MyWife is causing problems…
Not only is MyWife infecting unsuspecting victims, offering naughty pictures, videos, or a kiss, but she is going to turn destructive on the 3rd of February 2006 and every month after that date!
What? No, I’m not talking about my ‘better half’, my ‘partner’ or my ‘spouse’; you didn’t think I was, did you?
What I’m talking about is the latest nasty piece of malware that appeared on January 20th 2006. This is known as: Nyxem.E, Kama Sutra, W32.Blackmal.E@mm, W32/MyWife.d@MM, Email-Worm.Win32.Nyxem.e, Blackworm and several other names too.
How do I get infected?
Unlike most modern malware this one doesn’t rely on a vulnerability in the operating system or applications on your computer.
Instead it uses a known vulnerability in the ‘WetWare’ [Human behind the keyboard].
To do this it finds those that are vulnerable to the ‘click or double-click attachment’ exploit. This relies on the WetWare’s own internal processing and logic circuits being overridden by more base, animal instincts, such as SEX, which causes a short-circuit of the higher processing and logic functions in the vulnerable ‘WetWare’.
Those vulnerable to this exploit are sometimes known as ‘click-a-holics’.
The end result is an infected computer, unless other mitigating processes block the infection, such as up-to-date anti-virus software.
In other words, you infect your computer because you can’t resist the temptation to open the attachment, just in case it may be ‘interesting’.
What does it look like?
Well, the e-mail may come from someone you know or trust, or from a complete stranger: the infected system that actually sent the e-mail was searched for e-mail addresses, and any it found were used to forge the From: address line. The subject lines include any of the following:

- *Hot Movie*
- A Great Video
- Arab sex DSC-00465.jpg
- eBook.pdf
- Fuckin Kama Sutra pics
- Fw:
- Fw: DSC-00465.jpg
- Fw: Funny
- Fw: Picturs
- Fw: Sexy
- Fwd: image.jpg
- Fwd: Photo
- give me a kiss
- Miss Lebanon 2006
- My photos
- Part 1 of 6 Video clipe
- Re:
- Re: Sex Video
- School girl fantasies gone bad
- The Best Videoclip Ever
- the file
- Word file
- You Must View This Videoclip!
The message body may be one of the following, or just contain the infected attachment:
- ----- forwarded message -----
- >> forwarded message
- F*ckin Kama Sutra pics
- forwarded message attached.
- Hot XXX Yahoo Groups
- how are you?
- i just any one see my photos. It’s Free
- i send the details.
- Note: forwarded message attached.
- OK ?
- Please see the file.
- ready to be F*CKED
- VIDEOS! FREE! (US$ 0,00)
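The subject lines and message bodies above, together with the attachment extensions listed under ‘What does it do?’, are what a mail gateway can actually match on. The following is an added example for this post, not code from the post itself or from any of the vendors linked below. It assumes raw RFC 822 messages as input (for instance, exported from a gateway quarantine); the three sample messages at the bottom are constructed, and the sender address is forged in the same way the worm forges it.

```python
"""Flag inbound mail that matches the Nyxem.E lures listed in this post."""
import email
import os
from email import policy
from email.message import EmailMessage
from typing import Optional

# Subject lines the post lists for the worm, lower-cased for matching.
WORM_SUBJECTS = {
    "*hot movie*", "a great video", "arab sex dsc-00465.jpg", "ebook.pdf",
    "fuckin kama sutra pics", "fw:", "fw: dsc-00465.jpg", "fw: funny",
    "fw: picturs", "fw: sexy", "fwd: image.jpg", "fwd: photo",
    "give me a kiss", "miss lebanon 2006", "my photos",
    "part 1 of 6 video clipe", "re:", "re: sex video",
    "school girl fantasies gone bad", "the best videoclip ever",
    "the file", "word file", "you must view this videoclip!",
}

# Attachment extensions the post lists; the worm varies the case, so compare lower-cased.
WORM_EXTENSIONS = {".pif", ".mim", ".hqx", ".bhx", ".b64", ".scr", ".uu", ".uue"}


def triage_message(raw: bytes) -> dict:
    """Classify one raw message as 'block', 'review' or 'clean', with reasons.

    A worm-style attachment extension is enough to block on its own. A subject
    match is weaker evidence (bare 'Re:' and 'Fw:' are on the list), so it only
    blocks when the message also carries an attachment; otherwise the message
    is queued for human review.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []

    subject = (msg["Subject"] or "").strip().lower()
    subject_hit = subject in WORM_SUBJECTS
    if subject_hit:
        reasons.append(f"subject matches worm lure: {subject!r}")

    attachments = list(msg.iter_attachments())
    ext_hit = False
    for part in attachments:
        name = part.get_filename() or ""
        ext = os.path.splitext(name)[1].lower()
        if ext in WORM_EXTENSIONS:
            ext_hit = True
            reasons.append(f"attachment {name!r} uses worm extension {ext}")

    if ext_hit or (subject_hit and attachments):
        verdict = "block"
    elif subject_hit:
        verdict = "review"
    else:
        verdict = "clean"
    return {"verdict": verdict, "reasons": reasons}


def build_sample(subject: str, attachment_name: Optional[str]) -> bytes:
    """Construct a test message; the From: address is forged, as the worm does."""
    m = EmailMessage()
    m["From"] = "a.friend@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content("forwarded message attached.")
    if attachment_name:
        # Constructed stub bytes, not a real binary.
        m.add_attachment(b"MZ\x90\x00 constructed stub",
                         maintype="application", subtype="octet-stream",
                         filename=attachment_name)
    return m.as_bytes()


# Constructed samples: worm-like, lure subject without attachment, and benign.
SAMPLE_WORM = build_sample("Fw: Picturs", "Picturs.zip.SCR")
SAMPLE_SUBJECT_ONLY = build_sample("give me a kiss", None)
SAMPLE_CLEAN = build_sample("Re: meeting notes", "agenda.pdf")

if __name__ == "__main__":
    for label, raw in [("worm", SAMPLE_WORM),
                       ("subject-only", SAMPLE_SUBJECT_ONLY),
                       ("clean", SAMPLE_CLEAN)]:
        print(label, triage_message(raw))
```

Matching the subject exactly (after trimming and lower-casing) rather than as a substring keeps ordinary replies with a real subject out of the net; the bare ‘Re:’ and ‘Fw:’ entries are why a subject hit alone is only queued for review rather than blocked.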
What does it do?
The worm has a dangerous payload. If the day of the month is the 3rd (3rd of February, 3rd of March, etc.) and the worm’s UPDATE.EXE file is run, it destroys files with the following extensions on all available drives:

- *.doc
- *.xls
- *.mdb
- *.mde
- *.ppt
- *.pps
- *.zip
- *.rar
- *.psd
- *.dmp
The attachments may be a variety of names with one of the following extensions:
.PIF, .MIM, .HQX, .BHX, .B64, .SCR, .UU or .UUE
These can be in upper, lower or mixed case.
The targeted files are overwritten: their contents are replaced with the text string “DATA Error [47 0F 94 93 F4 K5]”.
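Because the payload leaves that fixed marker string in place of the original content, finding out which files on a machine were destroyed is a simple scan. The following is an added example for this post, not a vendor tool. It assumes the marker string appears at the start of a damaged file, as the text above describes, and the small directory tree it scans is constructed in a temporary folder.

```python
"""Locate files overwritten by the Nyxem.E date-triggered payload."""
import os
import tempfile
from datetime import date
from pathlib import Path
from typing import Iterable, List

# Text the worm writes over each targeted file, per the description above.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions the payload targets, per the list above (matched case-insensitively).
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".psd", ".dmp"}


def is_trigger_day(d: date) -> bool:
    """The payload fires on the 3rd of any month."""
    return d.day == 3


def is_overwritten(path: Path) -> bool:
    """True if the file begins with the worm's marker string."""
    try:
        with path.open("rb") as fh:
            head = fh.read(len(MARKER))
    except OSError:
        # Unreadable files are reported as intact; they need a separate look.
        return False
    return head == MARKER


def find_overwritten(root, extensions: Iterable[str] = TARGET_EXTENSIONS) -> List[str]:
    """Walk `root` and return the paths of targeted files that carry the marker."""
    wanted = {e.lower() for e in extensions}
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in wanted and is_overwritten(p):
                hits.append(str(p))
    return sorted(hits)


def build_sample_tree() -> str:
    """Construct a throw-away directory: one destroyed file, two others."""
    root = tempfile.mkdtemp(prefix="nyxem_demo_")
    (Path(root) / "report.doc").write_bytes(MARKER)          # destroyed by payload
    (Path(root) / "budget.XLS").write_bytes(b"\xd0\xcf\x11\xe0 constructed stub")  # intact
    (Path(root) / "notes.txt").write_bytes(MARKER)           # not a targeted extension
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    print("trigger day today:", is_trigger_day(date.today()))
    for hit in find_overwritten(tree):
        print("overwritten:", hit)
```

The extension filter keeps the report focused on the file types the worm goes after; pass a different `extensions` set (or every extension seen on the box) if you want to confirm nothing else was touched.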
This malware can also spread via any Windows shares that the infected computer has access to. It also contains its own SMTP engine to construct outgoing messages and will target a number of security tools/applications, including anti-virus and personal firewalls. Finally the malware adds an icon to the systray, displaying the string “Update Please wait” and connects to a website to increment a counter when a system is originally infected. At this moment in time this counter reads over 1,000,000!
Update: This just in: Fortinet said the worm adds 18 entries to the Windows Registry to slip the ActiveX control by the operating system’s defences. “By creating the following entries, the control is considered ‘safe’ and digitally signed.”
In addition, Trend Micro, which calls the worm ‘WORM_GREW.A’, claims the worm is capable of disabling the mouse and keyboard of an affected system.
How do I protect my computer/self?
Well, for starters, make sure your anti-virus is updated at least once a day; this will then help to mitigate the ‘WetWare’ vulnerability.
At this time there is no fix for the WetWare ‘click or double-click attachment’ exploit; however, repeated exposure tends to reduce the size of the problem, although some affected users are very resistant. Frequent ‘booting’ might help.
Symantec have a stand-alone fix tool for this [for the infected computer, not the WetWare]; it can be downloaded from here: http://securityresponse.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html
Links to descriptions:
More details on this malware can be found via the following links:
http://www.f-secure.com/v-descs/nyxem_e.shtml
http://vil.nai.com/vil/content/v_138027.htm
http://www.sarc.com/avcenter/venc/data/w32.blackmal.e@mm.html
http://www.isc.sans.org/diary.php?storyid=1067
http://secunia.com/virus_information/11803/mywife.d/
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_GREW.A
http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=119856
Please note that this blog has now moved to my own hosted domain here: http://momusings.com/momusings/.
A full RSS/ATOM feed can be found there.
All the data up to the end of December 2006 will be left here; however, all postings from the 1st of January 2007 onwards will only be available at this blog’s new home.
ALL future postings will only be available at the new site.