SANS – Internet Storm Center – CME-24 (Blackworm) Analysis: The destruction does not appear to spread across Windows network shares
SANS – Internet Storm Center – CME-24 (Blackworm) Analysis: The destruction does not appear to spread across Windows network shares
CME-24 Analysis: The destruction does not appear to spread across Windows network shares (NEW)
I wanted to share some of the results of some long hours spent looking at this malware. When the infection occurs, it immediately places copies of itself locally on each share and on each share/mapped drive that it finds. Based on this behavior, my initial thoughts were that the destructive payload would be carried out via shares and/or mapped drives as well.I now have changed my initial thoughts on how the destruction would occur. Here are some of my notes from my testing of this concept. Here is the MD5 from the file I was using:
1c66904ecb846da5b1fb2072f9ea6e0e *New WinZip File.exeThe first test I did led me to believe that the destruction would be carried out via the shares and mapped drives. In my intial test, I had two infected systems (one XP and one W2K) with drives mapped to each other. I infected each box, changed the system time to Feb 2 at 11:50pm, launched ethereal, filemon and ran the the first shot using RegShot. After an hour, I stopped the captures and launched my second shot of the hard drive with RegShot. All my data files were now over written, zip files were corrupted, etc. Everything was happening as I thought it would. All my mapped drives had corrupted files. The security logs from each box showed accesses from the other.
For the rest of this in depth analysis, go here: SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.
February 2, 2006 –
Posted by
antivirusguy |
Antivirus News
SANS – Internet Storm Center – BlackWorm Summary – Updated Info
About BlackWorm
Over the last week, “Blackworm” infected about 300,000 systems based on analysis of logs from the counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user’s files on February 3rd.
At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can’t be expected to clean up the infection for you.
The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message( ‘DATA Error [47 0F 94 93 F4 K5]‘).
We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.
The first thing you should do is to update your anti virus signatures.
This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm
Naming
As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be ‘CME-24′. cme.mitre.org should shortly list this number.
How would I get infected?
The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new “zip file” icon on your desktop.
What will BlackWorm do to my system?
It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.
Removal
Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild “from scratch”:
- BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
- BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.
Microsoft Security Advisory (904420): Win32/Mywife.E@mm (aka Blackworm)
Microsoft Security Advisory (904420): Win32/Mywife.E@mm (aka Blackworm)
For even more comprehensive information on this virus go here: http://www.isc.sans.org/blackworm
Win32/Mywife.E@mm
Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.
Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.
On systems that are infected by Win32/Mywife@E.mm, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts. For more information, see the Microsoft Virus Encyclopedia.
As with all currently known variants of the Mywife malware, this variant does not make use of a security vulnerability, but is dependant on the user opening an infected file attachment. The malware also attempts to scan the network looking for systems it can connect to and infect It does this in the context of the user. If it fails to connect to one of these systems, it tries again by logging on with “Administrator” as the user name together with a blank password.
Read the rest of this advisory here: Microsoft Security Advisory (904420): Win32/Mywife.E@mm.
February 2, 2006 –
Posted by
antivirusguy |
Antivirus News |
|
1 Comment