
Sunday, May 20, 2007

Virus Description - W32.Blackmal.E@mm

Created: 27/01/06

  • CME-24,
  • Win32.Blackmal.F [Computer Associates],
  • Email-Worm.Win32.Nyxem.e [F-Secure],
  • Email-Worm.Win32.Nyxem.e [Kaspersky],
  • W32/MyWife.d@MM [McAfee],
  • W32/MyWife.d@MM!M24 [McAfee],
  • W32/Small.KI@mm [Norman],
  • Tearec.A [Panda Software],
  • W32/Nyxem-D [Sophos]
  • WORM_GREW.{A, B} [Trend Micro]
Description

W32.Blackmal.E@mm is a mass-mailing worm that also tries to spread across networks through open network shares. On the third of each month it deletes data files such as Word documents and Excel spreadsheets.
The 'From' line of the email is spoofed (faked). The Subject line and message body vary, but tend to be of a 'sexual' nature. The attachment varies but often appears to be a 'zip' file.

Damage

Spreads, clogs email servers, generates false alarms, attacks anti-virus programs and deletes Word documents, Excel files, PowerPoint presentations, Access databases, Zips, RARs and Photoshop files on the third of the month. The virus also attacks anti-virus and security software installed on your computer (which is a common feature of modern viruses).
On the 3rd of each month, 30 minutes after the victim computer is rebooted, the worm will overwrite (destroy) files with the following extensions:

  • doc
  • xls
  • mdb
  • mde
  • ppt
  • pps
  • zip
  • rar
  • pdf
  • psd
  • dmp

Files corrupted by the worm contain the following text:
DATA Error [47 0F 94 93 F4 F5]
The worm is capable of disabling the mouse and keyboard of an affected system.
It may also reduce security on your PC.
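
The check below uses the marker text and extension list given above to find files the worm has already overwritten, so you know what to restore from backup. It is an added example, not from the original page or from any anti-virus vendor. Reading only the first 4096 bytes is an assumption (the page says only that corrupted files contain the text), and the sample files in `demo()` are constructed.

```python
import tempfile
from pathlib import Path

# Marker text and extension list exactly as given on this page.
MARKER = b"DATA Error [47 0F 94 93 F4 F5]"
TARGET_EXTS = set("doc xls mdb mde ppt pps zip rar pdf psd dmp".split())
HEAD_BYTES = 4096  # assumption: the marker sits near the start of the file


def is_overwritten(path, head_bytes=HEAD_BYTES):
    """True if the file has a targeted extension and carries the marker."""
    path = Path(path)
    if path.suffix.lstrip(".").lower() not in TARGET_EXTS:
        return False
    try:
        with path.open("rb") as fh:
            return MARKER in fh.read(head_bytes)
    except OSError:
        return False  # unreadable or locked file: skip it, keep scanning


def scan(root):
    """Walk root recursively; return sorted paths that look overwritten."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and is_overwritten(p))


def demo():
    """Build a constructed sample tree; return the file names flagged."""
    samples = {
        "report.DOC": MARKER,                       # overwritten, upper-case ext
        "budget.xls": b"\xd0\xcf\x11\xe0" + b"\x00" * 64,  # intact: OLE2 magic bytes
        "notes.txt": MARKER,                        # marker, but not a targeted type
        "sub/photo.psd": MARKER + b"\r\n",          # overwritten, in a subfolder
    }
    with tempfile.TemporaryDirectory() as root:
        for rel, data in samples.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_bytes(data)
        return sorted(p.name for p in scan(root))


if __name__ == "__main__":
    print(demo())
```

To check a real folder, call `scan()` with its path; the function only reads files and never modifies them.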

Occurrence

Blackmal.E has been seen several times on campus. Symantec AntiVirus is recognising it and stopping it (provided your 'virus definitions' are dated later than 17/01/06).

Advice

Do not read suspicious email. Do not open the attachments with the above names or any unknown attachments. Keep Windows (& Outlook) up-to-date - see Updating Windows. And do not forward warnings to the apparent sender because the apparent sender is NOT the real sender.

Detecting Blackmal.E

An up-to-date copy of Symantec/Norton AntiVirus should detect and prevent infection from Blackmal.E. If you do not have Symantec/Norton AntiVirus and you are worried that you may have an infected computer, you could run an online virus check or contact the Student Help Desk in the Library.

Cleaning Blackmal.E

Use the tool from Symantec: Blackmal Removal Tool.

Further Information

For further info about Blackmal.E:

  • Symantec on W32.Blackmal.E@mm
  • Trend on 'WORM_GREW.A' (w32.Blackmal.E@mm)
