Porn Worm Set to Execute Nasty Payload on Friday

Be especially wary of unsolicited e-mails claiming to contain obscene pictures and sex movies this week. The W32/Nyxem worm is set to trigger its data-destroying payload on February 3.

The W32/Nyxem-D worm — also known as “Email-Worm.Win32.VB.bi,” “Blackworm,” “[email protected]” or “Grew” — spreads via e-mail using a variety of pornographic disguises and, once run, attempts to disable security software.

When launched, it tries to disable a number of anti-virus and firewall products, and attempts to harvest other e-mail addresses from the infected computer in an effort to spread itself further.

“Companies should educate their users to practice safe computing,” said Graham Cluley, senior technology consultant for Sophos.

“That includes never opening unsolicited e-mail attachments and discouraging the sending and receiving of joke files, pornography and funny photographs and screensavers,” he added. “This worm feeds on people’s willingness to receive salacious content on their desktop computer, but they could be putting their entire company’s data at risk.”

Nasty Subject Lines

The subject lines used in the malicious e-mails include “*Hot Movie*,” “Arab sex DSC-00465.jpg,” “Fwd: Crazy illegal Sex!” and various other suggestive phrases. If the subject lines are offensive, the payloads are even more so.

The payload will destroy DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP files by replacing their contents with the string: “DATA Error [47 0F 94 93 F4 K5].”

The Feb. 3 payload does work and is set to strike on any infected computer, based on the infected machine’s local date and time, according to Ken Dunham, a senior engineer with VeriSign iDefense.

Fact Versus Fiction

The worm may not be nearly as damaging as some fear, however. That’s because the counter it installs can be easily discovered by anyone investigating the worm, Dunham told TechNewsWorld.

“The worm counter may not have started at zero. It records each hit or page view, rather than unique IP addresses, and could be manipulated,” Dunham said. “Data to date shows that this worm is not a massive epidemic but that it is temporarily more successful than long-term persistent threats such as NetSky and Zafi variants.”

The worm does reportedly send out copies of itself as a PDF, such as eBook.PDF. However, if such a file is executed, Adobe Acrobat will not be able to execute the MZ header executable, Dunham said. These types of attachments are not significant threats at this time, in his view.
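The two indicators above, the marker string the payload writes over documents and the “PDF” attachment that is really an MZ executable, are the kind of thing an incident responder would want to check for quickly. The following Python script is an added example and not code from the article, Sophos or iDefense: it takes the marker string, the targeted extensions and the quoted subject lines from the article, and adds its own directory scan to list files already destroyed by the payload plus a check for attachments whose extension claims a document but whose first bytes are a Windows executable header. Treating a repeated marker or trailing NUL bytes as still “overwritten” is this example’s assumption, as is the 64 KiB size cap on files it reads.

```python
"""Added example (not the article's code): triage helpers for the W32/Nyxem-D
indicators described in the text. The marker, extensions and subject lines are
taken from the article; the scanning logic and assumptions are this example's."""
import os
import tempfile
from pathlib import Path

# Bytes the article says the Feb. 3 payload writes over affected files.
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions the article lists as targeted (compared case-insensitively).
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}

# Subject lines quoted in the article; a gateway rule could extend this set.
KNOWN_SUBJECTS = {"*Hot Movie*", "Arab sex DSC-00465.jpg", "Fwd: Crazy illegal Sex!"}

# Document/image extensions that should never begin with a PE ("MZ") header.
DOCUMENT_EXTS = {".pdf", ".doc", ".xls", ".ppt", ".jpg"}

# Assumption: a destroyed file is tiny, so anything larger is skipped unread.
MAX_SCAN_BYTES = 64 * 1024


def is_overwritten(data: bytes) -> bool:
    """True if the file body is the payload marker, written once or repeated
    (assumption), ignoring trailing NULs and newlines."""
    body = data.rstrip(b"\x00\r\n")
    if not body or len(body) % len(NYXEM_MARKER):
        return False
    return body == NYXEM_MARKER * (len(body) // len(NYXEM_MARKER))


def scan_tree(root) -> list:
    """Walk a directory tree and return the paths of target-extension files
    whose contents have been replaced by the marker string."""
    hits = []
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTS:
            continue
        try:
            if path.stat().st_size > MAX_SCAN_BYTES:
                continue
            data = path.read_bytes()
        except OSError:
            continue  # unreadable file: leave it for a manual look
        if is_overwritten(data):
            hits.append(str(path))
    return sorted(hits)


def looks_like_disguised_executable(filename: str, data: bytes) -> bool:
    """True when an attachment's extension claims a document or image but its
    bytes start with the Windows executable signature (the eBook.PDF case)."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in DOCUMENT_EXTS and data[:2] == b"MZ"


def is_known_subject(subject: str) -> bool:
    """Exact, case-insensitive match against the subjects the article quotes."""
    return subject.strip().lower() in {s.lower() for s in KNOWN_SUBJECTS}


def demo() -> list:
    """Build a constructed sample tree and return the base names scan_tree flags."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        (base / "budget.xls").write_bytes(NYXEM_MARKER)        # constructed: destroyed
        (base / "notes.txt").write_bytes(NYXEM_MARKER)         # constructed: not a target ext
        (base / "ok.pdf").write_bytes(b"%PDF-1.4 intact body")  # constructed: intact
        (base / "sub").mkdir()
        (base / "sub" / "old.doc").write_bytes(NYXEM_MARKER * 2 + b"\x00")  # constructed
        return [os.path.basename(p) for p in scan_tree(tmp)]


if __name__ == "__main__":
    print("destroyed files in sample tree:", demo())
    print("eBook.PDF with MZ header flagged:",
          looks_like_disguised_executable("eBook.PDF", b"MZ\x90\x00"))
```

The directory scan only confirms damage already done; the attachment check is the one worth wiring into a mail gateway, since it catches the disguise regardless of which subject line the worm picks.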

Working Against Researchers

Still, there is concern surrounding the worm, because of reports that it can disable the keyboard and mouse and force a restart of the computer immediately after infection. During this process, it creates several Windows registry key values to cause an included OCX file to be trusted. This avoids any dialog boxes that may otherwise occur. It also attempts to delete files in the Program Files directory related to anti-virus software. Those are scary possibilities, but Dunham said the perpetrators are ultimately working against security researchers.

“Slowly evolving threats like Grew.A often lead to increased fear, uncertainty and doubt without the help of an intelligence provider,” Dunham said. “It makes it almost impossible for some to get qualified research data on a worm when there is so much misinformation, aliases, and other data available on the Internet.”
