Summary

| Affected operating systems | Windows |
|---|---|
| Included in our products from | August 2007 (4.20) |
| Protection available since | 16 January 2006 16:03:20 (GMT) |
| Last updated | 14 June 2007 13:10:08 (GMT) |
| Detected by | All Sophos products |
Action

If you are running Sophos Anti-Virus for Windows, version 6.0, you should follow our instructions for removing worms.
If you use any of our other products, please read the instructions for removing W32/Nyxem variants.
More Information
W32/Nyxem-D is an email and network worm for the Windows platform.
W32/Nyxem-D may open an empty dropped ZIP file in order to hide its functionality.
W32/Nyxem-D may periodically attempt to download and run an update of itself.
W32/Nyxem-D may attempt to display an icon in the Windows taskbar with the text "Update Please wait" if it detects the presence of anti-virus software. W32/Nyxem-D may also attempt to close windows, terminate programs, remove registry entries and delete files related to security and anti-virus programs.
W32/Nyxem-D is an email and network worm for the Windows platform. It attempts to spread to network shares with weak passwords.
W32/Nyxem-D copies itself with some of the following filenames:
<Windows>\Rundll16.exe
<System>\scanregw.exe
<System>\Winzip.exe
<System>\Update.exe
<System>\WinZip_Tmp.exe
<System>\New WinZip File.exe
movies.exe
Zipped Files.exe
W32/Nyxem-D sets the following registry entry to run itself on system startup:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScanRegistry
scanregw.exe /scan
W32/Nyxem-D also sets the following registry entry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView
0
W32/Nyxem-D may modify registry values under the following locations:
HKCU\Control Panel\BMale
HKCU\Control Panel\DNS
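As an added example (not part of the Sophos analysis), the following Python script parses a regedit `.reg` export collected from a suspect machine and flags the two registry values listed above. The export text is constructed for the demonstration; the benign ccApp entry shows that unrelated Run values are ignored. The Run value with the data `scanregw.exe /scan` is treated as the strong signal, while WebView=0 is reported as a weak one because it is an ordinary Explorer setting that other software can change.

```python
import re

# Registry values the advisory lists for W32/Nyxem-D, keyed by
# (registry key, value name) -> (confidence, data the worm writes).
NYXEM_REGISTRY_INDICATORS = {
    ("HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run", "ScanRegistry"):
        ("strong", "scanregw.exe /scan"),
    ("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced", "WebView"):
        ("weak", 0),
}

HIVE_ABBREV = {
    "HKEY_LOCAL_MACHINE": "HKLM",
    "HKEY_CURRENT_USER": "HKCU",
    "HKEY_CLASSES_ROOT": "HKCR",
    "HKEY_USERS": "HKU",
}

# "name"=data  (the name may contain escaped quotes)
_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def _unescape(s):
    # .reg string escaping: \" for a quote, \\ for a backslash.
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode_data(token):
    token = token.strip()
    if len(token) >= 2 and token.startswith('"') and token.endswith('"'):
        return _unescape(token[1:-1])
    if token.lower().startswith("dword:"):
        return int(token[6:], 16)
    return token  # hex:, hex(2): and other types are left as raw text


def parse_reg_export(text):
    """Parse a regedit .reg export into {(key, value_name): data}.

    Only named string and DWORD values are decoded, which is enough for the
    indicators above; default values (@=) and multi-line hex data are skipped.
    """
    values = {}
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor") or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            hive, _, rest = line[1:-1].partition("\\")
            key = HIVE_ABBREV.get(hive.upper(), hive) + ("\\" + rest if rest else "")
            continue
        m = _VALUE_LINE.match(line)
        if m and key is not None:
            values[(key, _unescape(m.group(1)))] = _decode_data(m.group(2))
    return values


def find_nyxem_registry_indicators(values):
    """Return [(confidence, key, name, data)] for values matching the advisory.

    Registry keys and value names are case-insensitive, so they are compared
    lower-cased; string data is compared after trimming whitespace.
    """
    wanted = {(k.lower(), n.lower()): v for (k, n), v in NYXEM_REGISTRY_INDICATORS.items()}
    hits = []
    for (key, name), data in values.items():
        entry = wanted.get((key.lower(), name.lower()))
        if entry is None:
            continue
        confidence, expected = entry
        if isinstance(expected, str):
            matched = isinstance(data, str) and data.strip().lower() == expected.lower()
        else:
            matched = data == expected
        if matched:
            hits.append((confidence, key, name, data))
    return hits


# Constructed sample export (not taken from a real machine): one benign Run
# entry, the worm's Run entry and the Explorer WebView change.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="\"C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe\""
"ScanRegistry"="scanregw.exe /scan"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebView"=dword:00000000
"Hidden"=dword:00000002
'''

if __name__ == "__main__":
    for hit in find_nyxem_registry_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(hit)
```

Run against a real export with `parse_reg_export(open("export.reg", encoding="utf-16").read())`; regedit writes exports as UTF-16, so the encoding argument matters when reading one.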
W32/Nyxem-D may drop an empty file to the Windows system folder with the same name as itself but with a ZIP extension, and attempt to open it in order to hide its functionality.
W32/Nyxem-D may periodically attempt to download and run an update of itself.
W32/Nyxem-D may attempt to display an icon in the Windows taskbar with the text "Update Please wait" if it detects the presence of anti-virus software. W32/Nyxem-D may also attempt to close windows, terminate programs, remove registry entries and delete files related to security and anti-virus programs.
The W32/Nyxem-D worm examines the computer's hard disk and looks for email addresses in files that have any of the following extensions:
DBX
EML
HTM
IMH
MBX
MSF
MSG
OFT
TXT
VCF
W32/Nyxem-D sends itself to email addresses it harvests from files on the infected computer, sending itself as if from one contact to another. The emails sent have the following characteristics:
Subject lines include the following, or may be blank:
*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Hello
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
the file
Word file
You Must View This Videoclip!
Message bodies include the following, and may contain images that cannot be displayed:
----- forwarded message -----
???????????????????????????? ????????????? ?????? ???????????
>> forwarded message
DSC-00465.jpg DSC-00466.jpg DSC-00467.jpg
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. bye
hi i send the details bye
Hot XXX Yahoo Groups
how are you? i send the details. OK ?
i attached the details. Thank you
i just any one see my photos. It's Free :)
Note: forwarded message attached.
photo photo2 photo3
Please see the file.
ready to be FUCKED :)
VIDEOS! FREE! (US$ 0,00)
What?
Attachments may be executable files or mime files containing executable files. Executable attachment filenames include the following:
007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif
Mime attachment filenames include the following:
3.92315089702606E02.UUE
Attachments[001].B64
Attachments00.HQX
Attachments001.BHX
eBook.Uu
Original Message.B64
Sex.mim
SeX.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu
Mime attachment filenames also include the following:
392315089702606E-02
Clipe
Miss
Photos
Sweet_09
with one of the following extensions:
.b64
.BHx
.HQX
.mim
.uu
.UUE
.XxE
If the attachment is a mime file, it contains a file with one of the following filenames followed by several spaces and an SCR extension:
392315089702606E-02,UUE
Adults_9,zip
ATT01.zip
Atta[001],zip
Attachments,zip
Attachments[001],B64
Clipe,zip
New Video,zip
Photos,zip
SeX,zip
WinZip,zip
WinZip.zip
Word XP.zip
Word.zip
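An added example, not from the Sophos page: a Python mail-filter check that applies the subject, body and attachment characteristics listed above to one raw message. It uses only the standard `email` module. Attachment names are treated as the strong signal (subjects such as "Re:" or "Hello" are too generic on their own), and for `.uu`/`.uue` containers the inner filename is read from the uuencode `begin` line, so the "filename followed by several spaces and an SCR extension" trick is caught even when the outer attachment name looks harmless. The sample messages, addresses and attachment bytes are constructed.

```python
import email
import email.policy
import re
from email.message import EmailMessage

# Indicator lists copied from the advisory above, lower-cased for comparison.
NYXEM_SUBJECTS = {
    "*hot movie*", "a great video", "arab sex dsc-00465.jpg", "ebook.pdf",
    "fuckin kama sutra pics", "fw:", "fw: dsc-00465.jpg", "fw: funny :)",
    "fw: picturs", "fw: real show", "fw: sex.mpg", "fw: sexy",
    "fwd: crazy illegal sex!", "fwd: image.jpg", "fwd: photo", "give me a kiss",
    "hello", "miss lebanon 2006", "my photos", "part 1 of 6 video clipe", "re:",
    "re: sex video", "school girl fantasies gone bad", "the best videoclip ever",
    "the file", "word file", "you must view this videoclip!",
}
NYXEM_BODIES = {
    "----- forwarded message -----", ">> forwarded message",
    "dsc-00465.jpg dsc-00466.jpg dsc-00467.jpg", "forwarded message attached.",
    "fuckin kama sutra pics", "hello, i send the file. bye",
    "hi i send the details bye", "hot xxx yahoo groups",
    "how are you? i send the details. ok ?", "i attached the details. thank you",
    "i just any one see my photos. it's free :)", "note: forwarded message attached.",
    "photo photo2 photo3", "please see the file.", "ready to be fucked :)",
    "videos! free! (us$ 0,00)", "what?",
}
EXECUTABLE_EXTS = {".pif", ".scr"}  # outer .pif attachments, inner .scr files
MIME_CONTAINER_EXTS = {".b64", ".bhx", ".hqx", ".mim", ".uu", ".uue", ".xxe"}
# "filename followed by several spaces and an SCR extension"
PADDED_SCR = re.compile(r"\S\s{2,}\.scr$", re.IGNORECASE)


def _ext(filename):
    _stem, dot, ext = filename.lower().rpartition(".")
    return "." + ext if dot else ""


def attachment_findings(filename):
    """Findings for one attachment filename (outer attachment or inner file)."""
    findings = []
    ext = _ext(filename)
    if ext in EXECUTABLE_EXTS:
        findings.append(f"executable attachment: {filename!r}")
    elif ext in MIME_CONTAINER_EXTS:
        findings.append(f"encoded container attachment: {filename!r}")
    if PADDED_SCR.search(filename):
        findings.append(f"space-padded .scr name: {filename!r}")
    return findings


def uuencoded_inner_name(payload):
    """Name from the 'begin <mode> <name>' line of a uuencoded body, or None."""
    text = payload.decode("latin-1") if isinstance(payload, bytes) else payload
    for line in text.splitlines():
        if line.startswith("begin "):
            parts = line.split(" ", 2)
            return parts[2] if len(parts) == 3 else None
    return None


def scan_message(raw):
    """Return the list of W32/Nyxem-D indicators found in one raw RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=email.policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in NYXEM_SUBJECTS:
        findings.append(f"known subject: {str(msg['Subject'])!r}")
    body = msg.get_body(preferencelist=("plain",))
    if body is not None and body.get_content().strip().lower() in NYXEM_BODIES:
        findings.append("known message body")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        findings.extend(attachment_findings(name))
        if _ext(name) in (".uu", ".uue"):  # only uuencode is decoded here
            inner = uuencoded_inner_name(part.get_content())
            if inner:
                findings.extend(attachment_findings(inner))
    return findings


def build_sample(subject, body, attachment_name, attachment_bytes):
    """Constructed test message; the addresses are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"
    m["To"] = "recipient@example.invalid"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(attachment_bytes, maintype="application",
                     subtype="octet-stream", filename=attachment_name)
    return m.as_bytes()


# Constructed uuencoded container holding an empty, space-padded .scr file.
UU_SAMPLE = b"begin 644 WinZip,zip          .scr\n`\nend\n"

if __name__ == "__main__":
    raw = build_sample("My photos", "photo photo2 photo3", "Photos.uu", UU_SAMPLE)
    for finding in scan_message(raw):
        print(finding)
```

Because the `.b64`, `.bhx`, `.hqx`, `.mim` and `.xxe` containers are not decoded, a production filter would add the corresponding decoders and apply `attachment_findings` to the inner names they yield in the same way.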
W32/Nyxem-D attempts to spread to network shares with weak passwords using the name WINZIP_TMP.exe.
W32/Nyxem-D has a payload that is activated on the 3rd day of the month, with functionality that includes the following:
- destroying the following files by replacing their contents with the "DATA Error [47 0F 94 93 F4 K5]" string
*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp
- disabling the following anti-virus and security applications by closing correspondingly named windows:
SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL
FIX
- disabling a number of anti-virus and security applications by deleting their startup entries under the following registry keys:
Software\Microsoft\Windows\CurrentVersion\Run
Software\Microsoft\Windows\CurrentVersion\RunServices
if the value names match the following strings:
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
VSOCheckTask
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare
- deleting installation files from folders gathered by searching the following registry entries:
Software\INTEL\LANDesk\VirusProtect6\CurrentVersion
SOFTWARE\Symantec\InstalledApps
SOFTWARE\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe
SOFTWARE\KasperskyLab\Components\101
SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platin
- deleting a number of files by searching for the following:
\DAP\*.dll
\BearShare\*.dll
\Symantec\LiveUpdate\*.*
\Symantec\Common Files\Symantec Shared\*.*
\Norton AntiVirus\*.exe
\Alwil Software\Avast4\*.exe
\McAfee.com\VSO\*.exe
\McAfee.com\Agent\*.*
\McAfee.com\shared\*.*
\Trend Micro\PC-cillin 2002\*.exe
\Trend Micro\PC-cillin 2003\*.exe
\Trend Micro\Internet Security\*.exe
\NavNT\*.exe
\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
\Grisoft\AVG7\*.dll
\TREND MICRO\OfficeScan\*.dll
\Trend Micro\OfficeScan Client\*.exe
\LimeWire\LimeWire 4.2.6\LimeWire.jar
\Morpheus\*.dll
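Added example (not from the original analysis) for the file-destruction part of the payload above: a Python scan that locates files with one of the targeted extensions whose contents begin with the "DATA Error [47 0F 94 93 F4 K5]" marker, so a responder can list what needs restoring from backup after the 3rd of the month. The directory tree is constructed in a temporary folder; the intact `archive.zip` and a `notes.txt` containing the same marker show that only targeted, overwritten files are reported.

```python
import os
import tempfile
import zipfile
from pathlib import Path

# Marker string the advisory says the payload writes over each target file.
DESTROY_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
# Extensions the payload targets (from the list above), compared case-insensitively.
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps", ".zip",
               ".rar", ".pdf", ".psd", ".dmp"}


def is_destroyed(path):
    """True if `path` has a targeted extension and starts with the marker.

    Genuine files of these types begin with a format signature (PK for ZIP,
    %PDF for PDF, the OLE2 header for Office documents), never with this
    ASCII string, so a prefix comparison is enough to identify overwritten files.
    """
    p = Path(path)
    if p.suffix.lower() not in TARGET_EXTS or not p.is_file():
        return False
    with p.open("rb") as fh:
        return fh.read(len(DESTROY_MARKER)) == DESTROY_MARKER


def scan_tree(root):
    """Walk `root` and return the sorted list of destroyed files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_destroyed(full):
                hits.append(full)
    return sorted(hits)


def build_demo_tree(root):
    """Create constructed sample files under `root` (not real user data)."""
    root = Path(root)
    (root / "reports").mkdir(parents=True, exist_ok=True)
    # Two files as the payload would leave them (extension case varies on Windows).
    (root / "reports" / "quarterly.doc").write_bytes(DESTROY_MARKER)
    (root / "slides.PPS").write_bytes(DESTROY_MARKER)
    # An intact archive with a real ZIP header.
    with zipfile.ZipFile(root / "archive.zip", "w") as zf:
        zf.writestr("readme.txt", "intact")
    # Same marker in a .txt file: not a targeted extension, so not reported.
    (root / "notes.txt").write_bytes(DESTROY_MARKER)


def demo():
    """Build the sample tree in a temporary directory; return hit basenames."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        return sorted(os.path.basename(p) for p in scan_tree(tmp))


if __name__ == "__main__":
    for name in demo():
        print("destroyed:", name)
```

On a real system, call `scan_tree` on the user profile and data drives; the resulting list is the restore set, since the original contents are not recoverable from the overwritten files themselves.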
