Email-Worm.Win32.Nyxem.e

Other versions: .a

Detection added: Jan 17 2006
Update released: Jan 24 2006 14:02 GMT
Description added: Jan 24 2006
CME-ID: CME-24
Behavior: Email Worm

Technical details

This worm spreads via the Internet as an attachment to infected messages and via open network resources.

It sends itself to email addresses harvested from the victim computer.

The worm itself is a PE EXE file written in Visual Basic, packed using UPX. The packed file is approximately 95KB in size, and the unpacked file is approximately 176KB in size.

Installation

Once launched, the worm masks its main functionality by creating and opening a ZIP archive in the Windows system directory. The archive has the same name as the original executable file, e.g.

%System%\Sample.zip

When installing, the worm copies itself to the Windows root, system and startup directories under the following names:

%System%\New WinZip File.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe
%System%\WINZIP_TMP.EXE
%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
%Windir%\rundll16.exe

The worm then registers itself in the system registry so that it is launched each time Windows starts on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
 "ScanRegistry"="scanregw.exe /scan"

The worm also sets the following registry values (ShowSuperHidden=0 makes Explorer hide files carrying the hidden and system attributes; WebView=0 turns off the folder web view):

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
 "WebView"="0"
 "ShowSuperHidden"="0"

Propagation via email

The worm harvests addresses from files with the following extensions:

dbx
eml
htm
imh
mbx
msf
msg
nws
oft
txt
vc

It also harvests addresses from files whose names contain the following strings:

content
temporary

When sending infected messages, the worm attempts to establish a direct connection to the recipient's SMTP server.

Infected messages

Message subject:

  • *Hot Movie*
  • A Great Video
  • Arab sex DSC-00465.jpg
  • eBook.pdf
  • Fuckin Kama Sutra pics
  • Fw:
  • Fw: DSC-00465.jpg
  • Fw: Funny :)
  • Fw: Picturs
  • Fw: Real show
  • Fw: SeX.mpg
  • Fw: Sexy
  • Fwd: Crazy illegal Sex!
  • Fwd: image.jpg
  • Fwd: Photo
  • give me a kiss
  • Miss Lebanon 2006
  • My photos
  • Part 1 of 6 Video clipe
  • Photos
  • Re:
  • Re: Sex Video
  • School girl fantasies gone bad
  • The Best Videoclip Ever
  • You Must View This Videoclipe!

Message body:

  • ----- forwarded message -----
  • >> forwarded message
  • forwarded message attached.
  • Fuckin Kama Sutra pics
  • hello, i send the file. Bye
  • Hot XXX Yahoo Groups
  • how are you? i send the details.
  • i attached the details. Thank you.
  • i just any one see my photos. It's Free :)
  • Note: forwarded message attached. You Must View This Videoclip!
  • Please see the file.
  • Re: Sex Video
  • ready to be FUCKED ;)
  • The Best Videoclip Ever
  • VIDEOS! FREE! (US$ 0,00)
  • What?

Attachment name:

  • 007.pif
  • 04.pif
  • 3.92315089702606E02.UUE
  • 677.pif
  • Attachments[001].B64
  • document.pif
  • DSC-00465.Pif
  • DSC-00465.pIf
  • eBook.PIF
  • eBook.Uu
  • image04.pif
  • New_Document_file.pif
  • Original Message.B64
  • photo.pif
  • School.pif
  • SeX.mim
  • WinZip.BHX
  • Word_Document.hqx
  • Word_Document.uu
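The following is an added example, not part of the original Viruslist description: a Python filter that scores a raw RFC 822 message against the subject, body and attachment-name indicators listed above. The two sample messages inside it are constructed, and the scoring weights are this example's own choice, not something the description specifies.

```python
import email
from email import policy

# Indicator strings transcribed from the "Infected messages" lists above.
SUBJECTS = {
    "*Hot Movie*", "A Great Video", "Arab sex DSC-00465.jpg", "eBook.pdf",
    "Fuckin Kama Sutra pics", "Fw:", "Fw: DSC-00465.jpg", "Fw: Funny :)",
    "Fw: Picturs", "Fw: Real show", "Fw: SeX.mpg", "Fw: Sexy",
    "Fwd: Crazy illegal Sex!", "Fwd: image.jpg", "Fwd: Photo", "give me a kiss",
    "Miss Lebanon 2006", "My photos", "Part 1 of 6 Video clipe", "Photos", "Re:",
    "Re: Sex Video", "School girl fantasies gone bad", "The Best Videoclip Ever",
    "You Must View This Videoclipe!",
}
BODIES = (
    "----- forwarded message -----", ">> forwarded message",
    "forwarded message attached.", "Fuckin Kama Sutra pics",
    "hello, i send the file. Bye", "Hot XXX Yahoo Groups",
    "how are you? i send the details.", "i attached the details. Thank you.",
    "i just any one see my photos. It's Free :)",
    "Note: forwarded message attached. You Must View This Videoclip!",
    "Please see the file.", "Re: Sex Video", "ready to be FUCKED ;)",
    "The Best Videoclip Ever", "VIDEOS! FREE! (US$ 0,00)", "What?",
)
ATTACHMENTS = {
    "007.pif", "04.pif", "3.92315089702606E02.UUE", "677.pif",
    "Attachments[001].B64", "document.pif", "DSC-00465.Pif", "eBook.PIF",
    "eBook.Uu", "image04.pif", "New_Document_file.pif", "Original Message.B64",
    "photo.pif", "School.pif", "SeX.mim", "WinZip.BHX", "Word_Document.hqx",
    "Word_Document.uu",
}
# .pif runs directly; .uue/.uu (uuencode), .b64 (base64), .mim (MIME) and
# .bhx/.hqx (BinHex) are encoded wrappers that an extension-only filter for
# .exe/.pif/.scr never sees.
SUSPICIOUS_EXTS = {"pif", "uue", "uu", "b64", "mim", "bhx", "hqx"}
# Bare "Fw:" / "Re:" appear in the list but are too generic to score alone.
GENERIC_SUBJECTS = {"fw:", "re:"}
_SUBJECTS_LC = {s.lower() for s in SUBJECTS}
_ATTACHMENTS_LC = {a.lower() for a in ATTACHMENTS}  # DSC-00465.Pif / .pIf collapse


def classify_message(raw: bytes) -> dict:
    """Parse one raw RFC 822 message and score it against the indicators."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["subject"] or "").strip()
    hits = {"subject": [], "body": [], "attachment": [], "extension": []}
    if subject.lower() in _SUBJECTS_LC:
        hits["subject"].append(subject)
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().lower() if body_part is not None else ""
    hits["body"] = [b for b in BODIES if b.lower() in body]
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() in _ATTACHMENTS_LC:
            hits["attachment"].append(name)
        if "." in name and name.rsplit(".", 1)[1].lower() in SUSPICIOUS_EXTS:
            hits["extension"].append(name)
    # Weights are this example's choice: a known attachment name decides on
    # its own; a suspicious extension, body text and a specific subject
    # corroborate each other.
    score = (3 if hits["attachment"] else 0) + (2 if hits["extension"] else 0)
    score += 2 if hits["body"] else 0
    if hits["subject"] and subject.lower() not in GENERIC_SUBJECTS:
        score += 1
    verdict = "block" if score >= 3 else ("review" if score else "pass")
    return {"verdict": verdict, "score": score, "hits": hits}


# Constructed sample messages (not real captures).
SAMPLE_WORM = b"""Subject: Fw: SeX.mpg
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Note: forwarded message attached. You Must View This Videoclip!
--b1
Content-Type: application/octet-stream; name="SeX.mim"
Content-Disposition: attachment; filename="SeX.mim"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA
--b1--
"""
SAMPLE_BENIGN = b"""Subject: Fw:
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Please see the attached quarterly figures.
--b2
Content-Type: application/pdf; name="q4.pdf"
Content-Disposition: attachment; filename="q4.pdf"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b2--
"""

if __name__ == "__main__":
    for sample in (SAMPLE_WORM, SAMPLE_BENIGN):
        print(classify_message(sample))
```

Run it on a saved message with `classify_message(open(path, "rb").read())`. The point of the weighting is that the worm's subjects are shared with ordinary forwarded mail, so a gateway rule keyed on subject alone would block legitimate traffic; the attachment name and the encoded-wrapper extensions are the reliable signal.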

Propagation via open network resources

The worm copies itself as Winzip_TMP.exe to the following administrative shares:

ADMIN$
C$

Other

If any of the values listed below (autostart entries of antivirus, firewall and file-sharing programs) are present under the following registry keys, the worm deletes them:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

Value names:
APVXDWIN
avast!
AVG7_CC
AVG7_EMC
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
BearShare 
defwatch
DownloadAccelerator
kaspersky
KAVPersonal50
McAfeeVirusScanService
NAV Agent
OfficeScanNT Monitor
PCCClient.exe
pccguide.exe 
PCCIOMON.exe
PccPfw
Pop3trap.exe
rtvscn95
ScanInicio
SSDPSRV
TM Outbreak Agent
tmproxy
Vet Alert
VetTray 
vptray
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte

The worm also terminates any running application whose name contains one of the following strings:

kaspersky 
mcafee 
norton 
removal 
scan 
symantec 
trend micro 
virus 
fix

It deletes all files matching the following patterns (antivirus, firewall and file-sharing program directories):

%ProgramFiles%\DAP\*.dll 
%ProgramFiles%\BearShare\*.dll 
%ProgramFiles%\Symantec\LiveUpdate\*.* 
%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.* 
%ProgramFiles%\Norton AntiVirus\*.exe 
%ProgramFiles%\Alwil Software\Avast4\*.exe 
%ProgramFiles%\McAfee.com\VSO\*.exe 
%ProgramFiles%\McAfee.com\Agent\*.* 
%ProgramFiles%\McAfee.com\shared\*.* 
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe 
%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe 
%ProgramFiles%\Trend Micro\Internet Security\*.exe 
%ProgramFiles%\NavNT\*.exe 
%ProgramFiles%\Morpheus\*.dll 
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl 
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe 
%ProgramFiles%\Grisoft\AVG7\*.dll 
%ProgramFiles%\TREND MICRO\OfficeScan\*.dll 
%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe 
%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

All of these actions leave the victim machine more vulnerable to subsequent attacks.

It may also download updates to itself via the Internet, without the knowledge or consent of the user.

It will also block the mouse and the keyboard.

On the 3rd of each month, 30 minutes after the victim computer is started, the worm overwrites files with the following extensions:

.doc 
.xls 
.mdb 
.mde 
.ppt 
.pps 
.zip 
.rar 
.pdf 
.psd 
.dmp

Files corrupted by the worm contain the following text:

DATA Error [47 0F 94 93 F4 F5]
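An added example, not part of the original description, that encodes the payload trigger and the corruption marker from the text above in Python: it reports whether a machine is inside the 3rd-of-month window, the date by which an infected machine must be cleaned or isolated, and which files with the targeted extensions already carry the marker. Reading only the first 64 KiB of each file is an assumption made for speed.

```python
import os
from datetime import datetime, timedelta

# Marker text the description says corrupted files contain.
CORRUPTION_MARKER = b"DATA Error [47 0F 94 93 F4 F5]"
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}
HEAD_BYTES = 64 * 1024  # assumption: marker is found within the first 64 KiB


def in_trigger_window(now: datetime, boot_time: datetime) -> bool:
    """True when the payload conditions hold: the calendar day is the 3rd and
    the machine has been up for at least 30 minutes."""
    return now.day == 3 and (now - boot_time) >= timedelta(minutes=30)


def next_trigger_day(now: datetime) -> datetime:
    """Midnight of the next 3rd-of-month date on or after `now`'s date, i.e.
    the deadline for cleaning or isolating an infected machine."""
    if now.day <= 3:
        candidate = now
    else:  # roll into the following month
        candidate = (now.replace(day=1) + timedelta(days=32)).replace(day=1)
    return candidate.replace(day=3, hour=0, minute=0, second=0, microsecond=0)


def is_corrupted(path: str) -> bool:
    """Check the head of one file for the corruption marker."""
    with open(path, "rb") as fh:
        return CORRUPTION_MARKER in fh.read(HEAD_BYTES)


def find_corrupted(root: str) -> list[str]:
    """Walk `root` and return the targeted-extension files carrying the marker."""
    hits = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            path = os.path.join(dirpath, name)
            try:
                if is_corrupted(path):
                    hits.append(path)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
    return sorted(hits)


if __name__ == "__main__":
    import sys
    print("next payload day:", next_trigger_day(datetime.now()).date())
    for p in find_corrupted(sys.argv[1] if len(sys.argv) > 1 else "."):
        print("corrupted:", p)
```

Files reported by find_corrupted cannot be repaired from their own contents; they have to be restored from backup. The trigger date is the practical reason the removal steps below should be completed before the 3rd, and why a machine that cannot be cleaned in time should be kept switched off or disconnected on that day.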

Removal instructions
  1. Reboot your computer in Safe Mode: press F8 while the machine is starting and choose Safe Mode from the menu when it appears.
  2. In Task Manager, terminate any process with one of the following names:
    rundll16.exe
    scanregw.exe
    Update.exe
    Winzip.exe
    WINZIP_TMP.EXE 
    New WinZip File.exe
    WinZip Quick Pick.exe
  3. Manually delete the following files from the Windows root, system and startup directories:
    %Windir%\rundll16.exe
    %System%\scanregw.exe
    %System%\Update.exe
    %System%\Winzip.exe
    %System%\WINZIP_TMP.EXE 
    %System%\New WinZip File.exe
    %User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
  4. Delete the following value from the system registry:
    [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
    "ScanRegistry" = "scanregw.exe /scan"
  5. Reboot your computer and check you have deleted all infected messages from all mail folders.
  6. If any applications have been damaged (in most cases this will be antivirus solutions and firewall programs) you will need to re-install them.
  7. Perform a full scan of your computer with an up-to-date antivirus product.
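An added example, not from the Viruslist description, that turns the file and registry indicators from the Installation and Removal sections into a read-only triage check in Python. The Windows XP folder layout (%SystemRoot%\system32 and %USERPROFILE%\Start Menu\Programs\Startup) is an assumption; the script only reports, because deletion belongs to the Safe Mode steps above.

```python
import os
import sys

# Dropped-file names and the Run value, transcribed from the description above.
DROPPED_FILES = {
    "windir": ["rundll16.exe"],
    "system": ["New WinZip File.exe", "scanregw.exe", "Update.exe",
               "Winzip.exe", "WINZIP_TMP.EXE"],
    "startup": ["WinZip Quick Pick.exe"],
}
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
ADVANCED_KEY = r"Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"


def default_locations() -> dict:
    """Resolve %Windir%, %System% and the per-user Startup folder from the
    environment (assumes the Windows XP layout; Windows 9x/Me differ)."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    profile = os.environ.get("USERPROFILE", r"C:\Documents and Settings\Default")
    return {
        "windir": windir,
        "system": os.path.join(windir, "system32"),
        "startup": os.path.join(profile, "Start Menu", "Programs", "Startup"),
    }


def expected_paths(locations: dict) -> list[str]:
    """Every path the worm drops, given the three base directories."""
    return [os.path.join(locations[kind], name)
            for kind, names in DROPPED_FILES.items() for name in names]


def present_dropped_files(locations: dict) -> list[str]:
    """Return the dropped-file paths that exist. NTFS and FAT are
    case-insensitive, so WINZIP_TMP.EXE is found whatever case it was written in."""
    return sorted(p for p in expected_paths(locations) if os.path.isfile(p))


def is_worm_run_value(name: str, data) -> bool:
    """Match the persistence value exactly as the description gives it.
    Windows 9x/Me ship a legitimate ScanRegistry value that points at
    %Windir%\\scanregw.exe, so only the bare 'scanregw.exe /scan' form counts."""
    return (name.lower() == "scanregistry"
            and str(data).strip().lower() == "scanregw.exe /scan")


def registry_findings() -> dict:
    """On Windows, read the persistence value and the two Explorer settings the
    worm changes. Returns an empty dict elsewhere or when nothing is found."""
    if sys.platform != "win32":
        return {}
    import winreg
    found = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            data, _ = winreg.QueryValueEx(key, "ScanRegistry")
            if is_worm_run_value("ScanRegistry", data):
                found["HKLM\\...\\Run\\ScanRegistry"] = data
    except OSError:
        pass
    try:
        with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ADVANCED_KEY) as key:
            for name in ("WebView", "ShowSuperHidden"):
                try:
                    value, _ = winreg.QueryValueEx(key, name)
                except OSError:
                    continue
                if str(value) == "0":
                    found[name] = value
    except OSError:
        pass
    return found


if __name__ == "__main__":
    locs = default_locations()
    for path in present_dropped_files(locs):
        print("dropped file present:", path)
    for name, value in registry_findings().items():
        print("registry:", name, "=", value)
```

Because the worm deletes the autostart values and program files of the security products listed earlier, a clean result from this check is not evidence that the machine was never infected; the absence of the expected antivirus entries under the same Run keys is itself a finding worth recording before re-installing those products.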
 

Copyright © 1996 - 2010 Kaspersky Lab. All rights reserved.