
Computer worm poised to delete files on 2/3

Posted on February 1, 2006 01:23 PM

A new worm has been reported that infects Windows PCs. Computers that have been compromised with the worm are programmed to delete files on February 3rd and the 3rd of each month thereafter. The actual impact of the spread of the worm is unclear at this time, but the impact on individual PCs could be quite high.

DETAILS

Name:
Known as Nyxem, MyWife, Blackmal, Grew, KillAV, BlackWorm and Kama Sutra

How it spreads:
Primarily through email attachments that you must open to be infected.

What to look for:
The emails have enticing subject lines, such as: "The Best Videoclip Ever", "School girl fantasies gone bad", "Rapist - Do you recognize this photo?", "New Campus Magazine - Please Approve Attached Photocopy" or "A Great Video". The worm may disguise itself as a WinZip file. However, the file extension (.zip) is not present.

What happens if you are infected:

  • The worm attempts to disable most anti-virus products and delete their protection.
  • It will email itself using a variety of extensions and file names.
  • It will add itself to the list of auto-start programs in your registry.
  • The following file types will be overwritten by the worm on your computer's local drives: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, and ZIP.
  • The worm will also attempt to spread through network shares.

What you can do:

  1. NEVER open unexpected attachments or click on links in email messages unless you know the sender and are expecting them.
  2. Keep your antivirus software up to date with the latest patches and virus definitions. Perform a Live Update. If you don't have Symantec AV software, download a free (for Brown students, staff and faculty), current version now at http://software.brown.edu/dist/tw-av.html.
  3. Windows users should install and run an anti-spyware program on a regular basis. [See http://www.brown.edu/cis/itsecurity/getcontrol/step_1.html]
  4. Back up important user files before February 3rd. If you need assistance backing up files, contact your appropriate support staff.
  5. This particular threat masquerades as a WinZip file, displaying the WinZip file icon but without the WinZip extension. To detect this, make sure that you are displaying file extensions. Go to the Folder Options control panel, select the View tab, and deselect "Hide extensions for known file types."
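One way to carry out step 4 for exactly the file types listed above, as an added example that is not part of the original advisory. The function names and the command-line usage are assumptions of this sketch; pick a backup directory that is not on a local drive, since the advisory says files on local drives are overwritten.

```python
import os
import shutil
import sys

# File types the advisory lists as overwritten by the worm.
AT_RISK_EXTENSIONS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
                      ".rar", ".pdf", ".psd", ".dmp", ".zip"}


def find_at_risk_files(root, exclude=None):
    """Yield files under root whose extension is on the advisory's list.

    exclude is an optional directory (the backup target) that is not scanned.
    """
    exclude = os.path.abspath(exclude) if exclude else None
    for dirpath, dirnames, filenames in os.walk(os.path.abspath(root)):
        # Prune the backup directory so a backup is never backed up again.
        dirnames[:] = [d for d in dirnames
                       if os.path.join(dirpath, d) != exclude]
        for name in filenames:
            # Case-insensitive match: REPORT.DOC and report.doc both count.
            if os.path.splitext(name)[1].lower() in AT_RISK_EXTENSIONS:
                yield os.path.join(dirpath, name)


def backup_at_risk_files(source_root, backup_root):
    """Copy at-risk files to backup_root, keeping their relative paths.

    Returns (sorted relative paths copied, total bytes copied).
    """
    source_root = os.path.abspath(source_root)
    copied, total = [], 0
    for path in find_at_risk_files(source_root, exclude=backup_root):
        rel = os.path.relpath(path, source_root)
        dest = os.path.join(backup_root, rel)
        os.makedirs(os.path.dirname(dest), exist_ok=True)
        shutil.copy2(path, dest)  # copy2 also preserves timestamps
        size = os.path.getsize(path)
        if os.path.getsize(dest) != size:
            raise OSError("size mismatch after copying " + path)
        copied.append(rel)
        total += size
    return sorted(copied), total


if __name__ == "__main__":
    # Usage (paths are the caller's choice): backup.py SOURCE_DIR BACKUP_DIR
    files, size = backup_at_risk_files(sys.argv[1], sys.argv[2])
    print("copied %d files, %d bytes" % (len(files), size))
```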

For more information:
