URL

http://www.lurhq.com/blackworm.html

Release Date
January 24, 2005

Analysis
The email worm known as BlackWorm/Nyxem/Blackmal/Blueworm/Grew is scheduled to destroy certain file types on February 3, 2006 (the files are not deleted but overwritten with a small text message).

We have been tracking the worldwide infections of this worm by means of the web statistics counter to which the worm reports each infection. Currently it is at 679,000, but has tapered off in the last day or so. Even though this seems like a large number, as email viruses go, it is not a major threat in terms of email volume. The threat posed by this worm is the overwriting of files, which is scheduled to occur on February 3, 2006. The file types in question are DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.

More information about the functions performed by this worm can be found at: http://www.f-secure.com/v-descs/nyxem_e.shtml

Solution
In most cases, blocking executable and unknown file types at the email gateway is enough to prevent the worm from entering a network. The attachments sent by the worm may carry the following extensions: pif, scr, mim, uue, hqx, bhx, b64, and uu.

LURHQ has deployed the following Snort signatures to detect infections of the worm:

alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:1000376; rev:1;)

alert tcp any any -> any 80 (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; classtype:misc-activity; sid:1000377; rev:1;)
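
The two Snort rules above, re-expressed as plain Python matching over raw HTTP request payloads so the conditions can be checked without a sensor. This is an added example, not LURHQ's code; the sample requests are constructed, and the Count.cgi query string shape (everything after "df=") is an assumption, since the page only states that "df=" must be present.

```python
"""Python re-implementation of the matching logic in LURHQ's two BlackWorm
Snort rules (sid:1000376 and sid:1000377). Added example, not LURHQ's code.
All request payloads below are constructed, not captured traffic."""

# The exact 92-byte request rule sid:1000377 describes (dsize:92 + full content).
AGENTLESS_MSFT_REQUEST = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.microsoft.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)

def matches_counter_rule(payload: bytes) -> bool:
    """sid:1000376: Count.cgi request to webstats.web.rcn.net with no Referer.
    The first content is 23 bytes and depth:23 limits the search to the first
    23 bytes, so it must sit at offset 0. Snort content matches are
    case-sensitive unless 'nocase' is given, so plain byte comparisons apply."""
    return (
        payload[:23] == b"GET /cgi-bin/Count.cgi?"
        and b"df=" in payload
        and b"Host: webstats.web.rcn.net" in payload
        and b"Referer:" not in payload          # content:!"Referer|3a|"
    )

def matches_agentless_msft_rule(payload: bytes) -> bool:
    """sid:1000377: 92-byte request to www.microsoft.com with no User-Agent.
    dsize:92 requires the whole TCP payload to be exactly 92 bytes and the
    content covers all 92, so any extra header (a browser's User-Agent)
    stops the rule firing; the check reduces to byte equality."""
    return len(payload) == 92 and payload == AGENTLESS_MSFT_REQUEST

def classify(payload: bytes) -> list:
    """Return the list of rule sids the payload would trigger."""
    hits = []
    if matches_counter_rule(payload):
        hits.append("sid:1000376")
    if matches_agentless_msft_rule(payload):
        hits.append("sid:1000377")
    return hits

# Constructed samples; "df=EXAMPLE.dat" is an assumed query shape.
SAMPLES = {
    "worm_counter": b"GET /cgi-bin/Count.cgi?df=EXAMPLE.dat HTTP/1.1\r\n"
                    b"Host: webstats.web.rcn.net\r\n\r\n",
    "browser_counter": b"GET /cgi-bin/Count.cgi?df=EXAMPLE.dat HTTP/1.1\r\n"
                       b"Host: webstats.web.rcn.net\r\n"
                       b"Referer: http://example.invalid/page.html\r\n\r\n",
    "worm_msft": AGENTLESS_MSFT_REQUEST,
    "browser_msft": AGENTLESS_MSFT_REQUEST.replace(
        b"\r\n\r\n", b"\r\nUser-Agent: ExampleBrowser/1.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, req in SAMPLES.items():
        print(f"{name:16} -> {classify(req) or ['no match']}")
```

Only the two "worm_" samples match; the same requests with a Referer or User-Agent header, as a browser would send, do not.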

At this time we have seen almost no infections across our customer base using our IDS platform and these signatures. Networks which utilize up-to-date desktop antivirus on all machines should experience no problems; however, the worm does attempt to disable AV and security software, so advising users to test their AV may also be in order. If the AV refuses to run, it may be an indication of infection by this or another worm.

It is important to note that although the worm enters a network as an email attachment, once a machine is infected it will attempt to copy itself to open Windows C$ or ADMIN$ network shares as WINZIP_TMP.exe, so machines without email access could still be affected. If you have any of these shares open on your network, searching the shares for this file name is a good way to tell whether anyone has been infected.

About LURHQ Corporation
LURHQ is the leading provider of Threat and Vulnerability Management services. LURHQ empowers security professionals at enterprise clients by partnering with them to provide the Consulting and Managed Security Services necessary to better align their security efforts with business risk. The result is the development of a strategic Threat and Vulnerability Management process that delivers an enhanced security posture, greater security operations efficiency, improved compliance and reduced security program costs. For more information visit http://www.lurhq.com.

Copyright (c) 2006 LURHQ Corporation
Permission is hereby granted for the redistribution of this document electronically. It is not to be altered or edited in any way without the express written consent of LURHQ Corporation. If you wish to reprint the whole or any part of this document in any other medium excluding electronic media, please e-mail [EMAIL PROTECTED] for permission.

Disclaimer
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties implied or otherwise with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

Feedback
Updates and/or comments to:
LURHQ Corporation
http://www.lurhq.com/
[EMAIL PROTECTED]