Slashdot Mirror


Clock Ticking for Nyxem Virus

DoddyUK writes "The BBC is reporting that the countdown has begun for the Nyxem virus. On February 3rd, common documents such as MS Word, Excel or Powerpoint will be overwritten on infected machines. Over 300,000 machines have been infected thus far, the main method of infection being the promise of porn in unsolicited emails."

21 of 72 comments

  1. Who out there still doesn't get it? by TripMaster+Monkey · · Score: 2, Insightful

    From TFA:
    Nyxem is thought to have caught out many people by promising porn to those who open the attachments on e-mail messages carrying the virus.
    Honestly, are there still computer users out there...even regular users...who don't know this is a bad idea by now???
    --
    ____

    ~ |rip/\/\aster /\/\onkey

    1. Re:Who out there still doesn't get it? by Anonymous Coward · · Score: 2, Funny

      Yes. Hopefully this will stop them from continuing to be idiots.

    2. Re:Who out there still doesn't get it? by Fred+Or+Alive · · Score: 4, Insightful

      As 's elections show, there's an unlimited supply of stupid people in the world.

      --
      10 PRINT "LOOK AROUND YOU ";
      20 GOTO 10
    3. Re:Who out there still doesn't get it? by sepelester · · Score: 2, Insightful

      "Hey, I'm at work. I don't care. The IT guy will take care of it if it's a virus" is still a common way of dealing with the problem.

    4. Re:Who out there still doesn't get it? by sqlrob · · Score: 5, Insightful

      Wow what an optimist.

      Melissa didn't do it.
      Love didn't do it
      MyDoom didn't do it.

      Why do you think this will?

  2. Seems fair enough to me by Threni · · Score: 4, Funny

    Darwin's virus, you could call it. As long as it disables their internet access too, I don't see the problem.

    1. Re:Seems fair enough to me by TripMaster+Monkey · · Score: 4, Informative

      As long as it disables their internet access too, I don't see the problem.

      Unfortunately, that is the problem... it's not going to disable internet access, as that would impair its ability to propagate.

      From F-Secure:
      The 'Nyxem.e' is a mass-mailing worm that also tries to spread using remote shares.
      And from E-Security Planet:
      Worm-Nyxem-E propagates via email. It sends a copy of itself using its own Simple Mail Transfer Protocol (SMTP) server. Having its own SMTP server allows it to send email messages without relying on an email application like Microsoft Outlook.

      --
      ____

      ~ |rip/\/\aster /\/\onkey

  3. The motive? by antifoidulus · · Score: 5, Interesting

    From the article: "It shows a certain intelligence in its design but what's the motive?" he asked, "Pure vandalism does not ring true these days."

    Maybe economic chaos? The virus goes after MS Office files and pdfs, the files that are 9/10 the most economically valuable on a PC. I wonder what the impact of getting rid of massive amounts of these files would be?
    On the plus side, lazy grad students can now say, "The virus ate my thesis" :P

    1. Re:The motive? by dheltzel · · Score: 4, Insightful
      Maybe economic chaos? The virus goes after MS Office files and pdfs, the files that are 9/10 the most economically valuable on a PC. I wonder what the impact of getting rid of massive amounts of these files would be?

      Think of it as a long overdue purge of useless and redundant data on the systems of people who can't be bothered to learn a little about how their computer works or even listen to warning from people who do know a bit. Sort of a way of killing off all the stupid ideas and worthless information before they can do any more harm.

      I know that seems harsh, but the only way I learned how crucial backups are was due to some loss of data (personal, fortunately, not the kind that gets you fired). That lesson has remained fresh in my mind for nearly 20 years. If someone survives an attack without great loss, they are more inclined to be complacent about the next threat. If they do lose something of value, they will consider how to reduce their risk in the future (tested backups, run Linux, don't click on email attachments without caution, etc.).

    2. Re:The motive? by Zocalo · · Score: 3, Interesting
      That's kind of what I was thinking too, what with the reported increase in on-line extortion of the "pay us money or suffer a DDoS" type and all. You could mass mail some destructive worm like Nyxem, see which IPs phoned home to report an infection, and if you see evidence of a significant outbreak in a big network, offer to disable the thing via its control channel for a "small" fee. It's getting a little close to the wire for effective blackmail based around Nyxem though, unless such attempts have not been made public of course...

      I have to admit I've been kind of hoping that something like Nyxem that wipes out data would come along for a while now. After all the mainstream media coverage of such worms and trojans, all of which have preached the "don't click on the attachment" line, there is simply no excuse for this kind of thing. Sure, there's not a lot that the less IT-aware members of the population are going to be able to do about a 0-day exploit like the recent GDI vulnerability, but a mass-mailing and P2P worm? It's harsh, but I think that losing all their documents is the only way that the IT security message is going to reach some people, and if that wakes them up to more involved stuff as well, then so much the better.

      --
      UNIX? They're not even circumcised! Savages!
    3. Re:The motive? by HaydnH · · Score: 2, Funny

      "On the plus side, lazy grad students can now say, "The virus ate my thesis" :P"

      So Holmes, you're saying the culprit is a CS grad student with a project due in on the 4th of February?

      Elementary, my dear Watson...

      --
      Time is an illusion. Lunchtime doubly so. - Douglas Adams
  4. av precautions by AndyST · · Score: 3, Insightful

    I'd fancy a virus overwriting common software such as MS Word, Excel or Powerpoint.

    Jokes aside. A colleague wrote to the department to look out for the virus, back up all documents, bla bla.. I replied, being the one who installed the AV software, that updates are run hourly and that everybody is safe if they apply the same precautions which they usually (should) do.

    So who is right? Me or the colleague who eventually said that my reply to all was counterproductive?

    1. Re:av precautions by OzPeter · · Score: 2

      I would say that you are technically correct, but by doing a reply-all that invalidated your colleague's original email, he feels like you smacked him down, i.e. that your reply also invalidated *him*.

      People are funny like that. No matter how valid your reply is, they take it personally when you point out that they are wrong.

      I once got a corporate-wide email from some guy in some department somewhere, that was telling us to be aware of people calling you on the phone and asking us to punch in a series of digits on the phone's keypad, as that would allow the caller to pwn your long distance calling. This was straight-up urban legend and 2 minutes on Google found me the AT&T page explaining why that was a crock. I emailed this back to the original email writer pointing it out, and he replied that I apparently "... had too much time on my hands".

      --
      I am Slashdot. Are you Slashdot as well?
    2. Re:av precautions by AntiDragon · · Score: 3, Insightful

      That's a loaded question! Woo...

      Depends on the reliability of your AV and how well it's monitored (i.e. can you identify any non-protected machines quickly), as the virus attempts to disable AV software. Remember - there's always a nice window of opportunity between a virus doing the rounds and your AV software being updated to detect it. In this specific example, it'd only need one infected machine with access to some general shares to cause havoc come February 3rd. Just one machine. AV won't stop a standard "Delete" command coming from an authenticated workstation.

      You're very likely perfectly safe. But never assume anything... :D

      As regards backups, well, I'd never let users be responsible for backups anyway. That should be taken care of automatically - either to tape or secure off-site server storage (and preferably non-Windows based) on a very regular basis. Relying on users for any part of data security is A Bad Thing (TM). It's not their fault, but they invariably make dangerous and costly mistakes.

      Besides, you just *know* that they're gonna copy the contents of their home directories to their workstation hard drives and then wonder how their files got deleted from both locations anyway....

      Damn, I'm cynical on a Monday!

      --
      "...So I hung back and lurked. For 18 months. Can't beat a good old-fashioned lurking."
    3. Re:av precautions by csirac · · Score: 2, Informative

      Backing up is incredibly easy compared to the loss of your data.

      Never put all your eggs in one basket. Trusting that "nothing bad will happen", trusting 3rd-party band-aids like virus scanners and patches only makes you unnecessarily vulnerable.

      Not backing up because you don't believe you will ever need it is just as bad as never patching or never updating your virus scanner, because you believe for some reason you'll never get a virus.

      It's incredibly easy to do, there are so many circumstances which can lead to the need for restoring from them, and there's nothing worse than that feeling of "how on earth did I end up with no good backup of my incredibly important data I can't afford to lose".

      And yes, I do speak from experience...

    4. Re:av precautions by andrewmc · · Score: 4, Insightful
      So who is right? Me or the colleague who eventually said that my reply to all was counterproductive?

      I'd agree with your colleague on two points: 1) Telling people not to worry about computer security is just plain wrong. Users need to have it in the backs of their minds that while you are indeed trying to protect them, relying solely on that is an accident waiting to happen. 2) Suppose an infected machine does make it onto your network? Since the virus can destroy files on remote network shares, it is, as I understand it, still possible that data loss can occur on remote machines that are "immune" to the virus.
  5. Is it really as widespread as claimed? by prefect42 · · Score: 3, Insightful

    We've had all sorts of warnings about this bugger, but I've yet to actually see an infected machine.

    Is this just hysteria whisked up by the AV vendors?

    --

    jh

  6. Hurry, before it's too late! by ticklejw · · Score: 5, Funny

    Now's a great time for porn-enjoying Windows users to switch to Linux! All the fun of free Internet porn with none of the viral infection.

    --
    "Software is like sex; it's better when it's free." -Linus Torvalds
    1. Re:Hurry, before it's too late! by Lysdexic2 · · Score: 2, Funny

      So, let me get this straight. I used to just have to worry about viral infections with real sex. Now I have to worry about infections with Internet sex as well? Where's it going to stop. Thinking about sex makes your palm pilot explode?

  7. Please be specific by Princeofcups · · Score: 3, Informative

    DoddyUK writes "The BBC is reporting that the countdown has begun for the Nyxem *Microsoft Windows* virus. On February 3rd, common *Microsoft format* documents such as MS Word, Excel or Powerpoint will be overwritten on infected *Microsoft Windows* machines. Over 300,000 *Microsoft Windows* machines have been infected thus far, the main method of infection being the promise of porn in unsolicited emails."

    jfs

    --
    The only thing worse than a Democrat is a Republican.
  8. Missing the point by Joiseybill · · Score: 3, Informative

    This virus is very likely a POC and an advance guard to hold doors open for future infection or botnets.
    As stated by others already, LURHQ has distribution stats. http://www.lurhq.com/blackworm.html US infections only number about 5% of the total. Peru and India have most of the worldwide population of this. (This is IP-based, and may not be reliable.)
    I haven't seen another mention, but SANS Storm Center has been following this - and actually has made an offer to sysadmins to share info. They limit the info they will give; if you can reasonably establish that you are the RP for a network or subnet - they will send you a list of known infections in your IP range. They have already sent out notice messages to admins of record (whomever the abuse or tech contact is currently on the whois lookup) using a script. [Check the ISC pages if you really want to know - I don't want to flood them by posting a direct email link here.]
    Referred to in the SANS/ISC history on this http://isc.sans.org/blackworm and previous pages - Fortinet has done extensive analysis. This virus has several actions. Most folks already know it deletes files, breaks AV software, and spreads over Windows shares. What hasn't seen much daylight is that it drops a bunch of registry entries that grant "trusted" status to the virus. http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=119856 I'm not an expert on this mechanism - but I'd assume that any machine with these "bad" trusts in place could easily be compromised later using code that is authenticated against these bad keys.
    I read M$' page on this virus, http://www.microsoft.com/security/encyclopedia/details.aspx?name=Win32%2FMywife.E%40mm as well as a few AV pages. None mention these keys, so I would assume they don't fix this problem.
    Any system that has been infected and then cleaned will probably retain these falsified certificates. This leaves a big hole in place, while some users (even the " all your AV is updated hourly folks.. return to your seats" IT guy) - will have a false sense of security on this.
    Thankfully, many AV programs discovered this virus heuristically. (See links to LURHQ & others.) McAfee, Panda, NOD32, and several others identified and blocked this virus without needing a signature update. This may be why we don't have 2 million AOL/Comcast sheep spreading the virus.
    This should serve as a strong reminder to back up religiously, use defense-in-depth, and enforce strong registry policies when Windows systems are implemented.