Results 1 to 6 of 6

Thread: Acch!: BlackWorm - Nasty - ISC News!

  1. #1
    Senior Member genXer's Avatar
    Join Date
    Jun 2005

    Acch!: BlackWorm - Nasty - ISC News!

    Hello all-

    Trying to catch up on some news and I found this on ISC - please read at your earliest convenience:

    Link: http://isc.sans.org/diary.php?storyid=1067

    In case the linkie no workie - here's a quick synopsis from ISC:
    About BlackWorm

    Over the last week, "Blackworm" infected more then 700,000 systems as measured using a counter web site used by the worm to track itself. This worm is different and more serious then other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

    At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.

    The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message( 'DATA Error [47 0F 94 93 F4 K5]').

    We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

    The first thing you should do is to update your anti virus signatures.

    This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm
    Also at the end of the article, ISC offers some links for more information:

    Update: http://www.lurhq.com/blackworm.html
    Trend Micro
    Excellent Stats From LURHQ: http://www.lurhq.com/blackworm-stats.html

    Note: some of these links will offer removal tools. We have not tested any of these tools thoroughly enough to recommend them. They should be used as a "first try" tool, but do not substitute for a full analysis and possible rebuild of the infected system. BlackWorm includes the ability to install additional components. These additional components, if installed, will likely be missed. In addition, a virus like BlackWorm is likely an indication of a more fundamental problem in your security posture and multiple infections are likely.
    \"We\'re the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We\'ve all been raised by television to believe that one day we\'ll all be millionaires and movie gods and rock stars -- but we won\'t. And we\'re learning slowly that fact. And we\'re very, very pissed off.\" - Tyler (Brad Pitt) Fight Club.

  2. #2
    Senior Member
    Join Date
    Sep 2003
    they were talking about this on bugtraq yesterday. I guess the virus writter or some other unkknown person found out the ip of the counter website and was spamming it with the sam ips over and over to make it seem like the virus was doing more than it really was.


    chown -r us ./bases

  3. #3
    Gonzo District BOFH westin's Avatar
    Join Date
    Jan 2006
    SW MO
    I have been looking over grisofts website, www.grisoft.com, for any info on this one... but to no avail. Does anyone know if AVG will catch this?
    \"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink.\"


  4. #4
    Senior Member Deeboe's Avatar
    Join Date
    Nov 2005
    I think this is the same thing. Try here: http://cme.mitre.org/data/list.html#24

    ...or allow me to quote:
    Authentium: W32/Kapser.A@mm
    AVIRA: Worm/KillAV.GR
    CA: Win32/Blackmal.F
    Fortinet: W32/Grew.A!wm
    F-Secure: Nyxem.E
    Grisoft: Worm/Generic.FX
    H+BEDV: Worm/KillAV.GR
    Kaspersky: Email-Worm.Win32.Nyxem.e
    McAfee: W32/MyWife.d@MM
    Norman: W32/Small.KI
    Panda: W32/Tearec.A.worm
    Sophos: W32/Nyxem-D
    Symantec: W32.Blackmal.E@mm
    TrendMicro: WORM_GREW.A
    BTW- Each of those has a link to the AVG website, except for Grisoft...

    If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
    - Sun Tzu, The Art of War


  5. #5
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Well... You have no idea how sad this makes me to have to say....

    I have to admit I have been fighting this little POS on my network since Thursday... It's sneaky... Oh, and in case none of you are aware... Users are idiots... If I get time I will do a write-up on it and the mistakes/lessons I learned about my network if anyone is interested...

    One thing for others I have noticed.... It has multiple attack vectors.. But, the children _seem_ to only act in the manner they were activated... I could be very wrong... But, it's my impression after dealing with all of it's attack vectors for the last frigging week!!!!
    Don\'t SYN us.... We\'ll SYN you.....
    \"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools.\" - Thucydides

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    This is a classic quote...thought we all could use...

    Specially you TS

    "Unfortunately, there is no way to patch user ignorance, and the way this virus propagates is through user ignorance," he said. ( Alain Sergile,a security expert at Internet Security Systems (ISS) in Atlanta.)
    Taken from here


    How people treat you is their karma- how you react is yours-Wayne Dyer

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts