Worm 'Nyxem.e' spreading fast, raises concern

dipdude

'Nyxem.e' is a mass-mailing worm that carries a "nuclear option" payload that corrupts data in popular file formats; it also spreads through remote shares.

It accounts for 1 out of every 15 pieces of malicious code. It is similar to the 'Email-Worm.Win32.VB.bi' that was found a few days ago.

F-Secure disclosed that the Nyxem.e worm carries code that instructs it to replace the data in files with .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, or .dmp extensions with the useless string "DATA Error [47 0F 94 93 F4 K5]" on the third of the month.

The viciousness of the worm can also be gauged by the fact that it tries to delete selected security software. It also spreads through shared folders and to addresses hijacked from infected PCs.

The way the mails arrive has led various security sites to dub it the 'Kama Sutra worm'. It arrives as an attachment to e-mail messages with a variety of subject lines, many of which tout porn with phrases like "Arab sex," "give me a kiss," "Hot Movie," and "F***** Kama Sutra pics."

Details about the worm:

Nyxem.E is written in Visual Basic and compiled as p-code. The size of the main executable is about 95 kilobytes. When executed, the worm first copies itself to several locations:
  • %Windows%\rundll16.exe
  • %System%\scanregw.exe
  • %System%\Update.exe
  • %System%\Winzip.exe
Startup entry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe /scan"

Details about the extensions affected & mail headers:

Payload:
The worm has a dangerous payload. On the 3rd day of every month, after the worm's UPDATE.EXE file is run, it destroys files with the following extensions on all available drives. The file contents are replaced with the text string "DATA Error [47 0F 94 93 F4 K5]".
  • *.doc
  • *.xls
  • *.mdb
  • *.mde
  • *.ppt
  • *.pps
  • *.zip
  • *.rar
  • *.pdf
  • *.psd
  • *.dmp
The worm collects e-mail addresses from files with the following extensions:
  • .HTM
  • .DBX
  • .EML
  • .MSG
  • .OFT
  • .NWS
  • .VCF
  • .MBX
  • .IMH
  • .TXT
  • .MSF
Mail headers:
  • The Best Videoclip Ever
  • School girl fan***** gone bad
  • A Great VideoF****
  • Kama Sutra pics
  • Arab ***
  • DSC-00465.jpg
  • give me a ki***
  • Hot Movie
  • Fw: Funny :)
  • Fwd: Photo
  • Fwd: image.jpg
  • Fw: Sexy
  • Re:
  • Fw:
  • Fw: Picturs
  • Fw: DSC-00465.jpg
  • Word file
  • eBook.pdf
  • the file
  • Part 1 of 6 Video clipe
  • You Must View This Videoclip!
  • Miss Lebanon 2006
  • Re: S** Video
  • My photos
Infection counter:

The worm has an interesting feature. When it infects a computer, it opens a web browser on a certain webpage, which increments the counter on that page. At the moment the counter is close to 400,000.

TechEnclave Advice:
  1. To avoid being infected, it is best not to download or open mails with the above headers & attachments.
  2. Update the signatures of your Antivirus & Antispyware programs.
  3. Always scan your mail attachments before opening them.

___________________________

Update:

The worm 'Nyxem.e' is scheduled to create havoc on 3rd February.

The worm was accounting for about 35 percent of virus traffic as of Monday morning. It seems the worm is still spreading, albeit a bit more slowly.

The fact is, it is still gaining ground, and with the payload it carries it can cause widespread damage by overwriting your crucial Microsoft Office and Adobe documents.

"On Friday the counter was at 270,000," said Hypponen, "but early Monday, it was at 680,000. That's 400,000 PCs that have been infected in one weekend."

Also Known As:

W32.Blackmal.E@mm [Symantec], WORM_GREW.{A, B} [Trend Micro], W32/Nyxem-D [Sophos], W32/MyWife.d@MM [McAfee], Email-Worm.Win32.VB.bi, Email-Worm.Win32.Nyxem.e [F-Secure], W32/Small.KI@mm [Norman], Win32/Blackmal.F [Computer Associates], Tearec.A [Panda Software]

Systems Affected:

Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP

Norton has released a removal tool:

To download the removal tool click here.
__________________________

Just In:

'Nyxem.e' fools Windows by spoofing digital certificates.

The security threat posed by the worm 'Nyxem.e' has just gone through the roof because of a new finding made by the security company Fortinet.

It seems the worm fools Windows into accepting malicious ActiveX controls by spoofing digital certificates.

It achieves this by adding 18 entries to the Windows Registry, which helps the ActiveX control slip through the operating system's defences. In other words, by adding those registry entries it makes the control look 'safe' and 'digitally signed' in the eyes of the operating system.

"If a worm puts a fake certificate on an infected machine, MITM [Man-In-The-Middle] attacks become extremely easy."

______________________________

Update:

Kama Sutra worm hits India, Peru hardest

India has the infamous honour of topping the list, with nearly 80,000 infected PCs. Peru, which came in second, sports almost 55,000 compromised computers.

In comparison, the United States has about 15,000 machines contaminated with the worm.

"Viruses don't always spread uniformly," LURHQ said in its report. "There are many factors at play which are hard to quantitise, such as the initial seeding, social engineering, AV deployment, and random chance. And, as with all statistics, take [these] with a grain of salt."

LURHQ tagged the total number of Blackworm-infected computers at around 300,000 — a number bandied about last week — even though a web-based infection counter claims a number in the millions. LURHQ, however, was able to strip out bogus "clicks" on that counter to arrive at its estimate.

"An attempt was made by an unknown party to artificially inflate the counter using a set of 279 distributed (presumably compromised) computers," said LURHQ.

TE Suggestion:

  • The worm is set to erase files on Feb 3rd, update your virus signatures and scan your systems thoroughly so as not to regret it later.
  • You can also run the standalone removal tool by Norton :
    To download the removal tool click here.

____________________________

Just In:

Microsoft not to issue Kama Sutra Fix before Feb 3rd

Microsoft Monday posted a security advisory on the KamaSutra/Blackworm/MyWife/Nyxem.e worm that's set to overwrite Office documents on infected PCs Friday.

Microsoft has decided against updating its Windows Malicious Software Removal Tool before the next regularly-scheduled release of Feb. 14.

Microsoft offered no explanation why the tool wouldn't be updated earlier.

Both the company's free online security service, Windows Live Safety, and its in-beta OneCare Live software, however, will disinfect compromised computers, Microsoft said.

_________________________

Final Countdown:

Worm already hits systems with wrongly set clocks

The Kama Sutra worm has begun trashing files on infected machines with incorrectly set system clocks. Even though the worm is programmed to first delete files on infected machines on Friday (February 3), its deadline is based on the clock of the infected Windows PC.

F-Secure says it has already received two reports from users who've had files on their system overwritten by the worm.

This old-school "trash your Windows PC" worm has infected an estimated 600,000 machines, with the US, India and Peru having the greatest number of infected machines.

One US firm alone is responsible for around 75,000 infection hits, according to an analysis by security firm LURHQ.

________________________________________

Update:

Worm has minimal impact:

Many users of infected machines have cleaned up their act, according to MessageLabs.

The worm is likely to have affected home users' machines anyway, given that small, medium and large organisations appear to have learned their lesson from previous exploits.

It estimates the worm is currently live on 20,000 IP addresses, suggesting 20,000 individual home users or organisations worldwide are currently infected by Kama Sutra, a big fall from earlier this week. MessageLabs has seen worm 'clean-up' from approximately 11,000 IP addresses a day.

However, this virus writer did do one good thing, intentionally or not: he or she provided a two-week window before activation of the payload to destroy data. This has allowed many smart computer users and businesses an opportunity to disinfect their machines and hopefully take protective measures.

Nevertheless, and according to reports, the Kama Sutra worm forced the municipality of Milano to turn off 10,000 machines.

We are hopeful that this does not indicate a return to destructive, nuisance viruses.

Naming:

The Nyxem virus family that spawned Kama Sutra (AKA Nyxem-E) made its debut in March 2004. The first worm in the series launched a DDoS attack against the "New York Mercantile Exchange" website (www.nymex.com). The motive and perpetrator of the virus series remains unknown.

________________________________

Update:

Not overhyped after all, stats out:

Although the Nyxem.e worm was found to have caused very little actual damage, researchers estimate that the worm in total infected between 469,507 and 946,835 systems between 15 January and 1 February.

The worm is considered a rare specimen because each infected system contacted a website a single time, providing both the worm author and security researchers with information about its proliferation.

Two researchers from the Cooperative Association for Internet Data Analysis (CAIDA) studied the visitor logs and, after correcting for outside visitors, arrived at a figure of at least 469,507 infections. The team was made up of CAIDA's technical director David Moore and Colleen Shannon, a senior security researcher.

Based on the lowest infection count, Nyxem.e claimed most of its victims in India (32.2 per cent), followed by Peru (18.7 per cent), Italy (8.1 per cent), Turkey (6.0 per cent) and the US (5.6 per cent), the data showed.

"Our estimates of the total number of victims of Nyxem.e are an order of magnitude less than estimates of the spread of other email viruses," the duo concluded.

They credited the broad attention for the worm with curbing the online pest and cleaning up many systems before it could do its destructive work. There were only a few reports of users losing data, although they asserted that the full extent of the damage will likely never be known.

The limited number of damage reports had caused speculation that the security sector or the media had overhyped Nyxem.e's threat. But the number of infections appears to justify the attention given to the worm.

The researchers however warned that users shouldn't claim victory just yet. There has been a significant cost to users and organisations in scanning and cleaning up systems. The worm also continues to pose a risk, as it is set to activate again on 3 March.
 
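A triage script for the indicators collected in this post, added here as an example; it is not code from the original post or from any antivirus vendor. It checks a machine for the four dropped copies, for the ScanRegistry Run value, and for documents whose contents have already been replaced with the "DATA Error [47 0F 94 93 F4 K5]" string. The paths, value name, marker and extension list are the ones quoted above; the file names in the sample tree it builds for an offline run are constructed, and the remark about the legitimate Windows 9x ScanRegistry entry is my own caveat. Without an argument it runs against that sample tree; with a drive or folder as argument (python nyxem_triage.py D:\) it scans the real host.

```python
"""Host triage for the Nyxem.e / Kama Sutra indicators listed in the post above.
Added example, not the post's or any vendor's code. Indicators come from the
post; the sample tree built by build_sample_tree() is constructed."""
import os
import sys
import tempfile
from pathlib import Path
from typing import Dict, List

MARKER = b"DATA Error [47 0F 94 93 F4 K5]"   # payload replaces file content with this
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}
DROPPED_COPIES = [("%Windows%", "rundll16.exe"), ("%System%", "scanregw.exe"),
                  ("%System%", "Update.exe"), ("%System%", "Winzip.exe")]
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ScanRegistry"

def is_overwritten(path: Path) -> bool:
    """True if the file now begins with the payload marker. No genuine Office, PDF
    or archive file starts with this ASCII string, so a prefix match is enough."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False

def find_overwritten(root: Path) -> List[Path]:
    """Walk root and return targeted-extension files carrying the marker."""
    return sorted(p for p in root.rglob("*")
                  if p.is_file() and p.suffix.lower() in TARGET_EXTENSIONS
                  and is_overwritten(p))

def find_dropped_copies(windows_dir: Path, system_dir: Path) -> List[Path]:
    """Return the worm's known drop locations that exist on this host."""
    dirs = {"%Windows%": windows_dir, "%System%": system_dir}
    return sorted(dirs[d] / n for d, n in DROPPED_COPIES if (dirs[d] / n).exists())

def run_value_is_suspicious(data: str) -> bool:
    """Match the worm's persistence value "%System%\\scanregw.exe /scan".
    Caveat (mine): Windows 9x ships a legitimate ScanRegistry value
    ("%Windows%\\scanregw.exe /autorun"), so the value name alone is not an
    indicator; the "/scan" switch is what marks the worm's entry."""
    return data.strip().strip('"').lower().endswith("scanregw.exe /scan")

def check_run_key() -> List[str]:
    """Look for the worm's Run value under HKLM and HKCU (Windows only)."""
    try:
        import winreg  # stdlib, but only present on Windows
    except ImportError:
        return []
    findings = []
    for hive_name, hive in (("HKLM", winreg.HKEY_LOCAL_MACHINE),
                            ("HKCU", winreg.HKEY_CURRENT_USER)):
        try:
            with winreg.OpenKey(hive, RUN_KEY) as key:
                data, _kind = winreg.QueryValueEx(key, RUN_VALUE)
        except OSError:
            continue
        if run_value_is_suspicious(str(data)):
            findings.append(f"{hive_name}\\{RUN_KEY}\\{RUN_VALUE} = {data}")
    return findings

def triage(root: Path, windows_dir: Path, system_dir: Path,
           check_registry: bool = True) -> Dict[str, List[str]]:
    """Run the three checks; file results are reported by name."""
    return {
        "dropped_copies": [p.name for p in find_dropped_copies(windows_dir, system_dir)],
        "run_key": check_run_key() if check_registry else [],
        "overwritten": [p.name for p in find_overwritten(root)],
    }

def build_sample_tree(base: Path) -> None:
    """Constructed sample data for an offline run (not real worm output)."""
    win, docs = base / "windows", base / "docs" / "2006"
    sys32 = win / "system32"
    for d in (sys32, docs):
        d.mkdir(parents=True, exist_ok=True)
    (win / "rundll16.exe").write_bytes(b"MZ")                  # fake dropped copy
    (sys32 / "Update.exe").write_bytes(b"MZ")                  # fake dropped copy
    (docs / "intact.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"\0" * 64)  # untouched
    (docs / "budget.xls").write_bytes(MARKER)                  # trashed by the payload
    (docs / "thesis.pdf").write_bytes(MARKER + b"\n")          # trashed, trailing newline
    (docs / "notes.txt").write_bytes(MARKER)                   # .txt is not targeted

def demo() -> Dict[str, List[str]]:
    """Triage the constructed tree; the registry check is skipped so it runs anywhere."""
    base = Path(tempfile.mkdtemp(prefix="nyxem-demo-"))
    build_sample_tree(base)
    return triage(base / "docs", base / "windows", base / "windows" / "system32",
                  check_registry=False)

if __name__ == "__main__":
    win = Path(os.environ.get("SystemRoot", r"C:\Windows"))
    report = (triage(Path(sys.argv[1]), win, win / "system32") if len(sys.argv) > 1
              else demo())  # no argument: run against the constructed sample tree
    for section, items in report.items():
        print(section, items)
```

Anything listed under overwritten is already lost and has to come from backup; hits under dropped_copies or run_key mean the payload is still armed, and since the trigger is the local clock rather than the calendar (see the wrongly-set-clock reports above), the machine should be cleaned before the clock reaches the 3rd, not before the 3rd of February.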
 
Crap!!!!!

I already got a mail with the heading "Part 1 of 6 Video clipe" and deleted it straight away.. thank god.. I guess the Yahoo virus check will detect this virus anyway.. thanks for the heads-up anyway, dipdude!!

DC.
 
****KKKKKKKKKKKKKK my system clock was wrongly set; let's see what happens now. Any idea what kind of packets are susceptible to this worm's activities and what ports they enter by, or is it just random?
 
damn.. my friend's cyber cafe is already hit by this worm.. although nothing was deleted because it was yet to be activated.. he had problems with Norton Antivirus.. he did download the removal tool, it didn't help.. and I don't even have Norton.. mine screwed up too.. I'm guessing I've got the same virus.. hope it's not true though..

Did a scan using the removal tool in safe mode right at 12 AM.. no virus found. Managed to install and update Norton 5 minutes before I hit 12 on my system.. so far so good.

The virus on my friend's cyber cafe was detected by Norton and deleted but somehow still made it onto all the comps of the cafe.. god knows what the state will be once it starts deleting.. I don't know if it already has.

Anyway, I'm safe so far.. gonna do a system scan tonight.. hopefully no virus when I check back in the morning..

Was tensed up because I have a lot of very important stuff on my comp.. I hope this shi.t doesn't happen..
 
Well, today is perhaps the biggest day of destruction caused by a freakin' ****ing program written in Visual Basic in the computer world.
 
hi,

thanks buddy for keeping us all well informed about the worm, and I bet ya.... it's only on TE with such coverage.... thanks again..
 