Update-Worm set to delete data files on February 3

muckshifter (Moderator)
While the most high-profile security vulnerability of late was almost certainly the WMF hole recently patched by Microsoft, in terms of actual numbers of infections it was barely a blip on the radar. According to the anti-virus company F-Secure, one of the most populous and dangerous infections today is not some sophisticated bit of code exploiting a new and exotic security hole, but an old-school e-mail worm written in Visual Basic that spreads by tempting users with free pornography.

The worm, named Nyxem.E, was discovered on January 20. It spreads by convincing users to open an executable attachment in their e-mail, tempting them with subject lines such as "Arab sex DSC-00465.jpg," "Miss Lebanon 2006," or "School girl fantasies gone bad." The executable, when run, checks to see if there are any common anti-virus programs running, and if so disables them. It inserts itself into the Windows registry in the standard places such as Software\Microsoft\Windows\CurrentVersion\Run so that it will run on startup, then scans the user's hard drive for any e-mail addresses it can find to send itself off to the next victim. It also attempts to spread via network shares.

The payload, which is set to execute on the third day of every month and so will first deploy on February 3, does not render the user's computer inoperative, but instead destroys that user's data. All Word, Excel, Access, PowerPoint, Acrobat, Photoshop, and some other files including zipped archives are deleted and replaced with the text string "DATA Error <47 0F 94 93 F4 K5>." This could result in some embarrassingly short business presentations scheduled for the beginning of next month.

One interesting feature of the worm is that whenever it runs it opens a web browser and accesses a certain webpage, incrementing the hit counter on that site. This appears to be a crude method for the worm's authors to track the number of infections. F-Secure estimates the number of machines already infected to be around 510,000 machines as of Sunday night, and the worm was accounting for about 35 percent of malware traffic as of Monday morning.

It is somewhat interesting that in an age where spyware and malware are becoming more and more sophisticated and serious, the first large-scale infection of the new year would be a crude VB e-mail worm, the sort that most people were supposedly trained to guard against ages ago. Outlook and Outlook Express were both patched several years ago to disallow the execution of e-mail attachments by default, and many ISPs strip out executable attachments, preventing them from ever appearing in the user's mailbox.

Yet all the technological safeguards over the last few years appear to be no match for the power of ... social engineering. ;)

http://arstechnica.com/news.ars/post/20060123-6028.html
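As an added example (not part of the original post or the Ars Technica article), here is a small forensic sweep for the payload described above: it walks a directory tree and reports document files whose contents have been replaced with the "DATA Error <47 0F 94 93 F4 K5>" marker. The mapping from the application names in the article to file extensions, and the tolerance for a few trailing bytes after the marker, are assumptions; the sample tree is constructed inline so the script runs offline.

```python
"""Sweep a directory for files overwritten with the Nyxem.E payload marker.

Added illustration, not the worm's code or F-Secure's tooling. It only
reads files and reports them; it does not modify anything.
"""
import os
import tempfile
from pathlib import Path

# Marker string the article says the payload writes in place of file data.
NYXEM_MARKER = b"DATA Error <47 0F 94 93 F4 K5>"

# Assumed extensions for the application types the article lists as targets
# (Word, Excel, Access, PowerPoint, Acrobat, Photoshop, zipped archives).
TARGET_SUFFIXES = {".doc", ".xls", ".mdb", ".ppt", ".pdf", ".psd", ".zip"}

# A wiped file is tiny: the marker plus at most a few trailing bytes
# (assumption, to tolerate a period or line ending after the marker).
MAX_WIPED_SIZE = len(NYXEM_MARKER) + 8


def is_overwritten(path):
    """Return True if the file is small and begins with the payload marker."""
    try:
        if os.path.getsize(path) > MAX_WIPED_SIZE:
            return False
        with open(path, "rb") as fh:
            return fh.read(len(NYXEM_MARKER)) == NYXEM_MARKER
    except OSError:
        # Unreadable or vanished files are reported as not matching.
        return False


def scan_tree(root):
    """Walk root and return the sorted paths of wiped target-type files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if Path(name).suffix.lower() in TARGET_SUFFIXES and is_overwritten(full):
                hits.append(full)
    return sorted(hits)


def make_sample_tree(root=None):
    """Construct a sample tree: two wiped documents, one intact PDF, and a
    .txt file that carries the marker but is not a target type."""
    root = root or tempfile.mkdtemp(prefix="nyxem_demo_")
    os.makedirs(os.path.join(root, "docs"), exist_ok=True)
    samples = {
        "docs/report.doc": NYXEM_MARKER + b".",
        "docs/budget.xls": NYXEM_MARKER,
        "docs/intact.pdf": b"%PDF-1.4 constructed placeholder content",
        "notes.txt": NYXEM_MARKER,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    demo_root = make_sample_tree()
    for hit in scan_tree(demo_root):
        print("wiped:", hit)
```

Run it against a real share with `scan_tree(r"\\server\share")` in place of the sample tree; a non-empty result on or after the third of the month is the signal to restore from backup rather than from the affected machine.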