Slashdot Mirror


Clock Ticking for Nyxem Virus

DoddyUK writes "The BBC is reporting that the countdown has begun for the Nyxem virus. On February 3rd, common documents such as MS Word, Excel or Powerpoint will be overwritten on infected machines. Over 300,000 machines have been infected thus far, the main method of infection being the promise of porn in unsolicited emails."

4 of 72 comments

  1. Re:Seems fair enough to me by TripMaster Monkey · Score: 4, Informative

    As long as it disables their internet access too, I don't see the problem.

    Unfortunately, that is the problem... it's not going to disable internet access, as that would impair its ability to propagate.

    From F-Secure:
    The 'Nyxem.e' is a mass-mailing worm that also tries to spread using remote shares.
    And from E-Security Planet:
    Worm-Nyxem-E propagates via email. It sends a copy of itself using its own Simple Mail Transfer Protocol (SMTP) server. Having its own SMTP server allows it to send email messages without relying on an email application like Microsoft Outlook.

    --
    ____

    ~ |rip/\/\aster /\/\onkey
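As an added defender-side example (not from the post or from the vendors it quotes), the worm's own SMTP engine is also what makes it visible at the network edge: a workstation that opens TCP/25 directly to many distinct destinations, bypassing the approved mail relay, behaves like a mass mailer. The log format, addresses and relay IP below are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed firewall connection log (not from the article). Only 10.1.0.5 is
# the sanctioned mail relay; 10.1.2.15 is a workstation fanning out on TCP/25.
SAMPLE_LOG = """\
2006-01-30T10:01:02 ALLOW tcp 10.1.2.15:4410 -> 192.0.2.10:25
2006-01-30T10:01:03 ALLOW tcp 10.1.2.15:4411 -> 198.51.100.7:25
2006-01-30T10:01:03 ALLOW tcp 10.1.2.15:4412 -> 203.0.113.22:25
2006-01-30T10:01:04 ALLOW tcp 10.1.2.15:4413 -> 192.0.2.44:25
2006-01-30T10:01:05 ALLOW tcp 10.1.2.80:3301 -> 10.1.0.5:25
2006-01-30T10:01:06 ALLOW tcp 10.1.0.5:52001 -> 192.0.2.10:25
2006-01-30T10:01:07 ALLOW tcp 10.1.2.33:1080 -> 192.0.2.99:80
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) tcp (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)


def find_direct_smtp_senders(log_text, mail_relays, min_distinct_dests=3):
    """Return {src_ip: sorted distinct SMTP destinations} for hosts that speak
    SMTP directly to destinations other than the approved relays.

    Clients submitting to a relay and relays delivering outbound are expected;
    anything else on TCP/25 is either a misconfiguration or a host running its
    own mail engine. The fan-out threshold separates a stray connection from
    mass-mailing behaviour."""
    dests = defaultdict(set)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group("dport") != "25":
            continue
        src, dst = m.group("src"), m.group("dst")
        if src in mail_relays or dst in mail_relays:
            continue  # legitimate path through the sanctioned relay
        dests[src].add(dst)
    return {src: sorted(d) for src, d in dests.items() if len(d) >= min_distinct_dests}


if __name__ == "__main__":
    for host, targets in find_direct_smtp_senders(SAMPLE_LOG, {"10.1.0.5"}).items():
        print(f"{host} opened SMTP to {len(targets)} distinct hosts, bypassing the relay")
```

The same policy is simplest to enforce, not just detect: block outbound TCP/25 from everything except the relay, and a worm with its own SMTP engine cannot send at all.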

  2. Re:av precautions by csirac · Score: 2, Informative

    Backing up is incredibly easy compared to the loss of your data.

    Never put all your eggs in one basket. Trusting that "nothing bad will happen", trusting 3rd-party band-aids like virus scanners and patches only makes you unnecessarily vulnerable.

    Not backing up because you don't believe you will ever need it is just as bad as never patching or never updating your virus scanner, because you believe for some reason you'll never get a virus.

    It's incredibly easy to do, there are so many circumstances which can lead to the need for restoring from them, and there's nothing worse than that feeling of "how on earth did I end up with no good backup of my incredibly important data I can't afford to lose".

    And yes, I do speak from experience...

  3. Please be specific by Princeofcups · Score: 3, Informative

    DoddyUK writes "The BBC is reporting that the countdown has begun for the Nyxem *Microsoft Windows* virus. On February 3rd, common *Microsoft format* documents such as MS Word, Excel or Powerpoint will be overwritten on infected *Microsoft Windows* machines. Over 300,000 *Microsoft Windows* machines have been infected thus far, the main method of infection being the promise of porn in unsolicited emails."

    jfs

    --
    The only thing worse than a Democrat is a Republican.

  4. Missing the point by Joiseybill · Score: 3, Informative

    This virus is very likely a POC and an advance guard to hold doors open for future infection or botnets.

    As stated by others already, LURHQ has distribution stats: http://www.lurhq.com/blackworm.html US infections only number about 5% of total. Peru and India have most of the worldwide population of this. (This is IP-based, and may not be reliable.)

    I haven't seen another mention, but SANS Storm Center has been following this - and actually has made an offer to sysadmins to share info. They limit the info they will give; if you can reasonably establish that you are the RP for a network or subnet, they will send you a list of known infections in your IP range. They have already sent out notice messages to admins of record (whoever the abuse or tech contact is currently on the whois lookup) using a script. [Check the ISC pages if you really want to know - I don't want to flood them by posting a direct email link here.]

    Referred to in the SANS/ISC history on this (http://isc.sans.org/blackworm and previous pages), Fortinet has done extensive analysis. This virus has several actions. Most folks already know it deletes files, breaks AV software, and spreads over Windows shares. What hasn't seen much daylight is that it drops a bunch of registry entries that grant "trusted" status to the virus: http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=119856 I'm not an expert on this mechanism - but I'd assume that any machine with these "bad" trusts in place could easily be compromised later using code that is authenticated against these bad keys.

    I read M$' page on this virus, http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2FMywife.E%40mm as well as a few AV pages. None mention these keys, so I would assume they don't fix this problem.

    Any system that has been infected and then cleaned will probably retain these falsified certificates. This leaves a big hole in place, while some users (even the "all your AV is updated hourly folks.. return to your seats" IT guy) will have a false sense of security on this.

    Thankfully, many AV programs discovered this virus heuristically (see links to LURHQ & others). McAfee, Panda, NOD32, and several others identified and blocked this virus without needing a signature update. This may be why we don't have 2 million AOL/Comcast sheep spreading the virus.

    This should serve as a strong reminder to back up religiously, use defense-in-depth, and enforce strong registry policies when Windows systems are implemented.