If numbers on a Web counter are any indication, a worm programmed to destroy files on infected machines Feb. 3 is spreading rapidly, and new details show it could be harder to detect than first thought.
According to the SANS Internet Storm Center (ISC), the Web counter Nyxem uses to tally infections is up to 630,000, though SANS has no way to know for sure if the counter is accurate.
According to a Monday posting on the Bethesda, Md.-based center's Web site, Nyxem is less widespread than worms like Sober or Netsky were in their first days, but it's still spreading fairly quickly. "Nyxem-E is the top malware instance detected in last 24 hours, with more than double the occurrences of the next-highest occurring worm (Netsky)."
The worm has a destructive payload that's set to go off the third day of each month, starting Feb. 3, Helsinki-based AV firm F-Secure Corp. has warned on its Web site. It has been designated a Radar Level 2 threat, F-Secure's second-highest alert level. Radar Level 2 means a new virus is causing large infections.
But alarm over Nyxem -- also known as Grew and Blackmal -- is hardly universal among AV firms. Cupertino, Calif.-based Symantec Corp. was maintaining a Level 1 ThreatCon as of Tuesday morning. Glendale, Calif.-based Panda Software has maintained a Global ThreatWatch level of green, indicating normal conditions.
Infection details summarized
Describing Nyxem's payload, F-Secure said, "The worm's destructive payload activates on every third day of the month by replacing the content of users' files with a text string 'DATA Error [47 0F 94 93 F4 K5].' Among these files are .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd and .dmp."
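Because the advisory says affected files are replaced outright with a short, fixed string, damage from the payload is easy to inventory after the fact. The following triage script is an added example, not code from the article or from F-Secure: it walks a directory tree, looks only at the extensions the advisory lists, and reports every file whose entire content is the quoted string. It assumes the string is written as plain ASCII with at most trailing whitespace (the advisory gives the text but not the exact bytes), and the sample files it scans are constructed inline for demonstration.

```python
import os
import shutil
import tempfile
from pathlib import Path
from typing import List

# The replacement string quoted in the F-Secure advisory, as bytes.
# Assumption: the payload writes it as plain ASCII, possibly with a
# trailing newline; the advisory does not state the exact encoding.
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# File extensions the advisory lists as targets of the payload.
TARGET_EXTENSIONS = {
    ".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
    ".zip", ".rar", ".pdf", ".psd", ".dmp",
}


def is_overwritten(path: Path) -> bool:
    """Return True if the file's entire content is the marker string.

    A real document, archive or PDF is never this short, so an exact
    match (ignoring trailing whitespace) is a reliable sign the file
    was overwritten rather than merely containing the text somewhere.
    """
    try:
        with path.open("rb") as fh:
            # Read a little past the marker so a longer file fails the match.
            head = fh.read(len(NYXEM_MARKER) + 16)
    except OSError:
        return False  # unreadable files are skipped, not reported
    return head.strip() == NYXEM_MARKER


def find_overwritten_files(root: Path) -> List[str]:
    """Walk `root` and return POSIX-style paths (relative to root) of
    target-extension files whose content is the marker string, sorted."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = Path(dirpath) / name
            if path.suffix.lower() in TARGET_EXTENSIONS and is_overwritten(path):
                hits.append(path.relative_to(root).as_posix())
    return sorted(hits)


def build_constructed_sample(root: Path) -> None:
    """Populate `root` with constructed sample files (not real artefacts):
    two overwritten target files, one intact document, one overwritten
    file with an extension the payload does not touch, and an intact archive."""
    (root / "reports").mkdir(parents=True)
    (root / "reports" / "q4.xls").write_bytes(NYXEM_MARKER)
    (root / "reports" / "notes.doc").write_bytes(NYXEM_MARKER + b"\r\n")
    (root / "reports" / "intact.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"A" * 4096)
    (root / "readme.txt").write_bytes(NYXEM_MARKER)  # .txt is not on the list
    (root / "backup.zip").write_bytes(b"PK\x03\x04" + b"\x00" * 64)


def demo() -> List[str]:
    """Build the constructed sample in a temporary directory, scan it,
    clean up, and return the overwritten target files that were found."""
    tmp = Path(tempfile.mkdtemp(prefix="nyxem_triage_"))
    try:
        build_constructed_sample(tmp)
        return find_overwritten_files(tmp)
    finally:
        shutil.rmtree(tmp, ignore_errors=True)


if __name__ == "__main__":
    import sys
    # Pass a directory to scan it; with no argument, run the constructed demo.
    root = Path(sys.argv[1]) if len(sys.argv) > 1 else None
    hits = find_overwritten_files(root) if root else demo()
    for hit in hits:
        print("overwritten:", hit)
    print(f"{len(hits)} file(s) match the payload signature")
```

Run it against a user's document share to produce a restore list for backups; the exact-content check is deliberate, since a substring search would also flag this article, incident notes, or any other document that merely quotes the string.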
The F-Secure advisory also describes the subject lines and message text the worm is using.
Sunnyvale, Calif.-based Fortinet Inc. said in an advisory that the worm "will attempt to connect to networked computers using the logon name 'Administrator.' It will then try to delete files associated with antivirus software installations both locally and across networked systems. Additionally, the virus will attempt to damage P2P application installations by deleting .dll component files from various local folders."
Fortinet said the worm is also coded to register the dropped ActiveX control through changes to the system registry. The registry entries it creates cause the control to be treated as "safe" and digitally signed. A list of the registry entries appears in the advisory.
Tokyo-based Trend Micro calls the worm Grew-A and said it spreads by attaching copies of itself to e-mail messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. It can then send e-mail messages without using mailing applications such as Microsoft Outlook, the firm added.
"Upon execution, it drops and opens a non-malicious .zip archive named SAMPLE.ZIP in the Windows system folder," Trend Micro said. "Moreover, this worm deletes autostart registry entries as well as associated files of several programs, most of which are related to security and antivirus applications. The said routines may cause referenced programs to malfunction, effectively making the affected system more vulnerable to further attacks."
In addition, Trend Micro said, the worm is capable of disabling the mouse and keyboard of an affected system. "It also creates a scheduled task using Windows Task on Windows NT, 2000, XP, and Server 2003 to execute itself on the 59th minute after it was dropped," Trend Micro said. "On Windows 2000, XP, and Server 2003, it drops a copy of itself in the All Users Startup folder."