A new worm spreading in cyberspace could make life difficult for IT administrators Feb. 3. That's when its file-corrupting payload is set to go off for the first time, Helsinki-based AV firm F-Secure Corp. warned on its Web site.
Nyxem-E is a Radar
AV firms have followed a familiar trend with this worm, with different vendors giving it different names, such as Grew and Blackmal.
The Bethesda, Md.-based SANS Internet Storm Center (ISC) weighed in on the threat on its Web site, saying: "The interesting (or is it scary?) part of [F-Secure's] analysis is the revelation that on the third of the month it will attempt to delete a lot of documents off the user's disks, including Office documents (*.doc, *.xls, *.ppt, *.pps), .pdf files, .zip and .rar archives, among others. They also report that based on a counter on a Web page that the worm updates, there are in excess of 400,000 machines infected [at the time of the ISC update]."
The numbers on that counter were still climbing Sunday morning.
"The Web counter used by the Nyxem worm now shows over 510,000 infections and keeps rising," Hypponen said on the F-Secure site. "Our internal reporting system shows a steady stream of Nyxems being reported from all over the world, from USA to Australia. If the worm keeps this pace, Friday the 3rd of February might be nasty. That's when the destructive payload is programmed to strike for the first time."
Of Nyxem's programming, F-Secure said, "The worm's destructive payload activates on every third day of the month by replacing the content of users' files with a text string 'DATA Error [47 0F 94 93 F4 K5].' Among these files are .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd and .dmp."
The F-Secure advisory also describes the subject lines and message text that the worm is using.
Tokyo-based Trend Micro calls the worm Grew-A and said it spreads by attaching copies of itself to e-mail messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. It can then send e-mail messages without using mailing applications such as Microsoft Outlook, the firm added.
"Upon execution, it drops and opens a non-malicious .zip archive named SAMPLE.ZIP in the Windows system folder," Trend Micro said. "Moreover, this worm deletes autostart registry entries as well as associated files of several programs, most of which are related to security and antivirus applications. The routines may cause referenced programs to malfunction, effectively making the affected system more vulnerable to further attacks."
In addition, Trend Micro said, the worm is capable of disabling the mouse and keyboard of an affected system. "It also creates a scheduled task using Windows Task on Windows NT, 2000, XP, and Server 2003 to execute itself on the 59th minute after it was dropped," Trend Micro said. "On Windows 2000, XP, and Server 2003, it drops a copy of itself in the 'All Users Startup' folder."
As dire as F-Secure's warning is, advisories from other AV vendors, such as Sophos, McAfee and Fortinet, do not mention the potential Feb. 3 strike date, while a mix of vendors make note of its file-corrupting payload.
The ISC Web site noted that while AV firms seem prepared to deal with the worm, this is another case where naming of the worm is inconsistent from one firm to the next.
"Detection of the worm is decent with various AV programs and they remain inconsistent for naming as always," ISC said. "Symantec calls this worm W32.Blackmal-E@mm, Trend Micro calls it WORM_GREW-A, while Sophos calls it W32/Nyxem-D -- go figure! [It] seems like we'll have to wait more for CME."
The Common Malware Enumeration (CME) initiative was started by the United States Computer Emergency Readiness Team (US-CERT) with the goal of creating a more consistent virus-naming process. Security experts often complain that inconsistent naming across the board creates confusion for IT administrators who are trying to respond to a given threat.