PDA

View Full Version : Worm Alert



jds1978
01-31-2006, 08:44 PM
UH-OH....


From SANS: Over the last week, "Blackworm" infected more then 700,000 systems as measured using a counter web site used by the worm to track itself. This worm is different and more serious then other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message( 'DATA Error [47 0F 94 93 F4 K5]').

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm

Naming
As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be 'CME-24'. cme.mitre.org should shortly list this number.

How would I get infected?
The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.

What will BlackWorm do to my system?
It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.

Removal
Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":

BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.

View: Full article (SANS)
Story via DONet

zoinks_
01-31-2006, 09:53 PM
i think it would be fun to bring back the roman colosseums with lion's and other various critters and toss some of these programmers in. i'd buy a ticket. think of the fun.

slo_one23
01-31-2006, 10:22 PM
i'd be in the seat next to you!
jeeze what kinda people just sit around trin to destroy other peoples things for no gain http://forums.ubi.com/images/smilies/51.gif

jds1978
02-01-2006, 03:36 AM
jeeze what kinda people just sit around trin to destroy other peoples things for no gain

A: 40+ yr old virgins or people who can't get over the fact that they were picked on in high school http://forums.ubi.com/images/smilies/59.gif

WWSensei
02-01-2006, 04:26 AM
While "script kiddies" are in the majority there is a growing number of organized groups doing such things. from terrorists groups attempting to disrupt computer systems to organized crime groups trying to either steal business ideas, cripple opponents networks, or in some cases, encrypting victims data and then ransoming the unlock key.

Some of these groups literally control millions of compromised computers--and most of the owners are totally unaware they are part of a botnet.

Hoatee
02-01-2006, 03:13 PM
Lately I've been playing around with Windows 3.1 under emulation on a Mac. Whacky interface that OS has, indeed - I'm not surprised people had problems migrating to Windows 95 - culture shock, methinks.

Anywaze, I coudn't help but notice that antivirus software was an integral part of the OS and appears to have been taken out from Windows 95 onwards.

Perhaps Micro could be convinced into taking it back in - I think that maybe it's unfare for consumers to have to foot the bill for having to take measures against malware.

zoinks_
02-01-2006, 03:37 PM
somehow my brain fails to equate microsoft and security...shows at my choice of web browser, mail, etc. etc..... i still like my idea best. and let's toss in all the thieves, too.

thanks for the alert, btw. just realized i forgot that.

WWSensei
02-01-2006, 05:41 PM
Microsoft did indeed have Centralpoint AV that they had bought. Last year or so they also bought a Rumanian AV company and is expected to release a concumer AV product (one reason they and Symantec don't get along).

Somehow, buying AV software to plug holes in the software they wrote in the first place does seem to be a bit like letting the fox guard the henhouse.

NAFP_supah
02-02-2006, 04:20 AM
symantec has a removal tool here (http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html) In general to avoid this do not browse pornographic sites, do not open e-mails from people you do not know about porn, Do not use outlook express and stop being an idiot. That should drastically cut down on your number of infections.

bogusheadbox
02-02-2006, 06:03 AM
Originally posted by NAFP_supah:
symantec has a removal tool here (http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html) In general to avoid this do not browse pornographic sites,

Sorry no can do


do not open e-mails from people you do not know about porn
Agreed

Do not use outlook express
I think the above statement in it general depiction is fine. Just don't open emails that you are not sure or aware of the sender. Outlook express is fine if you use that simple rule.


and stop being an idiot
I think it was an optional extra i took out at birth.