Educause Security Discussion mailing list archives
FW: RIT INFORMATION SECURITY ADVISORY - Nyxem/Blackmal/MyWife/Kama Sutra worm programmed to delete files on Windows PCs on Feb. 3
From: James H Moore <jhmfa () RIT EDU>
Date: Mon, 30 Jan 2006 12:21:51 -0500
As I mentioned on the conference call, we have a standard template for our advisories. This is an example with the Blackmal worm.

Jim

________________________________

From: owner-ritstaff () listserver rit edu on behalf of Information Security
Sent: Mon 1/30/2006 11:37 AM
To: ritstaff () listserver rit edu
Subject: RIT INFORMATION SECURITY ADVISORY - Nyxem/Blackmal/MyWife/Kama Sutra worm programmed to delete files on Windows PCs on Feb. 3

RIT INFORMATION SECURITY ADVISORY - Nyxem/Blackmal/MyWife/Kama Sutra worm programmed to delete files on Windows PCs

Why am I receiving this message?

There are reports of a new worm that is infecting Windows PCs. The worm is programmed to delete user files on February 3rd and the 3rd of each month thereafter. The actual spread of the worm is unclear at this time, but the impact on individual PCs could be quite high.

* The worm is known by a number of names including Nyxem, MyWife, Blackmal, Grew, KillAV, BlackWorm and Kama Sutra.
* The worm requires user interaction to spread. The user must open the file.
* The worm is spread primarily through e-mail attachments. It will also spread through network shares. The e-mails entice users with subject lines such as:
  1. The Best Videoclip Ever
  2. School girl fantasies gone bad
  3. A Great Video
* The worm will attempt to disable most anti-virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.
* The following file types will be overwritten by the virus on local drives: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, and ZIP.
* The worm will attempt to spread through network shares.
* The worm may disguise itself as a WinZip file. However, the file extension (.zip) is not present.

What is RIT doing to protect my computer?

McAfee VirusScan 8.0i is freely available to all faculty, staff and students at http://www.rit.edu/its/services/security/ and detects the malware.

McAfee VirusScan (with up-to-date virus definitions) will often protect against threats like the ones mentioned above. The ITS Brightmail/MySpam anti-spam service will block the incoming worm on ITS-supported mail servers. However, this will not protect home users or users of other mail servers.

What can I do to protect myself?

To protect yourself against malware that spreads through user interaction, remember the following:

* Keep your Anti-Virus software updated with the most current patches and virus definitions. (Look for your McAfee, Norton, or other antivirus icon in the system tray.)
* As always, exercise care when opening unexpected attachments or links.
* This particular threat masquerades as a WinZip file by displaying the WinZip file icon without the WinZip extension. Display file extensions by going to the Folder Options control panel, selecting the View tab, and deselecting "Hide extensions for known file types." Be careful about opening WinZip files you have received since January 15.
* Back up important user files before February 3rd. If you need assistance backing up files, contact your appropriate support staff.

For more information:

You can read more about this new threat at:

http://www.us-cert.gov/current/current_activity.html#nyxemworm
http://isc.sans.org/blackworm
http://www.f-secure.com/v-descs/nyxem_e.shtml
http://www.pcworld.com/news/article/0,aid,124449,00.asp

For information on this and other threats visit http://security.rit.edu or contact:

Jim Moore, CISSP, IAM
Information Security Officer
Rochester Institute of Technology
13 Lomb Memorial Drive
Rochester, NY 14623-5603
(585) 475-5406 (office)
(585) 475-7950 (fax)

Ben Woelk
Information Security Office
Rochester Institute of Technology
Ross Building, 10-A200
151 Lomb Memorial Drive
Rochester, NY 14623
585-475-4122
fbwis () rit edu
http://security.rit.edu