BleepingComputer.com: 3rd Of Month Is Coming, Don't Lose Your Data


3rd Of Month Is Coming, Don't Lose Your Data
Email-Worm.Win32.Nyxem, W32.Blackmal.E@mm, W32/MyWife.d@MM, Kama Sutra

#1 Papakid

  • Guru at being a Newbie
  • Group: Malware Response Team
  • Posts: 6,019
  • Joined: 08-April 04
  • Gender:Male

Posted 30 January 2006 - 12:41 PM

Quoting Kaspersky Lab's warning bulletin received via email:

Quote

A dangerous email worm deletes data from infected machines on the 3rd of
every month...

Email-Worm.Win32.Nyxem.e...spreads via
the Internet as an attachment to infected messages, and also in files
placed on open network resources. It's estimated that hundreds of
thousands of computers around the world are infected, and the number of
infected machines is continuing to increase.

Nyxem.e's payload is triggered on the third of every month, when the
worm will destroy data saved on the victim machine. The worm regularly
checks the system time. When the system date is the third of the month,
30 minutes after the victim machine is booted, Nyxem will delete
information from common file formats, replacing data with a meaningless
set of symbols.


KAV's description:
http://www.viruslist.com/en/viruses/encycl...?virusid=109064

More info:
http://isc.sans.org/diary.php?storyid=1058&rss

Quote

there are in excess of 400,000 machines infected at this time.


http://www.sophos.com/virusinfo/analyses/w32nyxemd.html
http://www.f-secure.com/v-descs/nyxem_e.shtml#details

As is common, different antivirus vendors have their own names for the same infection. Sophos has the most complete list of aliases that I've seen.

* Email-Worm.Win32.VB.bi
* CME-24
* WORM_GREW.A
* W32.Blackmal.E@mm
* W32/Tearec.A.worm
* Email-Worm.Win32.Nyxem.e
* W32/MyWife.d@MM

What to do:

Eugene Kaspersky's advice:

Quote

"All users should avoid launching email attachments that
have not been scanned. They should also update their antivirus databases
and then scan their computers to make sure that their machines are Nyxem
free."


However:

Quote

The worm terminates processes connected with security solutions, and
prevents them from being launched. Nyxem.e is also capable of
downloading updates to itself via the Internet.


If you have problems getting your AV solution to run correctly or have other reason to believe you are infected, F-Secure has a special disinfection utility called F-Force--use at your own risk:
http://www.f-secure.com/v-descs/nyxem_e.shtml

And I may be obliged to defend
Every love every ending
Or maybe there's no obligations now,
Maybe I've a reason to believe
We all will be received
In Graceland--Paul Simon

#2 quietman7

  • Bleepin' Janitor
  • Group: Global Moderator
  • Posts: 25,518
  • Joined: 09-July 05
  • Gender:Male
  • Location:Virginia, USA

Posted 01 February 2006 - 08:55 AM

First reports of Nyxem damage

Quote

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time - even though the official activation time is the 3rd of the month. We've already received first reports from users who've had files on their system overwritten by the worm.

When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, i.e. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you're taking daily automatic backups you might end up backing up the corrupted files over good files.

We have a free tool available to help disinfect machines before the deadline passes.

Kama Sutra email worm advice

Symantec W32.Blackmal@mm Removal Tool

This post has been edited by quietman7: 01 February 2006 - 12:59 PM

Microsoft MVP - Consumer Security 2007-2012
Member of UNITE, Unified Network of Instructors and Trusted Eliminators
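
Added example, not part of the original posts: the text quoted in post #2 warns that automatic backups can copy overwritten files over good ones. This Python sketch is a pre-backup gate that flags files of the seven listed types whose leading bytes do not match the format's signature; the function names and the sample files are constructed for this illustration.

```python
import os
import tempfile

OLE2 = bytes.fromhex("D0CF11E0A1B11AE1")   # legacy Office compound file header
# (offset, expected bytes) accepted for each extension the quoted text lists.
SIGNATURES = {
    ".doc": [(0, OLE2)], ".xls": [(0, OLE2)], ".ppt": [(0, OLE2)],
    ".zip": [(0, b"PK\x03\x04"), (0, b"PK\x05\x06")],  # second: empty archive
    ".rar": [(0, b"Rar!\x1a\x07")], ".pdf": [(0, b"%PDF-")],
    ".mdb": [(4, b"Standard Jet DB")],
}

def looks_intact(path):
    """True/False for a listed type; None if the extension is not covered."""
    sigs = SIGNATURES.get(os.path.splitext(path)[1].lower())
    if sigs is None:
        return None
    with open(path, "rb") as fh:
        head = fh.read(64)
    return any(head[off:off + len(magic)] == magic for off, magic in sigs)

def suspect_files(root):
    """Walk root and return sorted paths whose header does not match the extension."""
    bad = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                if looks_intact(full) is False:
                    bad.append(full)
            except OSError:
                bad.append(full)   # unreadable: treat as suspect, do not skip
    return sorted(bad)

def safe_to_back_up(root, max_suspect=0):  # gate to call before a backup job
    return len(suspect_files(root)) <= max_suspect

def demo():
    """Constructed sample tree: two intact files and one with a junk header."""
    with tempfile.TemporaryDirectory() as d:
        samples = {"report.pdf": b"%PDF-1.4\n...", "old.DOC": OLE2 + b"\0" * 56,
                   "budget.xls": b"junk header, not OLE2 " * 4}
        for name, data in samples.items():
            with open(os.path.join(d, name), "wb") as fh:
                fh.write(data)
        return [os.path.basename(p) for p in suspect_files(d)], safe_to_back_up(d)

if __name__ == "__main__":
    print(demo())
```

A matching header does not prove the rest of the file is intact, so versioned or offline backup copies are still needed to keep one bad run from replacing the last good copy.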

#3 -David-

  • Forum Addict
  • Group: Members
  • Posts: 10,603
  • Joined: 28-October 05
  • Gender:Male
  • Location:London

Posted 01 February 2006 - 02:20 PM

I stumbled across this UK BBC alert:
http://news.bbc.co.uk/1/hi/technology/4661582.stm

David

#4 phawgg

  • Learning Daily
  • Group: Members
  • Posts: 4,543
  • Joined: 09-July 04
  • Location:Washington State, USA

Posted 02 February 2006 - 05:42 AM

This one hit network news in the Seattle/Tacoma area this evening.
It was reported on in some depth, which is somewhat unusual for these programs' typical format.
I personally think it was presented somewhat "sensationally",
with a "tag-team" pair of newspeople splitting the duty of reading the text ...
with it seeming to be a "hang onto your hat a big one is coming your way!" sorta thing,
but at least it accomplishes the result of continuing to make the viewing public aware of internet concerns in general.

The online text:
http://www.komotv.com/stories/41637.htm

patiently patrolling, plenty of persistent pests n' problems ...

#5 Daisuke

  • Cleaner on Duty
  • Group: Members
  • Posts: 5,575
  • Joined: 01-September 04
  • Gender:Male
  • Location:Romania

Posted 02 February 2006 - 05:47 PM

F-Secure played with their "WORLDMAP technology":

http://www.f-secure.com/weblog/archives/ar...6.html#00000800

Every day is virus day. Do you know where your recovery CDs are?
Did you create them yet?

#6 Newb4Life

  • Distinguished Member
  • Group: Members
  • Posts: 618
  • Joined: 14-November 05
  • Gender:Male
  • Location:Pinellas County, FL

Posted 02 February 2006 - 07:38 PM

It just hit the news here in Maryland as well. Shortly after seeing it myself I got a call from a friend warning me about it. Apparently everyone is being instructed to turn off their PCs.

“Technology does not drive change -- it enables change.”
-Unknown

#7 salshroom

  • Member
  • Group: Members
  • Posts: 30
  • Joined: 26-October 04

Posted 03 February 2006 - 03:36 PM

My networked PCs at my job are infected with these viruses: the Nyxem.e virus, along with others. I checked around the net and found this site to provide the most help so far.
http://www.viruslist.com/en/viruses/encycl...?virusid=109064

I did all of what the site says, except that I am unable to reinstall the Norton Internet Security package I have been trying to install. It seemingly goes through the installation and never finishes. I've downloaded and used the F-Force program that was listed here on BC, and that seemed to have no effect. The issue on the whole that I'm having is being unable to get an Internet connection, for which I used a TCP/IP repair program, reinstalled drivers for the NIC, and ran HJT and multiple other protection programs. Now my boss won't let me reformat because it will put our entire building down for days, considering the PCs we have that need to be cleaned.

Today's date is 3/3/06 and the time is 3:34 EST. If anyone has any insight, please drop me a line.

#8 -David-

  • Forum Addict
  • Group: Members
  • Posts: 10,603
  • Joined: 28-October 05
  • Gender:Male
  • Location:London

Posted 05 February 2006 - 04:27 PM

Hi salshroom

Symantec have a removal tool, I believe:

http://securityresponse.symantec.com/avcen...ckmal.e@mm.html

Does this help?

David
