Jump to content


Register a free account to unlock additional features at BleepingComputer.com
Welcome to BleepingComputer, a free community where people like yourself come together to discuss and learn how to use their computers. Using the site is easy and fun. As a guest, you can browse and view the various discussions in the forums, but can not create a new topic or reply to an existing one unless you are logged in. Other benefits of registering an account are subscribing to topics and forums, creating a blog, and having no ads shown anywhere on the site.

Click here to Register a free account now! or read our Welcome Guide to learn how to use this site.


3rd Of Month Is Coming, Don't Lose Your Data

  • Please log in to reply
7 replies to this topic

#1 Papakid


    Guru at being a Newbie

  • Malware Response Team
  • 6,663 posts
  • Gender:Male
  • Local time:10:27 PM

Posted 30 January 2006 - 12:41 PM

Quoting Kaspersky Lab's warning bulletin received via email:

A dangerous email worm deletes data from infected machines on the 3rd of
every month...

Email-Worm.Win32.Nyxem.e...spreads via
the Internet as an attachment to infected messages, and also in files
placed on open network resources. It's estimated that hundreds of
thousands computers around the world are infected, and the number of
infected machines is continuing to increase.

Nyxem.e's payload is triggered on the third of every month, when the
worm will destroy data saved on the victim machine. The worm regularly
checks the system time. When the system data is the third of the month,
30 minutes after the victim machine is booted, Nyxem will delete
information from common file formats, replacing data with a meaningless
set of symbols.

KAV's description:

More info:

there are in excess of 400,000 machines infected at this time.


As is common, different antivirus vendors have their own names for the same infection. Sophos has the most complete list of aliases that I've seen.

* Email-Worm.Win32.VB.bi
* CME-24
* W32.Blackmal.E@mm
* W32/Tearec.A.worm
* Email-Worm.Win32.Nyxem.e
* W32/MyWife.d@MM

What to do:

Eugene Kaspersky's advice:

"All users should avoid launching email attachments that
have not been scanned. They should also update their antivirus databases
and then scan their computers to make sure that their machines are Nyxem


The worm terminates processes connected with security solutions, and
prevents them from being launched. Nyxem.e is also capable of
downloading updates to itself via the Internet.

If you have problems getting your AV solution to run correctly or have other reason to believe you are infected, F-Secure has a special disinfection utility called F-Force--use at your own risk:

We always did feel the same

We just started from a different point of view

Tangled up in blue--Bob Dylan

BC AdBot (Login to Remove)


#2 quietman7


    Bleepin' Janitor

  • Global Moderator
  • 52,056 posts
  • Gender:Male
  • Location:Virginia, USA
  • Local time:11:27 PM

Posted 01 February 2006 - 08:55 AM

First reports of Nyxem damage

The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time - even though the official activation time is the 3rd of the month. We've already received first reports from users who've had files on their system overwritten by the worm.

When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, ie. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you're taking daily automatic backups you might end up backing up the corrupted files over good files.

We have a free tool available to help disinfect machines before the deadline passes.

Kama Sutra email worm advice

Symantec W32.Blackmal@mm Removal Tool

Edited by quietman7, 01 February 2006 - 12:59 PM.

Windows Insider MVP 2017-2018
Microsoft MVP Reconnect 2016
Microsoft MVP Consumer Security 2007-2015 kO7xOZh.gif
Member of UNITE, Unified Network of Instructors and Trusted Eliminators

If I have been helpful & you'd like to consider a donation, click 38WxTfO.gif

#3 -David-


  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:05:27 AM

Posted 01 February 2006 - 02:20 PM

I stumbled across this UK bbc alert:


#4 phawgg


    Learning Daily

  • Members
  • 4,543 posts
  • Location:Washington State, USA
  • Local time:08:27 PM

Posted 02 February 2006 - 05:42 AM

This one hit network news in the Seattle/Tacoma area this evening.
It was reported on in some depth, which is somewhat unusual for these program's typical format.
I personally think it was presented somewhat "sensationally",
with a "tag-team" pair of newspeople splitting the duty of reading the text ...
with it seeming to be a "hang onto your hat a big one is coming your way!" sorta thing,
but at least it accomplishs the result of continuing to make the viewing public aware of internet concerns in general.

The online text:
patiently patrolling, plenty of persisant pests n' problems ...

#5 Daisuke


    Cleaner on Duty

  • Members
  • 5,575 posts
  • Gender:Male
  • Location:Romania
  • Local time:11:27 PM

Posted 02 February 2006 - 05:47 PM

F-Secure played with their "WORLDMAP technology":

Everyday is virus day. Do you know where your recovery CDs are ?
Did you create them yet ?

Posted Image

#6 t3s


  • Members
  • 628 posts
  • Gender:Male
  • Location:Somewhere in MD
  • Local time:11:27 PM

Posted 02 February 2006 - 07:38 PM

It just hit the new here in Maryland as well. Shortly after seeing it myself I got A call from A friend warning me about it. Apparently everyone is being instructed to turn off their pc's.

“Technology does not drive change -- it enables change.”


"I'm a cannibal... I eat Crackers"


Hacker != Cracker


website is down until further notice. . . . 

#7 salshroom


  • Members
  • 30 posts
  • Local time:11:27 PM

Posted 03 February 2006 - 03:36 PM

My networked PC at my job are infected with these viruses. the nyxem.e virus. along iwth others. i checked around the net to find this site to prove the most help so far.

I did all of what the site says except being unable to reinstall the norton internet security package i have been trying to install. it seemingly goes the the installation and never finishes. ive downloaded and used the f-force program that was listed here on BC, and that seemed to have no affect. Issues in a whole of what im having is unable to get internet connect, which i used tcp/ip repair program reinstalled drivers to the nic card ran HJT and multiple other protection programs. now my boss wont let me reformat because it will put our entire building down for days considering the pcs we have that need to be cleaned.

todays date is 3/3/06 and the time is 3:34 EST. if anyone has any insight please drop me a line.

#8 -David-


  • Members
  • 10,603 posts
  • Gender:Male
  • Location:London
  • Local time:05:27 AM

Posted 05 February 2006 - 04:27 PM

Hi salshroom

Symantec have a removal tool i believe:


Does this help?


0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users