Worm Alert



jds1978
01-31-2006, 08:43 PM
Take a gander, people...

From SANS: Over the last week, "Blackworm" infected more than 700,000 systems as measured using a counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm

Naming
As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be 'CME-24'. cme.mitre.org should shortly list this number.

How would I get infected?
The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.

What will BlackWorm do to my system?
It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.

Removal
Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":

BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.

View: Full article (SANS)
Story via DONet
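An added example, not from the SANS post or from any poster in this thread: a small Python scanner that flags files of the listed types that have already been overwritten with the advisory's 'DATA Error [47 0F 94 93 F4 K5]' marker, so a cleanup can separate recoverable files from ones that must come from backup. It assumes an overwritten file carries that marker text near its start; the page does not give the exact on-disk encoding.

```python
"""Find files Blackworm has already overwritten (added example, not SANS code).

Assumption: an overwritten file contains the marker string quoted in the
advisory, 'DATA Error [47 0F 94 93 F4 K5]', within its first kilobyte.
"""
import tempfile
from pathlib import Path

# Extensions named in the advisory as targets of the February 3rd overwrite.
TARGET_EXTS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
               ".rar", ".pdf", ".psd", ".dmp", ".zip"}
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def is_overwritten(path: Path) -> bool:
    """True if the file is a target type and carries the overwrite marker."""
    if path.suffix.lower() not in TARGET_EXTS:
        return False
    try:
        with path.open("rb") as fh:
            head = fh.read(1024)
    except OSError:
        return False  # unreadable files are reported separately by the caller
    return MARKER in head


def scan(root: Path) -> list[Path]:
    """Walk root and return the sorted list of damaged target files."""
    return sorted(p for p in root.rglob("*") if p.is_file() and is_overwritten(p))


def demo() -> tuple[int, int]:
    """Build a constructed sample tree and return (damaged, intact) counts."""
    tmp = Path(tempfile.mkdtemp())
    (tmp / "report.doc").write_bytes(MARKER)                # damaged
    (tmp / "budget.xls").write_bytes(MARKER + b"\r\n")      # damaged
    (tmp / "photo.psd").write_bytes(b"8BPS" + b"\0" * 64)   # intact PSD header
    (tmp / "notes.txt").write_bytes(MARKER)                 # not a target type
    damaged = scan(tmp)
    total = sum(1 for p in tmp.rglob("*") if p.is_file())
    return len(damaged), total - len(damaged)


if __name__ == "__main__":
    print("damaged, intact:", demo())  # prints (2, 2)
```

Point `scan()` at a user profile or a share the infected machine could reach; anything it lists is unrecoverable and has to come from backup.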

Dash_C.
01-31-2006, 08:45 PM
Thanks for the heads up!

Enforcer572005
01-31-2006, 08:55 PM
If I won a lottery, I would put a huge reward out for whoever could deliver the heads of the creators of such cr@p to me on a stick.

danjama
01-31-2006, 09:02 PM
Cheers for the alert.

Pirschjaeger
02-01-2006, 12:45 AM
Originally posted by Enforcer572005:
If I won a lottery, I would put a huge reward out for whoever could deliver the heads of the creators of such cr@p to me on a stick.

Doesn't Norton share the same office space as Microsoft?

Fritz

vanjast
02-01-2006, 01:19 AM
Just back up your important files and the registry every time you install some new software. Before the due date, restore any of the registries.

Which anti-virus group did you say you work for again??

Pirschjaeger
02-01-2006, 01:49 AM
I just gave my puppy two little white pills in his food. No problems here.

Fritz

F0_Dark_P
02-01-2006, 04:19 AM
I am thinking more and more to run Linux on my comp, but then it comes to game support and I dunno if IL2 can be played on a Linux system?

Jumoschwanz
02-01-2006, 08:12 AM
The writers of virus and malware programs that affect Microsoft products are self-appointed soldiers in the war against Bill Gates.

If they put all their energy they use to write viruses into making Linux and other Unix operating systems as easy to use as Windows, or into making it into an exact functional replacement for Windows, then they would have a much better chance at taking Microsoft down.

All they are doing this way is to strengthen public opinion against anything but Microsoft.

Just goes to show that "book smart" doesn't mean smart period. Or, I know lots of people who are doctors, lawyers and Indian chiefs, and computer programmers, but they still manage to f u c k up their lives and never learn to relax and do things the easy way.

Jumoschwanz

Xiolablu3
02-01-2006, 10:43 AM
I see what you are saying Jumo, but because of DirectX, any dedicated gamers HAVE to use Windows really.

Not many games use OpenGL these days.

Airmail109
02-01-2006, 10:48 AM
Couldn't you just replicate DirectX?

LilHorse
02-01-2006, 01:10 PM
Originally posted by Jumoschwanz:
The writers of virus and malware programs that affect Microsoft products are self-appointed soldiers in the war against Bill Gates.

Jumoschwanz

Which would mean that they are naive imbeciles for that reason or any other reason they have in their teeny tiny little particle of brain matter for creating these things.

Seriously, I'd be all for tracking these people down and having them flayed alive.

WWSensei
02-01-2006, 02:05 PM
Originally posted by Pirschjaeger:
    Originally posted by Enforcer572005:
        If I won a lottery, I would put a huge reward out for whoever could deliver the heads of the creators of such cr@p to me on a stick.

    Doesn't Norton share the same office space as Microsoft?

    Fritz

No. Microsoft HQ and development sites are in Redmond, Wash. Symantec is HQ'd in Cupertino, California, with development offices around the world.

The two companies do NOT get along.

WWSensei
02-01-2006, 02:12 PM
Originally posted by Jumoschwanz:
The writers of virus and malware programs that affect Microsoft products are self-appointed soldiers in the war against Bill Gates.

If they put all their energy they use to write viruses into making Linux and other Unix operating systems as easy to use as Windows, or into making it into an exact functional replacement for Windows, then they would have a much better chance at taking Microsoft down.

All they are doing this way is to strengthen public opinion against anything but Microsoft.

Just goes to show that "book smart" doesn't mean smart period. Or, I know lots of people who are doctors, lawyers and Indian chiefs, and computer programmers, but they still manage to f u c k up their lives and never learn to relax and do things the easy way.

Jumoschwanz

For a few of the virus writers your idea of them just being "anti-Bill Gates" is true. For a vast majority of the botnet operators it isn't nearly that simple. Over the last 4-5 years a growing number of the virus writers are from organized groups (either terrorist related or organized crime syndicates) doing so with the intent to either cripple specific targets or outright blackmail various companies.

And Linux/UNIX variants aren't safe either...just less popular. If you run an IRC client on a Linux box you are just as likely to be sucked into a botnet as a Windows box. Shoot, the very first Internet worm to strike came from the Unix world--not Windows. And no, I'm no Gates shill...I'm pretty much a Unix bigot, but a badly administered Unix box is just as bad as a badly managed Windows one--sometimes even worse, because critical data is more likely to be hosted on them.

Pirschjaeger
02-01-2006, 04:10 PM
A little more info

http://www.stuff.co.nz/stuff/0,2106,3558992a28,00.html

Pirschjaeger
02-01-2006, 04:10 PM
Originally posted by WWSensei:
    Originally posted by Pirschjaeger:
        Originally posted by Enforcer572005:
            If I won a lottery, I would put a huge reward out for whoever could deliver the heads of the creators of such cr@p to me on a stick.

        Doesn't Norton share the same office space as Microsoft?

        Fritz

    No. Microsoft HQ and development sites are in Redmond, Wash. Symantec is HQ'd in Cupertino, California, with development offices around the world.

    The two companies do NOT get along.

I was kidding.