Educause Security Discussion mailing list archives

FW: RIT INFORMATION SECURITY ADVISORY - Nyxem/Blackmal/MyWife/Kama Sutra worm programmed to delete files on Windows PCs on Feb. 3


From: James H Moore <jhmfa () RIT EDU>
Date: Mon, 30 Jan 2006 12:21:51 -0500

As I mentioned on the conference call, we have a standard template for our advisories. This is an example with the Blackmal worm.
 
Jim

________________________________

From: owner-ritstaff () listserver rit edu on behalf of Information Security
Sent: Mon 1/30/2006 11:37 AM
To: ritstaff () listserver rit edu
Subject: RIT INFORMATION SECURITY ADVISORY - Nyxem/Blackmal/MyWife/Kama Sutra worm programmed to delete files on Windows PCs on Feb. 3



RIT INFORMATION SECURITY ADVISORY - Nyxem/Blackmal/MyWife/Kama Sutra worm programmed to delete files on Windows PCs


Why am I receiving this message?


There are reports of a new worm that is infecting Windows PCs. The worm is programmed to delete user files on February 3rd and the 3rd of each month thereafter. The actual spread of the worm is unclear at this time, but the impact on individual PCs could be quite high.

 

* The worm is known by a number of names including Nyxem, MyWife, Blackmal, Grew, KillAV, BlackWorm and Kama Sutra.

* The worm requires user interaction to spread. The user must open the file.

* The worm is spread primarily through e-mail attachments. It will also spread through network shares. The e-mails entice users with subject lines such as:

  1. The Best Videoclip Ever

  2. School girl fantasies gone bad

  3. A Great Video

* The worm will attempt to disable most anti-virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.

* The following file types will be overwritten by the virus on local drives: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, and ZIP.

* The worm will attempt to spread through network shares.

* The worm may disguise itself as a WinZip file. However, the file extension (.zip) is not present.


What is RIT doing to protect my computer?


McAfee VirusScan 8.0i is freely available to all faculty, staff and students at http://www.rit.edu/its/services/security/ and detects the malware. McAfee VirusScan (with up-to-date virus definitions) will often protect against threats like the ones mentioned above.

The ITS Brightmail/MySpam anti-spam service will block the incoming worm on ITS-supported mail servers. However, this will not protect home users or users of other mail servers.


What can I do to protect myself?


To protect yourself against malware that spreads through user interaction, remember the following: 

 

* Keep your Anti-Virus software updated with the most current patches and virus definitions. (Look for your McAfee, Norton, or other antivirus icon in the system tray.)

* As always, exercise care when opening unexpected attachments or links.

* This particular threat masquerades as a WinZip file by displaying the WinZip file icon without the WinZip extension. Display file extensions by going to the Folder Options control panel, selecting the View tab, and deselecting "Hide extensions for known file types." Be careful about opening WinZip files you have received since January 15.

* Back up important user files before February 3rd. If you need assistance backing up files, contact your appropriate support staff.


For more information:


You can read more about this new threat at:

http://www.us-cert.gov/current/current_activity.html#nyxemworm

http://isc.sans.org/blackworm

http://www.f-secure.com/v-descs/nyxem_e.shtml

http://www.pcworld.com/news/article/0,aid,124449,00.asp

 

For information on this and other threats visit http://security.rit.edu or contact:

 

Jim Moore, CISSP, IAM

Information Security Officer

Rochester Institute of Technology

13 Lomb Memorial Drive

Rochester, NY 14623-5603

(585) 475-5406 (office)

(585) 475-7950 (fax)

 

Ben Woelk 
Information Security Office
Rochester Institute of Technology
Ross Building, 10-A200
151 Lomb Memorial Drive 
Rochester, NY 14623

585-475-4122
fbwis () rit edu

http://security.rit.edu

 

