Threat Analysis

BlackWorm Hostile Payload Scheduled to Activate Feb 3

  • Date: January 24, 2006
  • Author: Joe Stewart

Analysis

The email worm known as BlackWorm/Nyxem/Blackmal/Blueworm/Grew is scheduled to delete certain file types on Feb 3, 2006 (it actually overwrites the files with a small text message).

We have been tracking worldwide infections of this worm through a web stats counter to which the worm reports infections. The count currently stands at 679,000, but it has tapered off in the last day or so. Even though this seems like a large number, as email viruses go, it is not a major threat in terms of email volume. The threat posed by this worm is the overwriting of files, which is scheduled to occur on February 3, 2006. The file types in question are DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.

Update:

January 26, 2006 - Additional analysis has shown the actual infection count to be closer to 300,000 worldwide.

More information about the functions performed by this worm can be found at:

http://www.f-secure.com/v-descs/nyxem_e.shtml

Solution

In most cases, blocking executable and unknown file types at the email gateway is enough to prevent the worm from entering a network. The attachments sent by the worm may contain the following extensions: pif, scr, mim, uue, hqx, bhx, b64, and uu.

SecureWorks has deployed the following Snort signatures to detect infections of the worm:

alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:1000376; rev:1;)

alert tcp any any -> any 80 (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; classtype:misc-activity; sid:1000377; rev:1;)
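
The matching logic of the two signatures above, restated in Python so captured request payloads can be checked offline. This is an added example, not SecureWorks code; the function names and all sample payloads (including the df value and the Referer URL) are constructed for illustration.

```python
# Added example: the two Snort rules above restated as Python predicates.
# Matching is case-sensitive, as in the rules (neither uses "nocase").

COUNTER_PREFIX = b"GET /cgi-bin/Count.cgi?"        # 23 bytes, hence depth:23
COUNTER_HOST = b"Host: webstats.web.rcn.net"
AGENTLESS = (b"GET / HTTP/1.1\r\n"
             b"Host: www.microsoft.com\r\n"
             b"Connection: Keep-Alive\r\n"
             b"Cache-Control: no-cache\r\n\r\n")    # 92 bytes, hence dsize:92


def match_sid_1000376(payload):
    """Counter request to webstats.web.rcn.net that carries no Referer."""
    return (COUNTER_PREFIX in payload[:23]          # content + depth:23
            and b"df=" in payload                   # content:"df|3d|"
            and COUNTER_HOST in payload
            and b"Referer:" not in payload)         # content:!"Referer|3a|"


def match_sid_1000377(payload):
    """Bare request to www.microsoft.com: no User-Agent, exactly 92 bytes."""
    return len(payload) == 92 and AGENTLESS in payload


def classify(payload, dst_port=80):
    """Return the sids that would fire for one TCP payload sent to dst_port."""
    if dst_port != 80:                              # both rules are "-> any 80"
        return []
    rules = ((1000376, match_sid_1000376), (1000377, match_sid_1000377))
    return [sid for sid, matches in rules if matches(payload)]


# Constructed sample payloads (not captured traffic).
_COUNTER = (b"GET /cgi-bin/Count.cgi?df=PLACEHOLDER HTTP/1.1\r\n"
            b"Host: webstats.web.rcn.net\r\n")
SAMPLES = {
    "counter_no_referer": _COUNTER + b"\r\n",
    "counter_with_referer": _COUNTER + b"Referer: http://example.com/\r\n\r\n",
    "agentless_microsoft": AGENTLESS,
    "browser_microsoft": (b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
                          b"User-Agent: Mozilla/4.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, payload in SAMPLES.items():
        print(name, classify(payload))
```

The Referer and User-Agent samples show why the rules key on what is absent: a browser loading the same counter or the same site sends those headers and does not match.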

At this time we have seen almost no infections across our customer base using our IDS platform and these signatures. Networks which utilize up-to-date desktop antivirus on all machines should experience no problems; however, the worm does attempt to disable AV and security software, so advising users to test their AV may also be in order. If the AV refuses to run, it may be an indication of infection by this or another worm.

It is important to note that although the worm enters a network as an email attachment, once a machine is infected, it will attempt to copy itself to open MS network C or Admin shares as WINZIP_TMP.exe, so machines without email access could still be affected. If you have any of these shares open on your network, searching for this file name on the shares is a good way to tell if anyone has been infected.
