Privacy & Security
Blackworm / Mywife / Nyxem / Kama sutra
A virus first discovered in January 2006 brought a level of panic not seen for a few years, including worldwide television news reports of a virus initially portrayed as a potential doomsday because it would delete files on an infected computer on the 3rd of each month and disable your anti-virus software to prevent it being detected and deleted. Fortunately the virus was nowhere near as devastating as the hype surrounding it.
False Blackworm infection warnings
The high public awareness of this worm is now being exploited by the rogue Winfixer application, which issues false Blackworm infection warnings to trick you into buying the Winfixer or Winantivirus scanner to remove it. This page is about the actual Blackworm virus; if you are receiving pop-up warnings saying you are infected with Blackworm, see the separate page on false Blackworm warnings for more information and removal instructions.
Facts about the Blackworm virus.
It is not a new virus, it is a slightly amended version of the Mywife virus that was first reported back in March 2004.
At the point of infection, the worm will connect to this website http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=765247.
The page displays a 'hit counter' apparently to show the number of infected machines. It is the number of infections that caused alarm and panic, but it should not be taken seriously.
The counter is very inaccurate, as it records 'hits' rather than unique visitors. It also appears to have been hit with a DoS attack, as many hits have been recorded from one IP address, and despite the counter currently showing several million, anti-virus vendors and help forums are reporting no, or very few, infections.
Some of the anti-virus software this virus seeks to delete consists of old versions: PC-cillin 2002, PC-cillin 2003 and Panda Antivirus 6.0, for example.
ISPs are collectively blocking delivery of these emails, and none are reporting any significant number. This is not the expected effect of millions of infected PCs all trying to send out emails to every address the virus finds.
Although the level of infections has been grossly exaggerated, and the level of hysteria is consequently unwarranted, this one exists purely for destructive purposes, with business networks most at risk of losing important documents.
So in the interests of creating further public awareness (the best defence we have), here is the run-down on the virus and removal instructions, should you need them.
Whilst it may sound quite scary, remember: in order to infect a PC, the user must be logged on as an administrator and open the email attachment.
The subject and body of the email will be made up from strings of the following:
A Great Video
Arab sex DSC-00465.jpg
begin 664
bye
eBook.pdf
>> forwarded message
----- forwarded message -----
forwarded message attached
F**kin Kama Sutra pics
Fw:
Fwd: Crazy illegal Sex!
Fw: DSC-00465.jpg
Fw: Funny :)
Fwd: image.jpg
Fw: Picturs
Fwd: Photo
Fw: Real show
Fw: Sexy
give me a kiss
Hello
hello,
*Hot Movie*
Hot XXX Yahoo Groups
how are you?
i attached the details.
i just any one see my photos.
i send the details
i send the file.
It's Free :)
Miss
Miss Lebanon 2006
My photos
Note: forwarded message attached.
Part 1 of 6 Video clipe
Photos
Please see the file.
ready to be F**KED ;)
Re:
Re: Sex Video
School girl fantasies gone bad
Thank you
The Best Videoclip Ever
the file
VIDEOS! FREE! (US$ 0,00)
What?
Word file
You Must View This Videoclip!
When the attachment drops the worm onto the PC, the PC will appear to freeze, as the keyboard and mouse stop responding; the only way out is to restart the PC.
It will add a registry key to ensure it runs each time the computer is started. Blackworm will attempt to connect to Microsoft and Yahoo to determine whether there is an internet connection. It will then connect to http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=765247 to record the infection on the hit counter. The virus uses ActiveX controls to help achieve connectivity to the internet.
Blackworm will set about protecting itself by deleting a large number of files and registry keys associated with the following programmes -
Avast4 anti-virus software.
AVG7 anti-virus software.
Bearshare P2P file sharing program.
Computer Associates Anti-virus software
Kaspersky anti-virus software.
Limewire P2P file sharing program.
Mcafee Security center, anti-virus, Personal firewall and Online scan
Morpheus File sharing program.
Norton Security center and Anti-virus corporate edition.
Panda 6 Anti-virus software.
Trend-Micro Firewall, anti-virus, Online and Email scanners
The virus will also close all windows as they open that contain any of the following words in their title or description:
FIX
KASPERSKY
MCAFEE
NORTON
REMOVAL
SCAN
SYMANTEC
TREND MICRO
VIRUS
When the PC's clock/date shows the 3rd of the month (beginning 3rd February 2006), 30 minutes after the PC starts up it will search the computer's hard drive and overwrite all files with the following extensions with an error message: 'DATA Error [47 0F 94 93 F4 K5]'
.doc
.mdb
.mde
.ppt
.pps
.zip
.rar
.pdf
.psd
.dmp
.xls
This is of particular concern to businesses as all Microsoft Word, Excel and PowerPoint documents will be destroyed.
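The two conditions just described (the date/uptime trigger and the list of targeted extensions) are the facts an administrator needs to prioritise backups before the 3rd arrives. The script below is an added example, not code from the original page: it builds a small constructed directory tree, reports which files would be overwritten according to the extension list above, and evaluates the trigger window. The tree layout, the function names and the sample timestamps are all assumptions made for the demonstration.

```python
import os
import tempfile
from datetime import datetime, timedelta

# Extensions the page says the payload overwrites on the 3rd of the month.
TARGET_EXTS = {".doc", ".mdb", ".mde", ".ppt", ".pps", ".zip", ".rar",
               ".pdf", ".psd", ".dmp", ".xls"}

# Trigger condition as stated in the text: the 3rd of any month, starting
# 3 February 2006, once the machine has been running for 30 minutes.
FIRST_TRIGGER = datetime(2006, 2, 3)
UPTIME_BEFORE_PAYLOAD = timedelta(minutes=30)


def payload_would_fire(now, boot_time):
    """True when the date and uptime condition the page describes is met."""
    if now < FIRST_TRIGGER or now.day != 3:
        return False
    return now - boot_time >= UPTIME_BEFORE_PAYLOAD


def check_trigger(timestamp, uptime_minutes):
    """Convenience wrapper: timestamp is 'YYYY-MM-DD HH:MM', uptime in minutes."""
    now = datetime.strptime(timestamp, "%Y-%m-%d %H:%M")
    return payload_would_fire(now, now - timedelta(minutes=uptime_minutes))


def at_risk_files(root):
    """Walk root and return the paths whose extension is on the target list, grouped by extension.

    Extension matching is case-insensitive: Windows would treat offer.DOC and offer.doc alike.
    """
    found = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = os.path.splitext(name)[1].lower()
            if ext in TARGET_EXTS:
                found.setdefault(ext, []).append(os.path.join(dirpath, name))
    return found


def build_sample_tree():
    """Constructed directory tree for the demonstration (not real data); returns its root path."""
    root = tempfile.mkdtemp(prefix="blackworm-demo-")
    layout = [
        "accounts/ledger.xls",
        "accounts/archive.zip",
        "letters/offer.DOC",
        "letters/notes.txt",
        "design/logo.psd",
        "design/logo.png",
    ]
    for rel in layout:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"placeholder content")
    return root


if __name__ == "__main__":
    root = build_sample_tree()
    for ext, paths in sorted(at_risk_files(root).items()):
        print("%s: %d file(s) would be overwritten" % (ext, len(paths)))
    # 3 March 2006, booted at 08:00, checked at 08:40 -> inside the window
    print("fires at 2006-03-03 08:40 after 40 min uptime:", check_trigger("2006-03-03 08:40", 40))
    # same day but only 20 minutes of uptime -> not yet
    print("fires at 2006-03-03 08:20 after 20 min uptime:", check_trigger("2006-03-03 08:20", 20))
```

Run against a real file server the walk would be pointed at the share roots rather than a temporary directory; the output is simply the list to back up first. Note that the 30-minute uptime condition means a machine rebooted just before the 3rd is not safe, only delayed.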
Blackworm will try to spread by sending emails to addresses gathered from the infected PC, and through network shares or active desktops.
Manual detection and removal of this malware is hampered because the worm disguises the file extensions of some of its files: it creates file names like WinZip,zip, then inserts a random number of blank spaces before the real file extension of .src.
So in most windows you would see a file name of WinZip,zip rather than its actual file name of WinZip,zip.src.
Note that it uses the names of legitimate programmes to further confuse the issue.
The worm will also check its files and registry keys every hour to replace anything that has been removed.
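Both the list of lure subjects above and the padded-extension trick just described can be checked automatically at the mail gateway. The following is an added example, not code from the original page: it builds a constructed sample message with Python's standard email library, scores it against a subset of the lure strings, and detects an attachment name whose visible extension is followed by a run of spaces and a second, real extension. The scoring weights, the function names and the sample addresses are assumptions made for the demonstration; a real filter would carry the full lure list.

```python
import os
import re
from email.message import EmailMessage

# A subset of the subject/body fragments listed on the page (enough to show the matching).
LURE_STRINGS = [
    "A Great Video",
    "Fwd: Crazy illegal Sex!",
    "Fw: DSC-00465.jpg",
    "Fw: Picturs",
    "Hot XXX Yahoo Groups",
    "Miss Lebanon 2006",
    "Part 1 of 6 Video clipe",
    "School girl fantasies gone bad",
    "The Best Videoclip Ever",
    "You Must View This Videoclip!",
]

# Extensions Windows treats as executable. The page writes the worm's real extension
# as ".src"; ".scr" (screen saver) is the usual executable one, so both are listed.
EXECUTABLE_EXTS = {".exe", ".scr", ".src", ".pif", ".com", ".bat", ".cmd"}

# A name such as "WinZip,zip        .src": the fake extension the user sees, a run of
# whitespace that pushes the real extension out of the visible column, then the real one.
DISGUISE_RE = re.compile(
    r"^(?P<shown>.*?[,.][A-Za-z0-9]{2,4})\s+(?P<real>\.[A-Za-z0-9]{2,4})$"
)


def disguised_extension(filename):
    """Return (visible_name, real_extension) when whitespace padding hides the real extension, else None."""
    m = DISGUISE_RE.match(filename)
    if m is None:
        return None
    return m.group("shown"), m.group("real").lower()


def triage_message(msg):
    """Score an EmailMessage against the Blackworm indicators. Returns (score, reasons)."""
    score, reasons = 0, []
    text = msg.get("Subject", "")
    attachment_names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            attachment_names.append(name)
        elif part.get_content_type() == "text/plain":
            text += "\n" + part.get_content()
    lowered = text.lower()
    for lure in LURE_STRINGS:
        if lure.lower() in lowered:
            score += 1
            reasons.append("lure text: %r" % lure)
    for name in attachment_names:
        disguise = disguised_extension(name)
        if disguise:
            score += 3
            reasons.append("attachment %r shows %r but is really %s" % (name, disguise[0], disguise[1]))
        real_ext = os.path.splitext(name.rstrip())[1].lower()
        if real_ext in EXECUTABLE_EXTS:
            score += 2
            reasons.append("executable attachment extension %s" % real_ext)
    return score, reasons


def build_sample(subject, body, attachment_name):
    """Constructed sample message for the demonstration (not a real capture)."""
    msg = EmailMessage()
    msg["From"] = "someone@example.com"
    msg["To"] = "you@example.com"
    msg["Subject"] = subject
    msg.set_content(body)
    # Four placeholder bytes stand in for the attachment body; only the name matters here.
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg


if __name__ == "__main__":
    lure = build_sample("Fw: Picturs", "forwarded message attached",
                        "WinZip,zip" + " " * 40 + ".src")
    benign = build_sample("Minutes of Monday's meeting", "Please see the file.",
                          "minutes-2006-02.doc")
    for m in (lure, benign):
        print(m["Subject"], "->", triage_message(m))
```

Generic fragments from the list such as "Hello" or "Please see the file." will match ordinary mail, which is why they are left out of the subset and why the attachment checks carry more weight than any single text match. The disguise check is the useful part: it does not depend on the worm's particular names and flags any attachment whose visible extension is padded away from its real one.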
How do you protect yourself?
The easiest way not to get infected is to not open the attachment, should you receive such an email.
Make sure your Windows operating system and security software are fully updated, in particular any that scans your emails before you open them.
How do you know if you are infected?
A new icon may appear on your desktop; this can be either a zipped folder or one very similar to the WinZip program icon.
Your firewall may detect attempts to connect to Microsoft.com, Yahoo and webstats.web.rcn.net.
The following processes may also show in Task Manager (right-click on a blank part of the taskbar across the bottom of the screen and select Task Manager, then click on the Processes tab):
scanregw.exe
rundll16.exe
Winzip.exe
Update.exe
How do I recover if I am infected?
The following are not targeted by the virus, so should be able to run, detect and clean your system:
Ewido. A free trial is available; compatible with Windows 2000 and XP only.
BitDefender. A free version and a free online scan are available.
Pest Patrol. Commercial malware scanner.
The following companies have specific removal tools.
Sophos
Symantec.
Before running any of the above programmes, physically disconnect the PC from the internet by unplugging the cable from the telephone socket, and isolate all PCs on a network. Each computer on the network will need to be cleaned individually.
You may need to reinstall security software and the WinZip program if it was installed, following removal of the virus.
Manual removal (if preferred).
Warning: deleting the wrong files or registry keys could render your PC unstable or inoperable. If you choose to proceed, it is at your own risk.
In safe mode, physically disconnect your computer from the internet by removing the cable from the telephone socket, and isolate PCs on a network. Each computer on the network will need to be cleaned individually.
Open the command prompt window from Start > Programs > Accessories > Command Prompt.
Type or copy and paste the following commands into the black box, pressing the Enter key after each line (shown as [Enter]). After the final path has been entered, type exit and press the Enter key to close the command prompt box.
del C:\WINZIP_TMP.exe [Enter]
del "C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe" [Enter]
del /f /a:h %windir%\WINZIP_TMP.exe [Enter]
del /f /a:h %windir%\system32\Winzip.exe [Enter]
del /f /a:h %windir%\system32\Update.exe [Enter]
del /f /a:h %windir%\system32\scanregw.exe [Enter]
exit [Enter]
Still in safe mode, use regedit (Start > run and type regedit).
Navigate in the left panel to the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
and delete the value named scanregistry.
Navigate in the left panel to the following key:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\
and delete the ShowSuperHidden value (set to 0).
Restart your computer and run a strong registry/disk cleaner; I recommend using Ace Utilities.
Reconnect to the Internet and Networks.
This information is provided free of charge/subscription/registration and without warranty. All the usual disclaimer jargon applies.
However, if this page has helped resolve your problems without the expense of taking your PC to a repair shop or the hassle of reformatting, you may like to support our efforts with a small donation towards the maintenance and further development of this site and the research to create more pages like this for future malware. Even £1, $1 or €1 can help make sure we are still here should you ever need us again.