MessageLabs Intelligence Data Suggests Worldwide Impact of Blackworm/Nyxem.E on February 3rd Will Be Damaging but Not Catastrophic
Business Wire, Feb 2, 2006
NEW YORK -- MessageLabs, the leading provider of messaging security and management services to businesses worldwide, has now stopped over 4 million copies of Nyxem.E (also referred to as MyWife.D, BlackWorm and Kama Sutra). The worm, scheduled to begin destroying files on infected machines and networks on Friday, February 3rd, is currently live on 20,000 IP addresses according to MessageLabs data. This indicates that 20,000 individual home users or organizations worldwide are currently infected, a significant drop from earlier in the week. As each IP address may represent anything from a single home user to potentially a large corporation, it is difficult to accurately estimate the impact of tomorrow's timed payload activation, but MessageLabs expects it will be significantly lower than previous industry estimates. MessageLabs believes this is largely due to many infected computer users and businesses conducting extensive virus 'clean up' this week. MessageLabs has seen worm 'clean-up' from approximately 11,000 IP addresses a day.
"This virus was created purely for malicious intent, unlike the majority of viruses we see today that are instead looking for backdoors into people's machines to send spam or steal data. We are hopeful that this does not indicate a return to destructive, nuisance viruses. However, this virus writer did do one good thing, intentionally or not, he or she provided a two week window before activation of the payload to destroy data. This has allowed many smart computer users and businesses an opportunity to disinfect their machines and hopefully take protective measures before Friday," noted Alex Shipp, Senior Virus Technologist.
"We would advise all computer users to check their machines as many traditional anti-virus updates were not available until up to 30 hours after the start of this outbreak. MessageLabs Skeptic technology was able to detect and stop the virus from its first instance."
The Nyxem virus family has been around since March 2004 and is named after the first virus, which launched a DDoS attack against the "New York Mercantile Exchange" website (www.nymex.com). The motive and virus writer remain unknown.
The email worm is activated based on PC clock settings and is programmed to overwrite and corrupt files on the 3rd day of every month, beginning on February 3rd. The worm usually arrives as an attachment in an email message, with spoofed sender addresses claiming to offer obscene pictures or pornographic movie clips. The worm can also spread via network shares. It also attempts to disable security software including anti-virus and firewall.
The virus can infect any disk drive connected to the PC, including USB drives and network drives and shares. Targeted files are corrupted, rather than deleted. Businesses and individuals who rely on a timed overwrite back-up system should ensure that they are not overwriting previously good backed-up files with corrupted files.
Name: MessageLabs: Nyxem.E
Also known as:
Authentium: W32/Kapser.A@mm
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A
Further information on this virus naming can be found on: http://cme.mitre.org/data/list.html#24
Number of copies stopped: Over 4 million from 200,000 different IP addresses
Date & time first captured: 05:31 on 16-Jan-2006 UTC.
Attachment: The malware has another twist. The file types used were fairly unusual. We can assume that this is an attempt to penetrate organizations with gateway-filters on attachment extensions using content scanners.
These extensions include: .mim, .hqx, .bhx, .b64, .uue, .uu
Payload
It has a destructive payload which activates on the 3rd of every month, destroying all files with the following extensions, by overwriting them with a text string:
*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp
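The backup caution and the extension list above suggest a check to run before a timed-overwrite backup job replaces its previous set. The following is an added example, not part of the MessageLabs release: it flags files with the targeted extensions whose leading bytes no longer match their format and holds the rotation when too many fail. The file signatures, the 2% threshold, the function names and the sample files are assumptions.

```python
import tempfile
from pathlib import Path

OLE2 = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"  # legacy Office compound file header
JET = b"\x00\x01\x00\x00Standard "           # Access "Standard Jet DB" / "Standard ACE DB"
# Expected leading bytes per targeted extension (assumed signatures, not from the page).
SIGNATURES = {
    ".doc": (OLE2,), ".xls": (OLE2,), ".ppt": (OLE2,), ".pps": (OLE2,),
    ".mdb": (JET,), ".mde": (JET,),
    ".zip": (b"PK\x03\x04", b"PK\x05\x06", b"PK\x07\x08"),
    ".rar": (b"Rar!\x1a\x07",),
    ".pdf": (b"%PDF-",),
    ".psd": (b"8BPS",),
    ".dmp": (b"MDMP", b"PAGEDU"),  # Windows dumps only; extend for other dump formats
}

def looks_intact(path: Path) -> bool:
    """True if the file still starts with a signature valid for its extension."""
    with open(path, "rb") as fh:
        return fh.read(16).startswith(SIGNATURES[path.suffix.lower()])

def scan_tree(root):
    """Return (files_checked, suspect_paths) for targeted extensions under root."""
    targeted = [p for p in sorted(Path(root).rglob("*"))
                if p.is_file() and p.suffix.lower() in SIGNATURES]
    return len(targeted), [p for p in targeted if not looks_intact(p)]

def safe_to_rotate(root, max_suspect_ratio=0.02):
    """Gate for a timed-overwrite backup job: False means keep the previous set."""
    checked, suspects = scan_tree(root)
    ok = checked == 0 or len(suspects) / checked <= max_suspect_ratio
    return ok, suspects

def build_sample(root):
    """Constructed sample tree: two intact files, two overwritten with text."""
    root = Path(root)
    (root / "report.doc").write_bytes(OLE2 + b"\x00" * 64)
    (root / "scan.PDF").write_bytes(b"%PDF-1.4\n%constructed\n")
    (root / "budget.xls").write_bytes(b"CONSTRUCTED PLACEHOLDER TEXT")
    (root / "archive.zip").write_bytes(b"CONSTRUCTED PLACEHOLDER TEXT")
    (root / "notes.txt").write_bytes(b"not a targeted type")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        build_sample(d)
        ok, suspects = safe_to_rotate(d)
        print("rotate backup:", ok)
        for p in suspects:
            print("suspect:", p.name)
```

Documents saved in another format under a targeted extension (for example RTF saved as .doc) will also be flagged, which is why the gate uses a ratio rather than failing on the first mismatch.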
Detection
MessageLabs detected all strains of this virus proactively, using its unique and patented Skeptic(TM) predictive heuristics technology.
About MessageLabs
MessageLabs is the world's leading provider of messaging security and management services with more than 13,000 clients and offices in eight countries. For more information, please visit www.messagelabs.com.



