Blackworm / Mywife / Nyxem / Kama sutra

A virus first discovered in January 2006 brought a level of panic not seen for a few years, including worldwide television news reports that initially portrayed it as a potential doomsday: it would delete files on an infected computer on the 3rd of each month and disable anti-virus software to prevent itself being detected and removed. Fortunately the virus was nowhere near as devastating as the hype surrounding it.

False Blackworm infection Warnings

The high public awareness of this worm is now being exploited by the rogue Winfixer application, which issues false Blackworm infection warnings to trick you into buying the Winfixer or Winantivirus scanner to remove it. This page is about the actual Blackworm virus; if you are receiving pop-up warnings saying you are infected with Blackworm, see here for more information and removal instructions.

Facts about the Blackworm virus.

It is not a new virus; it is a slightly amended version of the Mywife virus that was first reported in March 2004.

At the point of infection, the worm will connect to this website http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=765247.

The page displays a 'hit counter', apparently to show the number of infected machines. It is this number that caused the alarm and panic, but it should not be taken seriously.

The counter is very inaccurate: it records 'hits' rather than unique visitors, and it also appears to have been hit with a DoS attack, as many hits have been recorded from a single IP address. Despite the counter currently showing several million, anti-virus vendors and help forums are reporting no, or very few, infections.

Some of the anti-virus software this virus seeks to delete is old: PC-cillin 2002, PC-cillin 2003 and Panda Antivirus 6.0, for example.

ISPs are collectively blocking delivery of these emails, and none is reporting any significant number. This is not the expected effect of millions of infected PCs all trying to send emails to every address the virus finds.

Although the level of infection has been grossly exaggerated and the hysteria is consequently unwarranted, this worm exists purely for destructive purposes, with business networks most at risk of losing important documents.

So in the interests of creating further public awareness (the best defence we have), here is the rundown on the virus and removal instructions, should you need them.

Whilst it may sound quite scary, remember: in order to infect a PC, the user must be logged on as an administrator and open the email attachment.

The subject and body of the email will be made up from the following strings:

A Great Video
Arab sex DSC-00465.jpg
begin 664
bye
eBook.pdf
>> forwarded message
----- forwarded message -----
forwarded message attached
F**kin Kama Sutra pics
Fw:
Fwd: Crazy illegal Sex!
Fw: DSC-00465.jpg
Fw: Funny :)
Fwd: image.jpg
Fw: Picturs
Fwd: Photo
Fw: Real show
Fw: Sexy
give me a kiss
Hello
hello,
*Hot Movie*
Hot XXX Yahoo Groups
how are you?
i attached the details.
i just any one see my photos.
i send the details
i send the file.
It's Free :)
Miss
Miss Lebanon 2006
My photos
Note: forwarded message attached.
Part 1 of 6 Video clipe
Photos
Please see the file.
ready to be F**KED ;)
Re:
Re: Sex Video
School girl fantasies gone bad
Thank you
The Best Videoclip Ever
the file
VIDEOS! FREE! (US$ 0,00)
What?
Word file
You Must View This Videoclip!

When the attachment drops the worm, the PC will appear to freeze, as the keyboard and mouse stop responding; the only way out is to restart the PC.
It adds a registry key to ensure it runs each time the computer is started. Blackworm will attempt to connect to Microsoft and Yahoo to determine whether there is an internet connection. It will then connect to http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=765247 to record the infection on the hit counter. The virus uses ActiveX controls to help achieve connectivity to the internet.

Blackworm will set about protecting itself by deleting a large number of files and registry keys associated with the following programmes:

Avast4 anti-virus software.
AVG7 anti-virus software.
Bearshare PSP file sharing program.
Computer Associates Anti-virus software
Kaspersky anti-virus software.
Limewire P2P file sharing program.
Mcafee Security center, anti-virus, Personal firewall and Online scan
Morpheus File sharing program.
Norton Security center and Anti-virus corporate edition.
Panda 6 Anti-virus software.
Trend-Micro Firewall, anti-virus, Online and Email scanners

The virus will also close any window, as it opens, whose title or description contains any of the following words:
FIX
KASPERSKY
MCAFEE
NORTON
REMOVAL
SCAN
SYMANTEC
TREND MICRO
VIRUS

When the PC's clock shows the 3rd of the month, beginning 3 February 2006, the worm will, 30 minutes after the PC starts up, search the computer's hard drive and overwrite all files with the following extensions with the text 'DATA Error [47 0F 94 93 F4 K5]':
.doc
.mdb
.mde
.ppt
.pps
.zip
.rar
.pdf
.psd
.dmp
.xls

This is of particular concern to businesses as all Microsoft Word, Excel and PowerPoint documents will be destroyed.

Blackworm will try to spread by sending emails to addresses gathered from the infected PC, and through network shares or active desktops.

Manual detection and removal of this malware is hampered because the worm disguises the file extensions of some of its files: it creates file names like WinZip,zip and then inserts a random number of blank spaces before its real file extension of .src.
So in most windows you would see a file name of WinZip,zip rather than its actual file name of WinZip,zip.src.

Note it uses names of legitimate programmes to further confuse the issue.
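As an added detection example (not code from the original page or its author), the Python below flags a message whose subject contains one of the strings listed above and whose attachment name hides its real extension behind a run of spaces, the disguise just described. The embedded subject list is a subset of the page's list; the set of executable extensions is an assumption and includes .src exactly as the page reports it.

```python
import os
import re

# Subject fragments copied from the page's list (subset; extend from the full list).
NYXEM_SUBJECTS = (
    "A Great Video", "Fwd: Crazy illegal Sex!", "Fw: DSC-00465.jpg", "Fw: Funny :)",
    "Fw: Picturs", "Fwd: Photo", "Miss Lebanon 2006", "My photos",
    "Part 1 of 6 Video clipe", "The Best Videoclip Ever",
    "You Must View This Videoclip!", "Hot XXX Yahoo Groups",
)

# Assumed set of extensions a double-click executes on Windows. The page reports the
# worm's real extension as ".src" (hidden behind a run of spaces), so it is included.
EXECUTABLE_EXTS = {".exe", ".scr", ".src", ".pif", ".com", ".bat", ".cmd"}

# A displayed name, then two or more spaces, then the real extension at the very end.
PADDED_NAME = re.compile(r"^(?P<shown>\S(?:.*\S)?)[ \t]{2,}(?P<real>\.[A-Za-z0-9]{1,4})$")


def analyze_attachment_name(name: str) -> dict:
    """Return what a narrow file dialog shows versus the extension Windows will use."""
    m = PADDED_NAME.match(name)
    if m:
        shown, real, padded = m.group("shown"), m.group("real").lower(), True
    else:
        shown, real, padded = name, os.path.splitext(name)[1].lower(), False
    return {
        "shown": shown,
        "real_ext": real,
        "padded": padded,
        "executable": real in EXECUTABLE_EXTS,
    }


def classify_email(subject: str, attachments: list) -> dict:
    """Score one message: a known Nyxem subject string and/or a disguised executable."""
    reasons = []
    if any(s.lower() in subject.lower() for s in NYXEM_SUBJECTS):
        reasons.append("subject matches a Blackworm/Nyxem string")
    for att in attachments:
        info = analyze_attachment_name(att)
        if info["padded"] and info["executable"]:
            reasons.append(f"padded name hides executable: {info['shown']!r} -> {info['real_ext']}")
        elif info["executable"]:
            reasons.append(f"executable attachment: {att!r}")
    return {"suspicious": bool(reasons), "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample: the WinZip,zip disguise with 40 spaces before the real extension.
    print(classify_email("Fw: Picturs", ["WinZip,zip" + " " * 40 + ".src"]))
```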

The worm will also check its files and registry keys every hour and replace anything that has been removed.

How do you protect yourself?
The easiest way not to get infected is not to open the attachment should you receive one of these emails.
Make sure your Windows operating system and security software are fully updated, in particular any software that scans your emails before you open them.

How do you know if you are infected?
A new icon may appear on your desktop; this can be either a zipped folder or one very similar to the WinZip program icon.
Your firewall may detect attempts to connect to Microsoft.com, Yahoo and webstats.web.rcn.net.

The following processes may also show in your Task Manager (right-click on a blank part of the taskbar across the bottom of the screen, select Task Manager, then click on the Processes tab):
scanregw.exe
rundll16.exe
Winzip.exe
Update.exe


How do I recover if I am infected?
The following are not targeted by the virus, so they should be able to run, detect and clean your system:
Ewido. A free trial is available, compatible with Windows 2000 and XP only.
BitDefender. A free version and a free online scan are available.
PestPatrol. A commercial malware scanner.

The following companies have specific removal tools:
Sophos
Symantec.

Before running any of the above programmes, physically disconnect the PC from the internet by unplugging the cable from the telephone socket, and isolate all PCs on a network. Each computer on the network will need to be cleaned individually.

You may need to reinstall security software and the WinZip program if it was installed, following removal of the virus.

Manual removal (if preferred).
Warning: deleting the wrong files or registry keys could render your PC unstable or inoperable. If you choose to proceed, it is at your own risk.

In safe mode, physically disconnect your computer from the internet by removing the cable from the telephone socket, and isolate PCs on a network. Each computer on the network will need to be cleaned individually.

Open the command prompt window from Start > Programmes > Accessories > Command Prompt.
Type or copy and paste the following commands into the black box, pressing the Enter key after each line (shown as [Enter]). After the final path has been entered, type exit and press the Enter key to close the command prompt window.
del C:\WINZIP_TMP.exe      [Enter]

del "C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"     [Enter]

del /f /a:h  %windir%\WINZIP_TMP.exe     [Enter]

del /f /a:h  %windir%\system32\Winzip.exe      [Enter]

del /f /a:h  %windir%\system32\Update.exe      [Enter]

del /f /a:h  %windir%\system32\scanregw.exe     [Enter]

exit      [Enter]

Note that the path containing spaces must be enclosed in double quotes, otherwise del treats each word as a separate file name and the file is not deleted. The /f /a:h switches force deletion of files the worm has marked hidden.



Still in safe mode, use regedit (Start > run and type regedit).

Navigate in the left panel to the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
and delete scanregistry

Navigate in the left panel to the following key:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
and delete ShowSuperHidden=0

Restart your computer and run a strong registry/disk cleaner; I recommend using Ace Utilities.

Reconnect to the Internet and Networks.



This information is provided free of charge, subscription or registration, and without warranty. All the usual disclaimer jargon applies.
However, if this page has helped resolve your problems without the expense of taking your PC to a repair shop or the hassle of reformatting, you may like to support our efforts with a small donation towards the maintenance and further development of this site, and the research to create more pages like this for future malware. Even £1, $1 or €1 can help make sure we are still here should you ever need us again.
©Internet Inspiration, 2003.      All registered trademarks are observed and respected.