Well, now that I have your full attention, please read the following carefully.
These stories represent the tip of the iceberg. There is a (nother) worm crawling through the internets, and it has a very malicious old skool payload.
Quote:
As the clock continues to tick toward the anticipated destruction of Microsoft Office documents, Adobe files, and backup archives, security companies on Thursday posted their latest research and advice on the Kama Sutra worm.
Also known as Blackworm, Blackmal, MyWife, and Nyxem, the worm has been active for about three weeks. It's a throw-back, designed not to simply hijack a PC or steal confidential information, but to destroy data. Starting Friday, Feb. 3, it will begin corrupting 11 different file formats by overwriting those documents and files with a mindless string of text.
Symantec.com is one trusted place where a removal tool can be found. At home I'm 0 for 3 with one to go (whew!). Symantec has a very thorough description of the threat. I was moved to action. I **STRONGLY URGE YOU** to do likewise.
Quote:
# Deletes the following files:
* %ProgramFiles%\DAP\*.dll
* %ProgramFiles%\BearShare\*.dll
* %ProgramFiles%\Symantec\LiveUpdate\*.*
* %ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
* %ProgramFiles%\Norton AntiVirus\*.exe
* %ProgramFiles%\Alwil Software\Avast4\*.exe
* %ProgramFiles%\McAfee.com\VSO\*.exe
* %ProgramFiles%\McAfee.com\Agent\*.*
* %ProgramFiles%\McAfee.com\shared\*.*
* %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
* %ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
* %ProgramFiles%\Trend Micro\Internet Security\*.exe
* %ProgramFiles%\NavNT\*.exe
* %ProgramFiles%\Morpheus\*.dll
* %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
* %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
* %ProgramFiles%\Grisoft\AVG7\*.dll
* %ProgramFiles%\TREND MICRO\OfficeScan\*.dll
* %ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
* %ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar
Note: %ProgramFiles% is a variable that refers to the program files folder. By default, this is C:\Program Files.
...
# Gathers email addresses from files with the following extensions:
* .htm
* .dbx
* .eml
* .msg
* .oft
* .nws
* .vcf
* .mbx
* .imh
* .txt
* .msf
The worm also gathers email addresses from files with one of the following strings in the full name:
* CONTENT.
* TEMPORARY
# Attempts to send itself as an email to the addresses it gathers using its own SMTP engine. The email will have the following characteristics:
Subject:
One of the following:
* *Hot Movie*
* A Great Video
* Fw:
* Fw: DSC-00465.jpg
* Fw: Funny 
* Fw: Picturs
* Fw: Real show
* Fw: SeX.mpg
* Fw: Sexy
* Fwd: Crazy illegal Sex!
* Fwd: image.jpg
* Fwd: Photo
* give me a kiss
* Miss Lebanon 2006
* My photos
* Part 1 of 6 Video clipe
* Photos
* Re:
* School girl fantasies gone bad
...
When the worm is executed on the 3rd day of every month, it may overwrite files with the following extensions in all drives from A to Z:
* *.doc
* *.xls
* *.mdb
* *.mde
* *.ppt
* *.pps
* *.zip
* *.rar
* *.pdf
* *.psd
* *.dmp
Note: The files are overwritten with the following text:
DATA Error [47 0F 94 93 F4 F5]