About BlackWorm
Over the last week, "Blackworm" infected more then 700,000 systems as measured using a counter web site used by the worm to track itself. This worm is different and more serious then other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.
At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.
The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message( 'DATA Error [47 0F 94 93 F4 K5]').
We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.
The first thing you should do is to update your anti virus signatures.
This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page:
http://isc.sans.org/blackworm
Reply With Quote