January 27th, 2006, 12:51 AM
#1
Acch!: BlackWorm - Nasty - ISC News!
Hello all-
Trying to catch up on some news and I found this on ISC - please read at your earliest convenience:
Link: http://isc.sans.org/diary.php?storyid=1067
In case the linkie no workie - here's a quick synopsis from ISC:
About BlackWorm
Over the last week, "Blackworm" infected more than 700,000 systems as measured using a counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.
At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.
The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').
We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.
The first thing you should do is to update your anti virus signatures.
This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm
Also at the end of the article, ISC offers some links for more information:
Links
Update: http://www.lurhq.com/blackworm.html
www.f-secure.com
http://blogs.securiteam.com
Symantec
Trend Micro
Update:
Excellent Stats From LURHQ: http://www.lurhq.com/blackworm-stats.html
Note: some of these links will offer removal tools. We have not tested any of these tools thoroughly enough to recommend them. They should be used as a "first try" tool, but do not substitute for a full analysis and possible rebuild of the infected system. BlackWorm includes the ability to install additional components. These additional components, if installed, will likely be missed. In addition, a virus like BlackWorm is likely an indication of a more fundamental problem in your security posture and multiple infections are likely.
"We're the middle children of history.... no purpose or place. We have no Great War, no Great Depression. Our great war is a spiritual war. Our great depression is our lives. We've all been raised by television to believe that one day we'll all be millionaires and movie gods and rock stars -- but we won't. And we're learning slowly that fact. And we're very, very pissed off." - Tyler (Brad Pitt) Fight Club.
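The ISC synopsis above gives two concrete facts a responder can act on once the payload has fired: the list of targeted extensions, and the fixed string the worm writes over each file. The script below is an added example, not part of the ISC diary or of this thread; it walks a directory tree and flags files of the listed types whose contents start with that marker, so you can inventory what was destroyed before deciding what to restore from backup. The sample tree it builds (budget.xls, report.doc, notes.txt, archive.zip) is constructed for the demonstration and is not real victim data. It finds damaged files only; it does not detect the infection itself, which is what the up-to-date AV signatures the diary mentions are for.

```python
import os
import tempfile
from pathlib import Path

# Marker string the ISC diary says the worm writes over the original file contents.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# File types the diary lists as overwrite targets.
TARGET_EXTS = {
    ".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
    ".rar", ".pdf", ".psd", ".dmp", ".zip",
}


def is_overwritten(path: Path) -> bool:
    """True if the file begins with the worm's marker string.

    Only the first few bytes are read, so a large intact file is cheap to check.
    Unreadable files (locked, permission denied) are reported as not overwritten
    rather than aborting the whole scan.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(MARKER) + 16)
    except OSError:
        return False
    return head.startswith(MARKER)


def scan_tree(root) -> list[str]:
    """Return the relative POSIX paths of targeted files that carry the marker."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTS and is_overwritten(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree(root) -> Path:
    """Constructed sample data for the demo (not real files from an infection)."""
    root = Path(root)
    (root / "docs").mkdir(parents=True, exist_ok=True)
    # A spreadsheet that the payload replaced with the marker string.
    (root / "docs" / "budget.xls").write_bytes(MARKER)
    # An untouched Word file: OLE2 magic bytes followed by ordinary content.
    (root / "docs" / "report.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"quarterly report")
    # Same marker, but .txt is not on the target list, so the scanner ignores it.
    (root / "notes.txt").write_bytes(MARKER)
    # A trashed archive at the top level.
    (root / "archive.zip").write_bytes(MARKER)
    return root


def demo() -> list[str]:
    """Build the sample tree in a temp dir and scan it; returns the damaged files."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_tree(build_sample_tree(tmp))


if __name__ == "__main__":
    for hit in demo():
        print("OVERWRITTEN:", hit)
```

Run it against a real share with `scan_tree("/path/to/share")`; the hit list is the set of files that must come from backup, which is the first step the diary asks for. Files the worm hit that already carry a different extension, or that were later rewritten by an application, will not be found, so treat an empty result as "nothing found", not "nothing lost".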
January 27th, 2006, 04:20 PM
#2
They were talking about this on Bugtraq yesterday. I guess the virus writer or some other unknown person found out the IP of the counter website and was spamming it with the same IPs over and over to make it seem like the virus was doing more than it really was.
http://sunbeltblog.blogspot.com/2006...bly-d-day.html
http://sunbeltblog.blogspot.com/2006...o-reality.html
February 1st, 2006, 09:49 PM
#3
I have been looking over grisofts website, www.grisoft.com, for any info on this one... but to no avail. Does anyone know if AVG will catch this?
"Those of us that had been up all night were in no mood for coffee and donuts, we wanted strong drink."
-HST
February 1st, 2006, 10:13 PM
#4
I think this is the same thing. Try here: http://cme.mitre.org/data/list.html#24
...or allow me to quote:
Authentium: W32/Kapser.A@mm
AVIRA: Worm/KillAV.GR
CA: Win32/Blackmal.F
Fortinet: W32/Grew.A!wm
F-Secure: Nyxem.E
Grisoft: Worm/Generic.FX
H+BEDV: Worm/KillAV.GR
Kaspersky: Email-Worm.Win32.Nyxem.e
McAfee: W32/MyWife.d@MM
Norman: W32/Small.KI
Panda: W32/Tearec.A.worm
Sophos: W32/Nyxem-D
Symantec: W32.Blackmal.E@mm
TrendMicro: WORM_GREW.A
BTW- Each of those has a link to the AVG website, except for Grisoft...
-Deeboe
If you know the enemy and know yourself, you need not fear the result of a hundred battles. If you know yourself but not the enemy, for every victory gained you will also suffer a defeat. If you know neither the enemy nor yourself, you will succumb in every battle.
- Sun Tzu, The Art of War
http://tazforum.**********.com/
February 1st, 2006, 10:14 PM
#5
Well... You have no idea how sad this makes me to have to say....
I have to admit I have been fighting this little POS on my network since Thursday... It's sneaky... Oh, and in case none of you are aware... Users are idiots... If I get time I will do a write-up on it and the mistakes/lessons I learned about my network if anyone is interested...
One thing for others I have noticed.... It has multiple attack vectors.. But, the children _seem_ to only act in the manner they were activated... I could be very wrong... But, it's my impression after dealing with all of its attack vectors for the last frigging week!!!!
Don't SYN us.... We'll SYN you.....
"A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
February 2nd, 2006, 04:27 PM
#6
This is a classic quote... thought we all could use it...
Especially you, TS.
"Unfortunately, there is no way to patch user ignorance, and the way this virus propagates is through user ignorance," he said. (Alain Sergile, a security expert at Internet Security Systems (ISS) in Atlanta.)
Taken from here
http://edition.cnn.com/2006/TECH/int...orm/index.html
MLF
How people treat you is their karma- how you react is yours-Wayne Dyer