Email Worm Deletes Data
30 Jan 06:52

Kaspersky Lab warns users against Email-Worm.Win32.Nyxem.e, which potentially poses a serious threat.

This malicious program spreads via the Internet as an attachment to infected messages, and also in files placed on open network resources. It's estimated that hundreds of thousands of computers around the world are infected, and the number of infected machines is continuing to increase.

Nyxem.e's payload is triggered on the third of every month, when the worm will destroy data saved on the victim machine. The worm regularly checks the system time. When the system date is the third of the month, 30 minutes after the victim machine is booted, Nyxem will delete information from common file formats, replacing data with a meaningless set of symbols.

"Internet watchdogs are confirming Kaspersky Lab statistics - that is, significant numbers of computers are infected with Nyxem.e. February 3, 2006 could turn out to be a very difficult day with unprotected users losing data and the Internet community at large suffering from heavy traffic", predicts Eugene Kaspersky, Head of Research and Development at Kaspersky Lab. "All users should avoid launching email attachments that have not been scanned. They should also update their antivirus databases and then scan their computers to make sure that their machines are Nyxem free."

The worm itself is a Windows PE EXE file, approximately 95KB in size. The file arrives attached to an email which will have one of about 25 different subjects. The message body and attachment name will also vary, being chosen from among 20 possible variants, and this makes it more difficult to instantly identify an infected message.

The worm is activated when the user opens the attachment. Once the worm has been launched, it creates a Windows ZIP archive which will have the same name as the attachment, and then opens it. When installing itself to the system, the worm copies itself to the Windows root and system directories under a range of names. It also registers itself in the system registry, ensuring that the worm will be launched each time Windows is rebooted on the victim machine.

The worm sends itself to email addresses harvested from the victim machine. In order to do this, it establishes a direct connection with the recipient's SMTP server. It also copies itself to shared network resources on the victim machine, which increases its potential reach.

The worm terminates processes connected with security solutions, and prevents them from being launched. Nyxem.e is also capable of downloading updates to itself via the Internet.

Related links:
www.viruslist.com/en/viruses/encyclopedia?virusid=109064
