AU-2006.0006 -- AusCERT Update - [Win] - "Blackmal" email worm update (CME-24)

Date: 02 February 2006
References: AL-2006.0005  

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

AusCERT Update AU-2006.0006 - [Win]
"Blackmal" email worm update (CME-24)
2 February 2006       

	AusCERT Update Summary
        ----------------------

Operating System:  Windows
Impact:            Delete Arbitrary Files
                   Execute Arbitrary Code/Commands

Ref:               AL-2006.0005

OVERVIEW:
 
	This AusCERT update provides a summary of known information about the
	"Blackmal" email worm reported in AL-2006.0005 [1].
 
	Conservative estimates of the number of compromised hosts resulting 
	from this worm are around 300 000.  The worm's destructive payload is
	scheduled to overwrite data files on local and network drives on 3 
	February and the 3rd of every month thereafter.  There have been
	reports of users whose system clocks were set ahead already having
	their data files overwritten by this worm [2].
 
	This worm has now been assigned CME-24 by the Common Malware
	Enumeration initiative.  The CME web site [3] lists major virus vendor
	naming conventions for this particular threat.

	Due to the destructive nature of this worm, AusCERT advises that
	system administrators ensure their networks are free from infection
	before the first data destruction payload triggers on February 3 2006. 

IMPACT:

	This worm will:
 
	* attempt to disable anti-virus products and security software

	* on the third of each month, attempt to overwrite files with file
	  extensions of .doc, .xls, .ppt, .mdb, .mde, .zip, .rar, .pdf, .psd
	  and .dmp.  The worm will also attempt to overwrite files on network
	  shares, such as on file servers.

	* mass-mail itself to other email addresses found on an infected
	  system.

MITIGATION:

	It is recommended that administrators and users:

	* update anti-virus pattern files to latest versions and scan for 
	  infections.  If anti-virus products have been disabled by the worm,
	  this may require reinstallation of these products.

	* follow detection and removal instructions from Microsoft [4].

	* use a specialised tool to remove any infections, such as F-Secure's
	  F-Force [5] or Symantec's removal tool [6].  Please note that 
	  AusCERT has not tested these products for their effectiveness.

	* backup important data files as per normal backup procedure.
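
	The following script is an added illustration, not part of this
	bulletin or of any vendor's tool, showing one way to support the
	backup step above: record a hash baseline of every file with a
	targeted extension on local drives and mapped network shares before
	the trigger date, then re-run it afterwards to list the files whose
	contents changed or disappeared and therefore need restoring.  The
	extension list is the one given in the IMPACT section; the directory
	names and file contents in demo() are constructed for the example.

```python
"""Baseline-and-compare integrity check for the file types the worm targets.

Added example, not from the AusCERT bulletin.  Run build_manifest() and
save_manifest() before the trigger date, and compare_manifests() against a
fresh manifest afterwards to obtain a restore-from-backup worklist.
"""
import hashlib
import json
import os
import tempfile
from pathlib import Path

# File types named in the bulletin's IMPACT section as targets of the
# 3rd-of-the-month overwrite payload.
TARGET_EXTENSIONS = frozenset({
    ".doc", ".xls", ".ppt", ".mdb", ".mde",
    ".zip", ".rar", ".pdf", ".psd", ".dmp",
})


def sha256_file(path, chunk_size=1 << 20):
    """Hash a file in chunks so large archives need not fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(roots):
    """Walk each root (local drive or mapped share) and record size and
    SHA-256 for every file whose extension is on the target list.
    Unreadable files are recorded with the error rather than skipped, so
    the report shows which paths were never baselined."""
    manifest = {}
    for root in roots:
        for dirpath, _dirs, filenames in os.walk(root):
            for name in filenames:
                path = Path(dirpath) / name
                if path.suffix.lower() not in TARGET_EXTENSIONS:
                    continue
                try:
                    manifest[str(path)] = {
                        "size": path.stat().st_size,
                        "sha256": sha256_file(path),
                    }
                except OSError as exc:
                    manifest[str(path)] = {"error": str(exc)}
    return manifest


def save_manifest(manifest, out_path):
    # .json is not a targeted extension; still keep the file off the
    # scanned host so it survives reimaging.
    Path(out_path).write_text(json.dumps(manifest, indent=1, sort_keys=True))


def load_manifest(in_path):
    return json.loads(Path(in_path).read_text())


def compare_manifests(before, after):
    """Return (changed, missing): paths whose hash differs between the two
    manifests, and paths present before but gone afterwards."""
    changed = sorted(
        p for p, rec in before.items()
        if p in after and "sha256" in rec
        and rec["sha256"] != after[p].get("sha256")
    )
    missing = sorted(p for p in before if p not in after)
    return changed, missing


def demo():
    """Constructed scenario: baseline a tree, simulate the payload
    overwriting one targeted file in place, and report only that file."""
    with tempfile.TemporaryDirectory() as root:
        docs = Path(root) / "share" / "finance"       # constructed paths
        docs.mkdir(parents=True)
        (docs / "budget.xls").write_bytes(b"constructed spreadsheet bytes")
        (docs / "report.pdf").write_bytes(b"constructed pdf bytes")
        (docs / "notes.txt").write_bytes(b"not a targeted extension")

        before = build_manifest([root])
        manifest_file = Path(root) / "baseline.json"  # not a targeted type
        save_manifest(before, manifest_file)

        # Simulate the destructive payload: contents replaced, name kept.
        (docs / "budget.xls").write_bytes(b"garbage written by the worm")

        after = build_manifest([root])
        changed, missing = compare_manifests(load_manifest(manifest_file), after)
        return {
            "baselined": sorted(Path(p).name for p in before),
            "changed": [Path(p).name for p in changed],
            "missing": [Path(p).name for p in missing],
        }


if __name__ == "__main__":
    print(demo())
```

	Store the baseline on a host already verified clean rather than on
	the share being scanned: a manifest kept beside the data it describes
	is lost with it if the host has to be rebuilt.  Running the baseline
	again after 3 February and comparing gives the list of files to pull
	from backup, and any paths recorded with an "error" entry were never
	hashed and should be checked by hand.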

REFERENCES:
 
	[1] http://www.auscert.org.au/5948
	[2] http://www.f-secure.com/weblog/archives/archive-012006.html#00000797
	[3] http://cme.mitre.org/data/list.html#24
	[4] http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2fMywife.E%40mm
	[5] http://www.f-secure.com/v-descs/nyxem_e.shtml
	[6] http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html

AusCERT has made every effort to ensure that the information contained
in this document is accurate.  However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.

If you believe that your computer system has been compromised or attacked in 
any way, we encourage you to let us know by completing the secure National IT 
Incident Reporting Form at:

        http://www.auscert.org.au/render.html?it=3192

===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072

Internet Email: auscert@auscert.org.au
Facsimile:      (07) 3365 7031
Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
                AusCERT personnel answer during Queensland business hours
                which are GMT+10:00 (AEST).
                On call after hours for member emergencies only.
===========================================================================

-----BEGIN PGP SIGNATURE-----
Comment: http://www.auscert.org.au/render.html?it=1967

iQCVAwUBQ+FPnih9+71yA2DNAQIdEgP+OGw5SYDu7HaSd0WKmoYHQQQgtwYAlpfx
YjStjSOP8RZcMXMAAe+zeTGNfy8TKEkch4Qh0NULiMRFrK7ifaGFJ7SMifL+vXPe
JArzYn6vrYaxItanEEd4drs7OJFf7bRW+cJrmo8FG3PgqSszsME1t8pRaHjiM5bF
agE+8H6wPGw=
=yxo6
-----END PGP SIGNATURE-----