Archive for the ‘Security News’ Category

May 27th, 2010

SANS – Internet Storm Center – BlackWorm Summary – Updated Info

BlackWorm Summary

Published: 2006-01-26,
Last Updated: 2006-01-27 02:01:42 UTC by Johannes Ullrich (Version: 3)

About BlackWorm

Over the last week, “Blackworm” infected about 300,000 systems based on analysis of logs from the counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user’s files on February 3rd.

At this point, the worm will be detected by up-to-date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, that anti-virus software obviously can’t be expected to clean up the infection for you.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message (‘DATA Error [47 0F 94 93 F4 K5]’).
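The list of targeted extensions and the overwrite string above are enough to triage a file share for damage after the February 3rd payload fires. The following scanner is an added example, not part of the ISC post: it walks a directory tree, checks only the listed file types, and flags files whose first bytes equal the error string. That the string sits at the very start of an overwritten file is an assumption made here for illustration; the post only says the files are overwritten with that message. The sample tree is constructed inline so the script runs offline.

```python
import os
import tempfile

# Overwrite marker as quoted in the ISC post; assumed here to be the file's leading bytes.
OVERWRITE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# File types the post lists as overwritten (compared case-insensitively).
TARGET_EXTENSIONS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
                     ".rar", ".pdf", ".psd", ".dmp", ".zip"}


def looks_overwritten(path):
    """Return True if the file is a targeted type and begins with the overwrite marker."""
    ext = os.path.splitext(path)[1].lower()
    if ext not in TARGET_EXTENSIONS:
        return False
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(OVERWRITE_MARKER))
    except OSError:
        # Unreadable files are skipped rather than reported as damaged.
        return False
    return head == OVERWRITE_MARKER


def find_overwritten(root):
    """Walk root and return sorted relative paths of files that look overwritten."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if looks_overwritten(full):
                hits.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(hits)


def build_sample_tree():
    """Create a constructed sample directory: three damaged files, two untouched ones."""
    root = tempfile.mkdtemp(prefix="blackworm-triage-")
    samples = {
        "report.doc": OVERWRITE_MARKER + b"\r\n",       # damaged
        "budget.XLS": OVERWRITE_MARKER,                 # damaged, upper-case extension
        "photo.psd": b"8BPS" + b"\x00" * 32,            # intact Photoshop header
        "notes.txt": OVERWRITE_MARKER,                  # not a targeted type, ignored
        "sub/archive.zip": OVERWRITE_MARKER + b" junk", # damaged, in a subdirectory
    }
    for rel, content in samples.items():
        full = os.path.join(root, rel)
        os.makedirs(os.path.dirname(full), exist_ok=True)
        with open(full, "wb") as fh:
            fh.write(content)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for damaged in find_overwritten(sample_root):
        print("overwritten:", damaged)
```

Run it against a copy of the share, not the live one, and compare the output with the backup catalogue to decide which files need restoring; a file of a listed type that does not start with the marker is not proof it survived, only that this particular overwrite pattern was not seen.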

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm

Naming

As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be ‘CME-24’. cme.mitre.org should shortly list this number.

How would I get infected?

The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new “zip file” icon on your desktop.

What will BlackWorm do to my system?

It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.

Removal

Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild “from scratch”:

  1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
  2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.

To read the rest of this post, go here: SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.


May 27th, 2010

SANS – Internet Storm Center – More on Nyxem

More on Nyxem

Published: 2006-01-23,
Last Updated: 2006-01-23 22:13:35 UTC by Bojan Zdrnja (Version: 1)

Although Nyxem is comparatively less widespread than worms like Sober or Netsky, it’s still doing a fair number of rounds.

The graph below is from one of the e-mail gateways with a decent number of e-mails processed daily (around 500,000+). You can see that Nyxem.E is the top malware instance detected in the last 24 hours, with more than double the occurrences of the next most frequently occurring worm (Netsky).

This is not surprising, as the Web counter that the worm visits upon infecting the machine currently shows around 630,000 infections (we can’t be sure that this number is correct). Bert Rapp e-mailed us asking about the URL that the worm visits. This can help you in determining whether a machine is infected, as it will visit the URL with the counter.

The counter is at:

h tt p:// webstats.web.rcn.net/ [REMOVED] / Count.cgi?df=765247

You can search your web logs for this host name (which looks like a legitimate site).
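Because the counter host looks like a legitimate web-statistics site, a plain host-name search will also return benign traffic; matching on the script name and the df=765247 parameter narrows it to the worm’s check-in. The script below is an added example, not from the ISC post or its authors: it parses Squid native access.log lines (an assumed log format; the path segment between the host and Count.cgi is redacted in the post, so the check does not depend on it) and counts how many times each internal client fetched the counter URL. The log lines are constructed for the example.

```python
import re
from collections import Counter
from urllib.parse import urlsplit, parse_qs

# Indicators taken from the ISC post: counter host, script name and query parameter.
COUNTER_HOST = "webstats.web.rcn.net"
COUNTER_SCRIPT = "/count.cgi"
COUNTER_DF = "765247"

# Squid native access.log layout (assumed): time elapsed client code/status bytes method URL ...
LOG_RE = re.compile(
    r"^(?P<ts>\d+\.\d+)\s+\d+\s+(?P<client>\S+)\s+\S+\s+\d+\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)"
)

# Constructed sample log: two hosts hit the counter, one only browses the same site.
SAMPLE_LOG = """\
1138000001.123    45 10.0.0.15 TCP_MISS/200 512 GET http://www.example.org/index.html - DIRECT/192.0.2.10 text/html
1138000002.456    30 10.0.0.15 TCP_MISS/200 300 GET http://webstats.web.rcn.net/REDACTED/Count.cgi?df=765247 - DIRECT/198.51.100.7 image/gif
1138000003.789    28 10.0.0.22 TCP_MISS/200 300 GET http://webstats.web.rcn.net/REDACTED/Count.cgi?df=765247 - DIRECT/198.51.100.7 image/gif
1138000004.000    51 10.0.0.15 TCP_MISS/200 300 GET http://webstats.web.rcn.net/REDACTED/Count.cgi?df=765247 - DIRECT/198.51.100.7 image/gif
1138000005.321    40 10.0.0.31 TCP_MISS/200 900 GET http://webstats.web.rcn.net/other/page.html - DIRECT/198.51.100.7 text/html
"""


def is_counter_hit(url):
    """True if url is the worm's counter: right host, Count.cgi script, df=765247."""
    parts = urlsplit(url)
    if (parts.hostname or "").lower() != COUNTER_HOST:
        return False
    if not parts.path.lower().endswith(COUNTER_SCRIPT):
        return False
    return parse_qs(parts.query).get("df") == [COUNTER_DF]


def find_counter_hits(log_text):
    """Return a Counter of client address -> number of counter fetches."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if m and is_counter_hit(m.group("url")):
            hits[m.group("client")] += 1
    return hits


def suspect_hosts(log_text):
    """Sorted list of clients that fetched the counter at least once."""
    return sorted(find_counter_hits(log_text))


if __name__ == "__main__":
    for client, count in find_counter_hits(SAMPLE_LOG).most_common():
        print(f"{client}: {count} counter fetch(es)")
```

Feed it the real access.log with `find_counter_hits(open(path).read())`; any client in the result should be pulled from the network and rebuilt as the BlackWorm summary advises, since a single check-in is enough to indicate infection.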

Other than that, Fortinet released their in-depth analysis of the Nyxem worm with some pretty interesting details (you can find the original analysis here).
The most interesting part, which I haven’t seen in other analyses of the worm, says:

“Additional Registry Changes

  • The virus is coded to register the dropped ActiveX control through changes to the system registry. By creating the following registry entries, the control is considered “safe” and digitally signed.”

Tricks like this will make worms much more dangerous in the future. If a worm puts a fake CA certificate on an infected machine, MITM attacks become extremely easy. Of course, we all know that once the machine is infected you can’t trust it, but this looks like another (big) problem for the average user out there.

SANS – Internet Storm Center – Cooperative Cyber Threat Monitor And Alert System.

May 21st, 2010

Download FREE Norton Internet Security 2011 & Norton AntiVirus 2011 Public Beta

Sluggish Norton products are a thing of the past, and Norton is working hard to secure its foothold in the security industry. The proof is right in front of us. 2009 was the turning point for this well-known company, after it completely overhauled its Norton antivirus engine (way faster than its predecessor) and introduced its latest flagship, the comprehensive Norton 360 4.0. Recently Norton unveiled the Norton Internet Security 2011 & Norton AntiVirus 2011 Public Beta, and it is available for free.

Features Of Norton AntiVirus 2011 and Internet Security 2011

  • Fast and light protection
  • Protects you from identity theft and related cyber crime.
  • Norton Safe Web – counters the evolving social networking threats
  • Proactively notifies you when other applications are slowing you down and affecting your system performance.

Download Source

Norton Beta Center | Norton Antivirus 2011 | Norton Internet Security 2011


May 21st, 2010

Microsoft Office 2010 RTM Reached & Leaked on the Net

The Office team is working hard towards the completion of Office 2010 (codenamed Office 14), which is scheduled to be released this June, and they have finally reached the release-to-manufacturing (RTM) milestone for SharePoint 2010, Visio 2010 and Project 2010.

The suite, which will be available in 32-bit and 64-bit versions, includes updates to all of Microsoft’s major productivity apps such as Word 2010, Outlook 2010, Excel 2010, PowerPoint 2010, Access 2010, OneNote 2010, InfoPath 2010 and Publisher 2010. There is no particular date stated, but you can pre-order Office 2010 through this link.

Earlier this year we announced that we will officially launch Office 2010 to our business customers on May 12 with Stephen Elop, President of Microsoft’s Business Division, delivering a keynote as part of our virtual launch. Our virtual launch will allow people from around the globe to participate in our launch by going to http://www.the2010event.com. The virtual launch site will showcase product demos, customer and partner testimonials, and interviews with product managers and executives, and we hope this will give you another great way to explore, learn, and get excited about the 2010 releases.

What makes this news more interesting is that the Microsoft Office 2010 RTM (build version 14.0.4763.1000) is already available on the internet, in both 32-bit (x86) and 64-bit (x64) versions, days ahead of April 22 2010, when MSDN & TechNet subscribers can officially download it. You can find more details about the leaked version of Microsoft Office 2010 RTM on MyDigitalLife. As usual, downloading it is not advisable, for several obvious reasons (it may have been tampered with or bundled with malicious scripts, etc.).


May 21st, 2010

Download iPhone 4.0 Beta Jailbreak Tool for iPhone 3G

iPhone OS 4.0 is “jailbreakable”, no doubt about it. We have seen several videos of Comex, Geohotz and ih8sn0w showing off how iPhone OS 4.0 was jailbroken, but none of them could tell us for sure when the tool would be released to the public. While everyone speculated that the release would only come after the official iPhone OS 4.0 debut this summer, the Dev Team surprised us by making the tool, redsn0w 0.9.5, available earlier than expected.

Although the Dev Team has made the redsn0w 0.9.5 BETA available for public download, they have a piece of advice for you:

Please note that this beta is not meant for the average end-user. There are many things “broken” with jailbroken apps in the 4.0beta1 environment right now [...] This beta redsn0w allows the developers behind those jailbroken apps (like MobileTerminal.app!) to fix their software before the general public gets iphoneOS 4.0.

Because it’s meant for JB app developers, this beta redsn0w does not perform hactivation. You’ll need a properly-registered developer UDID with Apple to get past the activation screen. For similar reasons, there is no Windows version of this beta redsn0w (since apps are developed on MacOSX). Please don’t pirate Apple software.

Redsn0w 0.9.5 requirements (as this article is written)

  • iPhone 4.0 beta 1
  • iPhone 3G
  • Mac OSX

Download link

Redsn0w 0.9.5 for Mac OS X


May 21st, 2010

FREE Opera Mini now available in the App Store

When I heard Opera had submitted Opera Mini to the App Store, nothing crossed my mind except that it would be declined outright. However, Apple proved otherwise by accepting Opera Mini into its App Store repository. You can download this small application via the App Store and have an alternative browser for your internet browsing.

The interface of Opera Mini appears to be the same as on every other handset and, as expected, it renders pages beautifully. The best part about Opera Mini is “Opera Turbo”. The images on a web page are compressed, and this allows a page to load almost twice as fast when you are on a slow network.

Wait no more. Fire up iTunes, download Opera Mini and start browsing.

May 21st, 2010

Download FREE TuneUp Utilities 2009 FULL Version

No matter how fast your computer was when you first bought it, the machine will not be able to maintain its top-notch performance all year round. The reasons could be an unfragmented hard drive, accidentally deleted files that need restoring, broken Windows Registry keys, hard drive errors, hidden Windows settings and many other possible causes. You still need to pay a fair amount of attention to maintenance. Fortunately, TuneUp Utilities 2009 is here to do all the tedious work, saving you a lot of time.

Normally TuneUp Utilities 2009 costs $49.95, but the good news is that there is a promotion that makes this wonderful software free.

How to Download FREE TuneUp Utilities 2009 FULL Version?

1. First you need to visit the promotion page. You are required to key in an email address before you can hit the “Request Product Key” button.

2. Once you confirm the email address you previously entered, the product key for TuneUp Utilities 2009 will be sent to that address.

3. Follow the link in your inbox in order to get the TuneUp Utilities 2009 product key.

4. Download the software from here (you can also download it from the activation page). Use the product key to activate TuneUp Utilities 2009. That’s it!

Note: This installation was done on Windows XP. TuneUp Utilities 2009 is not compatible with Windows 7.

Grab it fast before it’s gone!

May 21st, 2010

ZoneAlarm 24 hours promotion on April 13th 2010

ZoneAlarm is one of the most well-known brands in the Internet security industry, protecting over 60 million PCs from hackers, identity theft and virtually any potential threat. Recently we learned that ZoneAlarm is going to run a 24-hour promotion on April 13th 2010. Of course this is exciting news, but we can’t tell for sure whether this is a complete giveaway of one of its products or just a special discount on selected products.

Let’s wait and see.

Promotion Link

May 21st, 2010

iPhone OS 4.0 Multi-Tasking on Videos

We have already learned about the big list of new features in iPhone OS 4.0, but we have never seen them in action. Among them all, multi-tasking is the most longed-for feature, one that should have been on the iPhone long before. With the introduction of this particular feature, along with the other new features, Apple has convinced its fans to grab the next generation of iPhone that will be on the market soon.

Anyway, as promised, here are several videos found on YouTube demonstrating some of the new features of iPhone OS 4.0.
