebMaster

Posted 22 January 2006 - 10:08 AM

FYI...

- http://isc.sans.org/...hp?storyid=1063
Last Updated: 2006-01-22 15:47:39 UTC
"CME 508 doesn't threaten like Nyxem_e*; on February 3rd and every third day of the month thereafter Nyxem.E will destroy users' work (see F-Secure's blog**) when the worm activates and replaces "the content of user's files with a text string "DATA Error [47 0F 94 93 F4 K5]". Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP... (Many AV) vendors... do not mention the destruction of user work..."
* http://www.f-secure....s/nyxem_e.shtml

** http://www.f-secure.com/weblog/

(Other AV vendor definition links shown at ISC URL above.)


:ph34r:



#4 AplusWebMaster

Posted 23 January 2006 - 05:21 PM

FYI...

- http://isc.sans.org/...hp?storyid=1065
Last Updated: 2006-01-23 22:13:35 UTC
"...Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here*). The most interesting part, which I haven't seen in other analyses of the worm, says:
"Additional Registry Changes
- The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered "safe" and digitally signed."
The threat of worms like this will make them much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy. Of course, we all know that once the machine is infected you can't trust it, but this looks like another (big) problem for the average user out there."
* http://www.fortinet....ctly&fid=119856

:ph34r:



#5 AplusWebMaster

Posted 24 January 2006 - 04:07 PM

FYI...

- http://cme.mitre.org/data/list.html#24
2006-01-24
CME-24
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A

This worm will destroy certain data files on an infected user's machine on Friday, 2/3/2006. Additional information can be found at:
http://blogs.securiteam.com
http://isc.sans.org/blackworm
and http://www.lurhq.com/blackworm.html "

:ph34r:



#6 AplusWebMaster

Posted 26 January 2006 - 04:52 PM

FYI...

- http://www.lurhq.com...worm-stats.html
January 26, 2006
"...Working with the ISP hosting the counter along with the TISF BlackWorm task force, we have obtained and analyzed the logs from the counter... As of the time these statistics were taken, the counter is well above 5 million, however, the actual count of infected users is closer to 300,000 worldwide and not increasing at too great a rate... Pie chart... shows the total infections by country for all countries with greater than 2000 infected IP addresses. The high infection rates in India, Peru and Italy are interesting to note. It is possible some of these figures are skewed by ARIN IP address reassignment, but we do believe India is the hardest-hit country by far in terms of overall infection rate. Even so, 300,000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. However, with this worm it isn't the quantity of infected users, it is the destructive payload which is most concerning..."

:ph34r:



#7 AplusWebMaster

Posted 26 January 2006 - 05:28 PM

FYI...

- http://isc.sans.org/blackworm
Last Updated: 2006-01-26 21:39:20 UTC
"...The first thing you should do is to update your anti virus signatures...
How would I get infected?
The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.
What will BlackWorm do to my system?
It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.
Removal
Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":
1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.
Snort Signatures
Joe Stewart (Lurhq.com) provided the following snort signatures based on his analysis of the worm:
(for up to date rules, see http://www.bleedingsnort.org ) ..."

:ph34r:



#8 AplusWebMaster

Posted 29 January 2006 - 08:02 AM

FYI...

- http://isc.sans.org/blackworm
Last Updated: 2006-01-28 00:22:46 UTC
"...Some of (the) links will offer removal tools. We have not tested any of these tools thoroughly enough to recommend them. They should be used as a "first try" tool, but do not substitute for a full analysis and possible rebuild of the infected system. BlackWorm includes the ability to install additional components. These additional components, if installed, will likely be missed. In addition, a virus like BlackWorm is likely an indication of a more fundamental problem in your security posture and multiple infections are likely."

.



#9 poru

Posted 31 January 2006 - 11:29 AM

Note that some mainstream news media are picking up on this (calling it "Kama Sutra" [naturally!]). Motive seems to be sheer malice; no back doors or any other stealth modes of theft -- simply destroy your system.

#10 AplusWebMaster

Posted 31 January 2006 - 02:47 PM

FYI...

MS Won't Issue Advance Kama Sutra Fix
- http://www.techweb.c...urity/177105726
January 31, 2006
"...the company has decided against updating its Windows Malicious Software Removal Tool before the next regularly-scheduled release of Feb. 14... It also notes that infected PCs will be in danger on Friday, Feb. 3, when the worm will overwrite several popular file formats, including those of Microsoft Office, with useless data. But according to the team in charge of (MSRT), that program won't be updated until after the Friday deadline passes..."

CME-24: It Has Begun
- http://isc.sans.org/...hp?storyid=1084
Last Updated: 2006-01-31 20:21:32 UTC
"According to the folks at F-Secure*, the CME-24 file deletions have begun for folks whose clocks are set wrong (remember, this puppy is set to fire up on Feb 3)..."
* http://www.f-secure....6.html#00000797

:( :ph34r:



#11 AplusWebMaster

Posted 02 February 2006 - 06:15 AM

FYI...

- http://www.grisoft.c...pl01/idv/284922
"CME-24
This worm spreads by e-mail as a message attachment and via P2P networks.
Installation:
When the worm is launched it copies itself as scanregw.exe, Net.exe and at.exe into the Windows System folder and as Rundll16.exe into the Windows folder, and registers the file scanregw.exe as ScanRegistry in the HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key in the Windows Registry.
Spreading: e-mail
The worm spreads by sending itself to e-mail addresses that are taken from files with HTM, DBX, EML, MSG, OFT, NWS, VCF, MBX, IMH, TXT and MSF extensions.
The message format is as follows:
The sender address is faked.
The subject and message body are generated from texts inside the virus body.
Attachment:
The attachment name is variable, with a pif extension, or scr in the case of a hidden extension.
Spreading: networks
The worm searches for shared folders and copies itself to them using random names.
Payload:
The virus terminates several running processes.
Every 3rd day of the month the virus overwrites files with doc, xls, mdb, mde, ppt, pps, zip, rar, pdf, psd and dmp extensions."

:ph34r:



#12 AplusWebMaster

Posted 04 February 2006 - 04:33 PM

FYI...

Recovering LOST files from a hard drive
- http://isc.sans.org/...hp?storyid=1096
Last Updated: 2006-02-04 22:15:51 UTC
"Help, I have lost data files from my hard drive (due to CME-24 or other reasons).
First, if at all possible, TURN off the computer and put the infected drive on another system that is not infected. If for one reason or another you cannot, you should consider one of the cdrom or floppy based recovery systems and an extra drive.
You should perform recovery to a different filesystem than the one being recovered from, otherwise you risk overwriting some files as you recover others.
>>> Be aware that some companies offer demos that identify "lost" files but do not save the files they find.

Here is a short list of forensic tools and data recovery tools.
Windows:
http://www.x-ways.ne...ry/index-m.html
The free version is limited to recovering files of 200k or smaller.
Linux/Unix based tools:
http://www.sleuthkit.org/autopsy/
CDROM based Bootable images
FCCU GNU/Linux boot CD 10.0 from fccu.
http://www.d-fence.be/
Fire from sourcefire
http://fire.dmzs.com/
FoRK from Vital Data
http://www.vitaldata.../index.php?id=9
Requires a registration.

Here is a good list of forensic tools.
http://www.forensics.nl/toolkits ..."

;)

Edited by AplusWebMaster, 04 February 2006 - 04:50 PM.



#13 AplusWebMaster

Posted 06 February 2006 - 05:56 PM

FYI...

CAIDA Report on Blackworm
- http://isc.sans.org/...hp?storyid=1099
Last Updated: 2006-02-06 19:08:32 UTC
"...nice analysis with descriptions, charts, graphs, and figures."

- http://www.caida.org...rity/blackworm/
Feb 06, 2006
"...The Nyxem virus depended on a user opening an email attachment to infect a computer. As this is the latest in a long string of similar viruses, its success indicates that user education measures intended to dissuade people from opening unexpected email attachments have not been sufficiently effective. 45,401 Nyxem victims (approximately ten percent of our conservative estimate) had concurrent spyware and/or botnet infections that were advertised in their browser string. Many more likely had concurrent infections that were not identifiable with the available data... In many ways, the Nyxem virus is nothing special. While it does carry a destructive payload, it follows a long history of destructive viruses and an almost equally long history of email viruses spread via people opening unexpected attachments. Social engineering is a tried-and-true technique for the malicious -- as the saying goes, "you can fool some of the people all of the time." Our estimates of the total number of victims of Nyxem are an order of magnitude less than estimates of the spread of other email viruses. Much as it is near impossible to characterize the spread of most other email worms, it is impossible to catalog the damage caused by Nyxem. Extensive news coverage and coordinated efforts to notify potential victims resulted in the repair of many computers before files they contained were overwritten by the virus..."

.



#14 AplusWebMaster

Posted 03 March 2006 - 06:29 AM

FYI...

CME-24 (again)
- http://isc.sans.org/...hp?storyid=1163
Last Updated: 2006-03-03 11:13:52 UTC
"Yes...it is CME-24 time again... remember your Nyxem/Kama Sutra/Blackworm friend from last month?
Well...it is supposed to make its rounds again today, as today is the third day of the month, and "this destructive virus will delete files from a number of popular programs on February 3rd, and on the 3rd day of the month thereafter". More info on this Blackworm special page*."

* http://isc.sans.org/...hp?storyid=1067

:(

