Information about the W32/Nyxem.D (W32/Grew.A, Kama Sutra) worm:
W32/Nyxem.D is an email worm. It infects Windows systems and spreads through email and network shares.
The infected email carries a spoofed 'From' address picked at random from the infected system.
The subject of the infected mail will be any one of the following:
*Hot Movie*
Fw: DSC-00465.jpg
Fw: Funny :)
A Great Video
Fw: Picturs
Fw: SeX.mpg
Fw: Sexy
Fw: Real show
Fwd: Crazy illegal Sex!
Fwd: Photo
Fwd: image.jpg
give me a kiss
My photos
Miss Lebanon 2006
Part 1 of 6 Video clipe
School girl fantasies gone bad
Photos
The body of the infected mail will be any one of the following:
>> forwarded message
Fuckin Kama Sutra pics
forwarded message attached.
Hello i attached the details.
Hot XXX Yahoo Groups
how are you?
hello, i send the details.
i send the file.
It's Free :)
i just any one see my photos.
Please see the file.
Re: Sex Video
Note: forwarded message attached.
You Must View This Videoclip!
ready to be FUCKED ;)
The Best Videoclip Ever
the file i send the details
Thank you
VIDEOS! FREE! (US$ 0,00)
What?
The infected attachment will be any one of the following:
007.pif
677.pif
392315089702606E-02,.scR
Arab sex DSC-00465.jpg
Adults_9,zip.sCR
ATT01.zip.sCR
Clipe,zip.sCr
document.pif
Attachments[001],B64.sCr
DSC-00465.pIf
eBook.pdf
DSC-00465.Pif
image04.pif
New Video,zip
New_Document_file.pif
photo.pif
eBook.PIF
School.pif
SeX,zip.scR
Sex.mim
Video_part.mim
Photos,zip.sCR
WinZip.BHX
WinZip.zip.sCR
WinZip,zip.scR
Word.zip.sCR
Word XP.zip.sCR
The worm may also arrive in an encoded form with one of the following file extensions:
.b64
.bhx
.hqx
.uu
.uue
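A mail-gateway check built from the subject and attachment indicators listed above. This is an added example, not Proland's code or anything from the worm itself; the message it scans is a constructed sample with a placeholder attachment body, and it normalises the mixed-case and comma-in-place-of-dot filename tricks before reading the real extension:

```python
import email, email.policy

# Subject lines transcribed from the worm description above, lowercased.
NYXEM_SUBJECTS = {
    "*hot movie*", "fw: dsc-00465.jpg", "fw: funny :)", "a great video", "fw: picturs",
    "fw: sex.mpg", "fw: sexy", "fw: real show", "fwd: crazy illegal sex!", "fwd: photo",
    "fwd: image.jpg", "give me a kiss", "my photos", "miss lebanon 2006",
    "part 1 of 6 video clipe", "school girl fantasies gone bad", "photos"}
EXEC_EXT = {"pif", "scr", "exe"}                        # executable attachment forms
ENCODED_EXT = {"b64", "bhx", "hqx", "uu", "uue", "mim"}  # encoded-container forms

def normalize_name(name):
    """Undo the naming tricks seen above: mixed-case extensions (.sCR, .pIf) and a
    comma standing in for the dot before a decoy inner extension (Adults_9,zip.sCR)."""
    return name.strip().lower().replace(",", ".")

def classify_attachment(name):
    """Return 'executable', 'encoded' or None for an attachment filename."""
    ext = normalize_name(name).rsplit(".", 1)[-1]
    if ext in EXEC_EXT:
        return "executable"
    if ext in ENCODED_EXT:
        return "encoded"
    return None

def scan_message(raw):
    """Return the reasons a raw RFC 822 message matches the Nyxem.D mail profile."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip().lower()
    if subject in NYXEM_SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():
        kind = classify_attachment(part.get_filename() or "")
        if kind:
            hits.append(kind + ":" + part.get_filename())
    return hits

# Constructed sample message for the check; the attachment body is a placeholder.
SAMPLE = """\
Subject: Fw: Picturs
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream
Content-Disposition: attachment; filename="Adults_9,zip.sCR"

placeholder text, not a real attachment
--b1--
"""
```

Names such as "New Video,zip" normalise to a plain archive and are not flagged by extension alone; archives still need content inspection at the gateway.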
Upon execution of the infected attachment, the worm copies itself as scanregw.exe into the Windows System folder.
It also drops the following files:
winzip_tmp.exe and Rundll16.exe in the Windows folder
Update.exe, Winzip.exe, sample.zip and winzip_tmp.exe in the Windows System folder
The worm modifies the registry at the following location to load itself at each startup.
The worm mails itself to these addresses using its own SMTP engine.
It tries to disable some security-related software.
It disables the mouse and keyboard of the infected computer.
The worm carries a payload that is triggered on the 3rd of every month.
It alters all files with the following extensions on the compromised computer.
This worm is also known as KamaSutra, CME-24, W32.Blackmal.E@mm, Email-Worm.Win32.Nyxem.e, Win32.Blackmal.F, W32/MyWife.d@MM, W32/MyWife.d@MM!M24, W32/Nyxem-D, WORM_GREW.A.
Proland Software is the developer of the Protector Plus range of antivirus software packages. Protector Plus 2008 is available for Windows Vista, Windows 95/98/Me, Windows XP, Windows NT/2000/2003 servers and workstations, MS-Exchange 2000/2003, MS-DOS and NetWare servers.
The Protector Plus range of antivirus products offers on-line virus detection and removal. All the packages have the ability to detect and isolate all types of viruses, trojans, worms and other types of malware.
Protector Plus antivirus software can detect and remove the W32/Nyxem.D worm reliably.
These products are updated on a continuous basis, and the latest upgrades for all the platforms are made available for download from this site.