A dangerous new worm is spreading across the Internet and internal networks, most commonly as an e-mail attachment and via P2P file sharing. It is identified as Worm/Generic.FX (also known as Generic, Blackmal, Grew, Kapser, KillAV, MyWife, Nyxem, Small, Tearec, VB).
When the worm is launched it copies itself as scanregw.exe, Net.exe and at.exe in the Windows System folder and as Rundll16.exe in the Windows folder and registers the scanregw.exe file as ScanRegistry in HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run key in the Windows Registry.
* This virus terminates several running processes.
* On the 3rd day of every month this virus overwrites files with doc, xls, mdb, mde, ppt, pps, zip, rar, pdf, psd and dmp extensions.
As a precaution everyone should update their anti-virus definitions.
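The file and registry names above give a defender something concrete to check for. The script below is an added example, not from the original post or from any vendor, and assumes only the indicator names listed above: it inspects the ScanRegistry Run value and the dropped file locations, and treats Net.exe and at.exe with care because Windows ships legitimate tools with those names.

```powershell
# Added example: check a Windows host for the persistence artifacts this post
# attributes to Worm/Generic.FX (Nyxem.E). A hit is a lead for a proper
# anti-virus scan, not proof of infection on its own.
$runKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$sysDir  = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$winDir  = $env:WINDIR
$dropped = @(
    (Join-Path $sysDir 'scanregw.exe'),
    (Join-Path $sysDir 'Net.exe'),
    (Join-Path $sysDir 'at.exe'),
    (Join-Path $winDir 'Rundll16.exe')
)
$findings = @()

# 1. The Run value the worm registers (ScanRegistry -> scanregw.exe).
$runValue = Get-ItemProperty -Path $runKey -Name 'ScanRegistry' -ErrorAction SilentlyContinue
if ($runValue) {
    $findings += "Run value 'ScanRegistry' present: $($runValue.ScanRegistry)"
}

# 2. Dropped copies. Net.exe and at.exe are also names of legitimate Windows
#    tools, so for those two only flag a file that is not Microsoft-signed
#    (assumption: the legitimate copies carry a valid Microsoft signature).
foreach ($path in $dropped) {
    if (-not (Test-Path -LiteralPath $path)) { continue }
    $sig = Get-AuthenticodeSignature -FilePath $path
    $legitName = [IO.Path]::GetFileName($path) -in @('Net.exe', 'at.exe')
    if ($legitName -and $sig.Status -eq 'Valid' -and
        $sig.SignerCertificate.Subject -like '*Microsoft*') { continue }
    $hash = (Get-FileHash -Path $path -Algorithm SHA256).Hash
    $findings += "Suspicious file $path (signature: $($sig.Status), SHA256: $hash)"
}

if ($findings.Count -eq 0) {
    Write-Output 'No Nyxem.E persistence indicators found.'
} else {
    $findings | ForEach-Object { Write-Output "ALERT: $_" }
    Write-Output 'Run an updated anti-virus scan and verify backups taken before the 3rd of the month.'
}
```

Run it from an elevated PowerShell prompt so the System32 files and HKLM key are readable; the SHA256 printed for a flagged file can be submitted to your anti-virus vendor for confirmation.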
From eWeek:
By Ryan Naraine
"Microsoft's anti-malware engineering team has joined the chorus of calls for computer users to be on high alert for an e-mail worm that uses social engineering tactics to deliver a destructive payload.
The company issued an official security advisory to back up a warning from its anti-malware researchers that the worm—known as Kama Sutra, Blackworm, MyWife.E, Nyxem.E—is programmed to "permanently corrupt a number of common document format files on the third day of every month."
Microsoft is beating the drum for PC users to update anti-virus signatures and be on high alert for suspicious e-mail attachments.
Volunteer security researchers have already notified ISPs about possible customer infections and the LURHQ Threat Intelligence Group has released Snort signatures to help enterprises detect infected users in a net-space.
F-Secure chief incident officer Mikko Hypponen said the first reports of destruction have already started to filter in.
"The destructive deadline of the Nyxem.E worm is based on the clock of the infected machine. So if you're infected and your clock is not set right, things could start to happen at any time—even though the official activation time is the 3rd of the month," Hypponen explained in a blog entry.
"We've already received first reports from users who've had files on their system overwritten by the worm."
When the worm activates, it destroys all Microsoft Word, Microsoft Excel, PowerPoint, PDF, ZIP and PSD files on all available drives.
"This is nasty," Hypponen said, noting that the payload may also affect a USB thumb drive, external hard drives and network drives.
"If you're taking daily automatic backups you might end up backing up the corrupted files over good files," he warned.
The number of machines already infected is believed to be in the range of 300,000, mostly in India, Turkey and Peru. But, with ISPs already notified, most of those machines may already have been cleaned.
In Microsoft's advisory, the company said the malware sends itself to all the contacts that are contained in an infected system's address book. It is also programmed to spread over writeable network shares on systems that have blank administrator passwords.
The company also issued the following guidance for Windows users:
Use up-to-date antivirus software:
Most anti-virus software can detect and prevent infection by known malicious software. Always run anti-virus software that is automatically updated with the latest signature files to help protect from infection.
Use caution with unknown attachments:
Use caution before opening unknown e-mail attachments, even if the sender is known. If you cannot confirm with the sender that a message is valid and that an attachment is safe, delete the message immediately. Then, run up-to-date anti-virus software to check your computer for viruses.
Use strong passwords:
Strong passwords on all privileged user accounts, including the Administrator account, will help block this malware's attempt to spread through network shares."
As a precaution you may want to source tools before you are infected.