AU-2006.0005 -- AusCERT Update - [Win] - "Blackmal" email worm variant will cause file destruction

Date: 24 January 2006
References: AL-2006.0005  


AusCERT Update AU-2006.0005 - [Win]
"Blackmal" email worm variant will cause file destruction
23 January 2006

        AusCERT Update Summary
        ----------------------

Operating System:  Windows
Impact:            Delete Arbitrary Files
                   Execute Arbitrary Code/Commands
Member-only until: Tuesday, January 31 2006

Ref:               AL-2006.0005


OVERVIEW:

	A variant of the "Blackmal" email worm reported in AL-2006.0005 is 
	currently spreading rapidly and carries a payload that will 
	destroy files on the third day of each month.

	This variant has been assigned the names Nyxem.e, Nyxem-D, MyWife.d and 
	Blackmal.e@mm by different antivirus vendors. [1][2][3]

	The worm arrives in an infected email and then depends on users opening
	an email attachment to infect the machine.


IMPACT:

	The worm first attempts to disable popular antivirus and other 
	security software.

	On the third day of each month the worm will overwrite and destroy
	files with extensions .doc, .xls, .ppt, .mdb, .mde, .zip, .rar, .pdf,
	.psd and .dmp.

	It will attempt to spread to other computers via network shares
	as well as by sending further infected emails.
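
	As an added example (not part of the AusCERT bulletin), the Python below
	baselines files with the extensions listed above and reports which ones
	were overwritten or removed, so a defender can confirm that backups are
	intact and detect the payload's effect after the 3rd of the month. The
	file names and contents used in demo() are constructed for illustration.

```python
import hashlib
import tempfile
from pathlib import Path

# File extensions named in the bulletin's IMPACT section.
AT_RISK_EXTENSIONS = {".doc", ".xls", ".ppt", ".mdb", ".mde",
                      ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def sha256_of(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large archives are not loaded whole."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def build_manifest(root: str) -> dict:
    """Map each at-risk file (path relative to root) to its size and SHA-256."""
    root_path = Path(root)
    manifest = {}
    for p in root_path.rglob("*"):
        if p.is_file() and p.suffix.lower() in AT_RISK_EXTENSIONS:
            rel = p.relative_to(root_path).as_posix()
            manifest[rel] = {"size": p.stat().st_size, "sha256": sha256_of(p)}
    return manifest


def compare_manifests(baseline: dict, current: dict) -> dict:
    """Files whose content changed since the baseline, or that have vanished."""
    modified = sorted(f for f in baseline
                      if f in current and current[f]["sha256"] != baseline[f]["sha256"])
    missing = sorted(f for f in baseline if f not in current)
    return {"modified": modified, "missing": missing}


def demo() -> dict:
    """Constructed scenario: baseline three files, then simulate the payload
    overwriting report.doc and deleting backup.zip. notes.txt is not at risk."""
    with tempfile.TemporaryDirectory() as root:
        for name, data in [("report.doc", b"quarterly figures"),
                           ("backup.zip", b"PK\x03\x04archive"),
                           ("notes.txt", b"not a targeted extension")]:
            Path(root, name).write_bytes(data)
        baseline = build_manifest(root)
        Path(root, "report.doc").write_bytes(b"overwritten")  # simulated destruction
        Path(root, "backup.zip").unlink()                       # simulated deletion
        return compare_manifests(baseline, build_manifest(root))
```

	In practice, run build_manifest() against the share before the 3rd,
	keep the manifest off the affected hosts, and compare afterwards.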


MITIGATION:

	Updates have now been released for most antivirus products to allow 
	detection of this worm.

	As always, users should avoid opening attachments in email 
	messages unless the email was expected. Worm and virus 
	emails often appear to come from people you know.

	Further advice on protecting Windows workstations from malicious code
	is provided in [4].

	A free removal/cleaning tool is available. [5]


DETAILS:

	Descriptions of the infected email Subject lines, content and 
	attachment types are provided in [1], [2] and [3].

	
REFERENCES:

	[1] F-Secure worm description
	    http://www.f-secure.com/v-descs/nyxem_e.shtml

	[2] Symantec worm description
	    http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html

	[3] Sophos worm description
	    http://www.sophos.com/virusinfo/analyses/w32nyxemd.html

	[4] Protecting your computer from malicious code
	    http://www.auscert.org.au/3352

	[5] Symantec W32.Blackmal@mm Removal Tool
	    http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html


AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================
