Win32.Nyxem.E@mm (Email-Worm.Win32.Nyxem.e, W32/Nyxem-D, WORM_GREW.A, W32/MyWife.d@MM)
SYMPTOMS:

[Warning] On the 3rd of every month, the virus overwrites all files that have the extensions listed in the technical description below.

- Presence of any of the following files (see step 1 of the technical description):
%WINDOWS%\Rundll16.exe
%SYSTEM%\scanregw.exe
%SYSTEM%\Update.exe
%SYSTEM%\Winzip.exe

TECHNICAL DESCRIPTION:

This threat arrives by e-mail. It is written in Visual Basic and compiled to p-code. It spreads as a mass mailer using its own SMTP engine, and also through network shares.

It carries a dangerous payload: on the 3rd of each month, 30 minutes after the system has started, it searches all available drives for files with the following extensions:

.dmp .doc .mdb .mde .pdf .pps .ppt .psd .rar .xls .zip

and replaces their content with the string "DATA Error [47 0F 94 93 F4 K5]". The original content is destroyed by this overwrite; affected files can only be restored from backup.

The e-mail format is as follows:

Subject: (one of the following)
*Hot Movie*
A Great Video
eBook.pdf
Fw: Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Photos
Re:
Re: Sex Video
School girl fantasies gone bad
the file
Word file

Body: (one of the following, or a composition of several of them)
----- forwarded message -----
>> forwarded message
bye
F**kin Kama Sutra pics
forwarded message attached.
hello,
hi
Hot XXX Yahoo Groups
how are you?
i attached the details.
i just any one see my photos.
i send the details
i send the details.
i send the file.
It's Free :)
Note: forwarded message attached.
OK ?
Please see the file.
ready to be F**KED ;)
Thank you
The Best Videoclip Ever
VIDEOS! FREE! (US$ 0,00)
What?
You Must View This Videoclip!

Note: for instance, the composed body may be: "hello, i send the details"

Attachment: (an executable, or a MIME-encoded executable)
007.pif
04.pif
677.pif
Arab sex DSC-00465.jpg
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif

If the file is MIME-encoded, the attachment may be named:
3.92315089702606E02.UUE
Attachments[001].B64
Attachments00.HQX
Attachments001.BHX
eBook.Uu
SeX.mim
Sex.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu

In MIME-encoded form, the attachment name may also be composed from a predefined list of strings, so the filename may be one of:
392315089702606E-02
Clipe
Miss
Sweet_09
and the extension any of:
.b64 .BHx .HQX .mim .uu .UUE

The executable inside the MIME-encoded file may be named:
392315089702606E-02,UUE .scR
Adults_9,zip .sCR
ATT01.zip .sCR
Atta[001],zip .SCR
Attachments,zip .SCR
Attachments[001],B64 .sCr
Clipe,zip .sCr
New Video,zip .sCr
Photos,zip .sCR
SeX,zip .scR
WinZip,zip .scR
WinZip.zip .sCR
Word XP.zip .sCR
Word.zip .sCR

Note: in these names the first "extension" (",zip", ".zip", ",UUE", ",B64") is a decoy; the real extension is .scr, written with varying letter case.

Once the executable is run (as an e-mail attachment or by any other way), the virus does the following:

1. Copies itself as one or more of the following files (also see the symptoms above):
%WINDOWS%\Rundll16.exe
%SYSTEM%\scanregw.exe
%SYSTEM%\Update.exe
%SYSTEM%\Winzip.exe

2. Creates an autorun registry entry:
[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry" = "%SYSTEM%\scanregw.exe /scan"

3. Modifies/sets the registry values:
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebView" = 0
"ShowSuperHidden" = 0
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath" = 1
("ShowSuperHidden" = 0 keeps protected operating-system files hidden in Explorer, which makes the dropped copies less visible.)

4. Harvests e-mail addresses from files with the extensions:
.DBX .EML .HTM .IMH .MBX .MSF .MSG .NWS .OFT .TXT .VCF
It also scans inside files whose names contain the strings "CONTENT." or "TEMPORARY" (which match the Internet Explorer cache folders), but skips e-mail addresses that contain:
@HOTMAIL
@HOTPOP
@YAHOOGROUPS
ANTI
AVG
CA.COM
CILLIN
EEYE
GROUPS.MSN
KASPER
MCAFEE
MICROSOFT
NOMAIL.YAHOO.COM
NORTON
PANDA
SCRIBE
SECUR
SPAM
SYMANTEC
TREND
TRUST
VIRUS
The virus sends itself to the harvested e-mail addresses in the format described above.

5. Network share scan and propagation. Enumerates the available shares, and also checks the "Personal" and "Recent" entries under [HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders]. The virus may randomly replace one of the files found in those folders with a copy of itself bearing the .exe extension.
Attempts to copy itself to network shares as:
New WinZip File.exe
Zipped Files.exe
movies.exe
WINZIP_TMP.exe
Also as C$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe, deleting C$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk.
It also attempts to delete files from the following folders on the share:
\C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus
\C$\Program Files\Common Files\symantec shared
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
\C$\Program Files\McAfee.com\Agent
\C$\Program Files\McAfee.com\shared
\C$\Program Files\McAfee.com\VSO
\C$\Program Files\NavNT
\C$\Program Files\Norton AntiVirus
\C$\Program Files\Panda Software\Panda Antivirus 6.0
\C$\Program Files\Panda Software\Panda Antivirus Platinum
\C$\Program Files\Symantec\LiveUpdate
\C$\Program Files\Trend Micro\Internet Security
\C$\Program Files\Trend Micro\PC-cillin 2002
\C$\Program Files\Trend Micro\PC-cillin 2003

6. Attempts to delete files from the following folders inside "Program Files":
\DAP\*.dll
\BearShare\*.dll
\Symantec\LiveUpdate\*.*
\Symantec\Common Files\Symantec Shared\*.*
\Norton AntiVirus\*.exe
\Alwil Software\Avast4\*.exe
\McAfee.com\VSO\*.exe
\McAfee.com\Agent\*.*
\McAfee.com\shared\*.*
\Trend Micro\PC-cillin 2002\*.exe
\Trend Micro\PC-cillin 2003\*.exe
\Trend Micro\Internet Security\*.exe
\NavNT\*.exe
\Morpheus\*.dll
\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
\Grisoft\AVG7\*.dll
\TREND MICRO\OfficeScan\*.dll
\Trend Micro\OfficeScan Client\*.exe
\LimeWire\LimeWire 4.2.6\LimeWire.jar
and also \HyperTechnologies\Deep Freeze\*.exe
The virus also looks for the registry keys:
Software\INTEL\LANDesk\VirusProtect6\CurrentVersion
SOFTWARE\Symantec\InstalledApps
SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum
in order to locate and delete further files.

7. Terminates applications whose window caption contains any of the strings:
SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL

8. Deletes entries from:
[Software\Microsoft\Windows\CurrentVersion\Run]
[Software\Microsoft\Windows\CurrentVersion\RunServices]
that contain the following strings:
APVXDWIN
avast!
AVG_CC
AVG7_CC
AVG7_EMC
AVG7_Run
Avgserv9.exe
AVGW
BearShare
ccApp
CleanUp
defwatch
DownloadAccelerator
kaspersky
KAVPersonal50
McAfeeVirusScanService
MCAgentExe
McRegWiz
MCUpdateExe
McVsRte
MPFExe
MSKAGENTEXE
MSKDetectorExe
NAV Agent
NPROTECT
OfficeScanNT Monitor
PCCClient.exe
pccguide.exe
PCCIOMON.exe
PCClient.exe
PccPfw
Pop3trap.exe
rtvscn95
ScanInicio
ScriptBlocking
SSDPSRV
TM Outbreak Agent
tmproxy
Vet Alert
VetTray
VirusScan Online
vptray
VSOCheckTask

9. Notifies the author of the infection by connecting to:
"http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=?????"

10. May display a tray icon in the systray saying "Update Please wait", and also attempt to download an update of itself.

Additional notes:
- the virus also carries a UPX-packed copy of MSWINSCK.OCX, which it registers with the command "regsvr32 /s MSWINSCK.OCX".
- the virus may block access to "http://www.microsoft.com".

Removal instructions:
- use the free removal tool from BitDefender
- automatic removal: let BitDefender delete/disinfect the files found infected.

ANALYZED BY: Patrik Vicol, virus researcher
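Mail-side triage for the lure described above, as an added example; it is not BitDefender's code and not part of the worm. It uses only the subject list and the attachment naming patterns from the description (decoy archive extension followed by a case-varied .scr, or an executable wrapped in a .uu/.b64/.hqx/.bhx/.mim container), and the two sample messages it builds are constructed for the demonstration. For uuencoded containers it reads the member name from the "begin" line, which is enough to see the real executable name without decoding the body.

```python
"""Mail-gateway triage for the Nyxem.E lure described above.

Added example, not BitDefender's code. The subject list and attachment
naming patterns come from the description; the messages built below are
constructed for the demonstration.
"""
import email
import re
from email import policy
from email.message import EmailMessage

# Subjects from the description, compared case-insensitively.
KNOWN_SUBJECTS = {s.lower() for s in (
    "*Hot Movie*", "A Great Video", "eBook.pdf", "Fw: Fw: DSC-00465.jpg",
    "Fw: Funny :)", "Fw: Picturs", "Fw: Real show", "Fw: SeX.mpg", "Fw: Sexy",
    "Fwd: Crazy illegal Sex!", "Fwd: image.jpg", "Fwd: Photo", "give me a kiss",
    "Miss Lebanon 2006", "My photos", "Part 1 of 6 Video clipe", "Photos",
    "Re:", "Re: Sex Video", "School girl fantasies gone bad", "the file",
    "Word file",
)}

# Executable extensions the worm uses (case varied: .pif, .sCR, ...) and the
# encoded containers (uuencode, base64, BinHex, MIME) it wraps them in.
EXEC_EXTS = {".pif", ".scr", ".exe"}
CONTAINER_EXTS = {".b64", ".bhx", ".hqx", ".mim", ".uu", ".uue"}

# "begin 644 <name>" header of a uuencoded member inside a container part.
UU_BEGIN = re.compile(rb"^begin\s+[0-7]{3,4}\s+(.+?)\s*$", re.M)


def real_extension(name):
    """Lower-cased extension that Windows actually honours.

    The worm's decoy names ('Photos,zip .sCR', 'WinZip.zip .sCR') put a fake
    archive extension first; only the final '.xxx' counts.
    """
    m = re.search(r"\.([A-Za-z0-9]+)\s*$", name)
    return "." + m.group(1).lower() if m else ""


def inner_uu_names(data):
    """Member filenames declared by uuencode 'begin' lines in a container."""
    return [m.group(1).decode("latin-1") for m in UU_BEGIN.finditer(data)]


def classify(raw_message):
    """Return the reasons a raw RFC 822 message matches the Nyxem.E lure.

    An empty list means nothing from the description matched.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    reasons = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in KNOWN_SUBJECTS:
        reasons.append(f"known subject: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = real_extension(name)
        if ext in EXEC_EXTS:
            reasons.append(f"executable attachment: {name!r}")
        elif ext in CONTAINER_EXTS:
            members = inner_uu_names(part.get_payload(decode=True) or b"")
            bad = [m for m in members if real_extension(m) in EXEC_EXTS]
            if bad:
                reasons.append(f"uuencoded executable {bad[0]!r} inside {name!r}")
            else:
                reasons.append(f"encoded container attachment: {name!r}")
    return reasons


def build_sample(subject, attachments):
    """Construct a test message; attachments is a list of (filename, bytes)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"   # constructed addresses
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("hello, i send the details")   # composed body from the description
    for filename, data in attachments:
        msg.add_attachment(data, maintype="application", subtype="octet-stream",
                           filename=filename)
    return msg.as_bytes()


# Constructed lure: worm-style subject, a decoy-named .scr, and a .uu container
# whose uuencode header declares another decoy-named .scr (stub bodies only).
LURE = build_sample("Fw: SeX.mpg", [
    ("Photos,zip .sCR", b"MZ\x90\x00"),
    ("eBook.Uu", b"begin 644 WinZip,zip .scR\r\n`\r\nend\r\n"),
])
# Constructed benign message for comparison.
BENIGN = build_sample("Q3 budget", [("budget.xlsx", b"PK\x03\x04")])

if __name__ == "__main__":
    for label, raw in (("lure", LURE), ("benign", BENIGN)):
        print(label, classify(raw) or "clean")
```

Matching on the real extension rather than the displayed name is the point: a gateway rule that only blocks "*.scr" misses "Photos,zip .sCR" if it compares case-sensitively or stops at the first dot, and a rule that only inspects the outer attachment misses the .scr declared inside an eBook.Uu container.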
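Post-payload triage for the 3rd-of-month overwrite and the share-propagation step, as an added example; it is not BitDefender's removal tool. It takes the extension list, the marker string "DATA Error [47 0F 94 93 F4 K5]" and the dropped filenames from the description, walks a directory tree (a file server share after the 3rd, for instance) and reports documents whose content now begins with the marker, plus any copies of the worm dropped under the names listed in step 5. The sample tree it builds is constructed for the demonstration.

```python
"""Post-payload triage for Nyxem.E: find overwritten documents and dropped copies.

Added example, not BitDefender's tool. Extensions, marker and dropped
filenames come from the description above; the sample tree is constructed.
"""
import os
import sys
import tempfile

# Extensions targeted by the payload and the string written over their content.
PAYLOAD_EXTS = {".dmp", ".doc", ".mdb", ".mde", ".pdf", ".pps", ".ppt",
                ".psd", ".rar", ".xls", ".zip"}
PAYLOAD_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Names the worm copies itself under on shares and in the Startup folder (step 5).
DROPPED_NAMES = {n.lower() for n in (
    "New WinZip File.exe", "Zipped Files.exe", "movies.exe",
    "WINZIP_TMP.exe", "WinZip Quick Pick.exe",
)}


def is_overwritten(path):
    """True if the file content starts with the payload marker.

    The payload replaces the whole content with the marker string, so a
    genuine document never begins with it; a missing/unreadable file is
    reported as not overwritten rather than raising.
    """
    try:
        with open(path, "rb") as fh:
            return fh.read(len(PAYLOAD_MARKER)) == PAYLOAD_MARKER
    except OSError:
        return False


def scan(root):
    """Walk root and return (damaged, dropped) as sorted root-relative paths."""
    damaged, dropped = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            if name.lower() in DROPPED_NAMES:
                dropped.append(rel)
            elif os.path.splitext(name)[1].lower() in PAYLOAD_EXTS and is_overwritten(path):
                damaged.append(rel)
    return sorted(damaged), sorted(dropped)


def build_sample_tree(base):
    """Constructed sample tree: two overwritten documents, one intact one,
    a dropped worm copy, and a .txt the payload does not target."""
    os.makedirs(os.path.join(base, "share", "reports"))
    samples = {
        "share/reports/q1.doc": PAYLOAD_MARKER,
        "share/reports/q2.xls": PAYLOAD_MARKER,
        "share/reports/intact.doc": b"\xd0\xcf\x11\xe0 stub OLE header",
        "share/WINZIP_TMP.exe": b"MZ stub, not a real executable",
        "share/notes.txt": PAYLOAD_MARKER,
    }
    for rel, data in samples.items():
        with open(os.path.join(base, *rel.split("/")), "wb") as fh:
            fh.write(data)


def demo():
    """Build the constructed tree in a temp dir and scan it."""
    base = tempfile.mkdtemp(prefix="nyxem-triage-")
    build_sample_tree(base)
    return scan(base)


if __name__ == "__main__":
    # Usage: python triage.py [root]; with no argument the constructed tree is scanned.
    damaged, dropped = scan(sys.argv[1]) if len(sys.argv) > 1 else demo()
    for rel in damaged:
        print("OVERWRITTEN", rel)
    for rel in dropped:
        print("DROPPED COPY", rel)
```

Files listed as OVERWRITTEN contain only the marker string; their original content is gone and has to be restored from backup, which is why a triage run that produces the list of damaged paths is the first step after an outbreak rather than any attempt to "repair" them. The DROPPED COPY names are a spreading vector, not damage, and should be removed.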