Nyxem aka Blackmal Worm

You are here : Home→Topics→Latest Threats→Nyxem aka Blackmal Worm

Antivirus Software Essentials
Free Virus Removal Tools Top Windows Antivirus Top Spyware Scanners Top Internet Scams Email Hoaxes and Myths

Antivirus Offers
AntiVirus Coupon AntiVirus Gold Hardware AntiVirus Windows 95 AntiVirus AntiVirus McFee

Topics
Antivirus Reviews Free Antivirus Software Spyware / Adware Latest Threats Internet Scams Security Tips Viruses Explained Types of Viruses

Buyer's Guide
Gifts for Geeks and Gamers Antivirus Software for Windows Security Books for Home Users Antivirus Software Review

links
Related Links Helpful Links

Visitor Focus
Software Free Download Freeware Download Global Info System Matrix Directory Free Antivirus Software

Latest Threats

Nyxem aka Blackmal Worm

Written by lifang

February 20, 2008 15:22

Discovered on January 17, 2006, the Nyxem (also known as Blackmal) worm has a dangerous payload that executes on the 3rd of each month, overwriting files with specific extensions - replacing the data in those files with the following text:

DATA Error [47 0F 94 93 F4 F5]

The targeted extensions are:

The Nyxem worm has several aliases (in fact, no two antivirus vendors seem to agree on a name for this threat). Aliases include: W32/Nyxem-D (Sophos), WORM_GREW.A (Trend Micro), Email-Worm.Win32.VB.bi (Kaspersky), W32/MyWife.d@MM (McAfee), Nyxem.E (F-Secure), W32/Small.KI@mm (Norman), Win32/Blackmal.F (Computer Associates), VB.NEI (Eset), W32.Blackmal.E@mm (Symantec), and Tearec.A (Panda).

In addition, the media and some fringe security groups have nicknamed the worm "Kama Sutra" and/or the "Blackworm".

The Nyxem worm is a mass-mailing email worm that uses a variety of subject lines, some of which are quite provocative. Subject lines include:

The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
Fuckin Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Re:
Fw:
Fw: Picturs
Fw: DSC-00465.jpg
Word file
eBook.pdf
the file
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re: Sex Video
My photos

It is the nature of some of the subject lines that led to the nickname, the "Kama Sutra worm". The message body may be equally suggestive. Examples of the Nyxem worm's message body include:

Note: forwarded message attached. You Must View This Videoclip!
>> forwarded message
Re: Sex Video i just any one see my photos.
It's Free :)
The Best Videoclip Ever
Hot XXX Yahoo Groups
Fuckin Kama Sutra pics
ready to be FUCKED ;)
forwarded message attached.
VIDEOS! FREE! (US$ 0,00)
What?
i send the file.
Helloi attached the details.
Thank you
the file i send the details
hello,
Please see the file.
how are you?
i send the details.

As with most other worms, Nyxem attempts to disable antivirus and security software found running on impacted systems. Nyxem does so by deleting registry keys and files associated with several popular antivirus and security products, as well as forcibly closing application windows that contain the strings Symantec, Scan, Kaspersky, Virus, McAfee, Trend Micro, Norton, Removal, or Fix in their caption title.