Urgent: Blackworm To Blow Up on Friday (February 3, 2006) 
==========
FOREWARNED IS FOREARMED
By Taang Zomi
"This risk may turn out to be nothing and whatever happens, the Internet is NOT going to die ... However effective or ineffective this may be, we urge users to update their anti-virus [signatures] as soon as possible and scan their computers and/or networks," Evron said in a call-to-arms message posted on the SecuriTeam site.
In view of the fact that many of us have received a lot of email messages infected by the same kind of viruses mentioned below, it is imperative that we read the warning and follow the instructions, so that we can escape the breakout on Friday, February 3, 2006. Therefore I hereby forward the following urgent message.

----- Original Message -----
To: taangzomi@...
Sent: Tuesday, January 31, 2006 12:01 PM
Subject: Security Watch: Blackworm To Blow Up on Friday

IN THIS ISSUE
Welcome to the PCMag.com Security Watch Newsletter. Every week we bring you an overview of the current viruses, worms, and other threats and the information you need to combat them. The big news this week is Blackworm, a threat known by many other names, including Kapser.A, Blackmal.F, Grew.A, and Nyxem.E. This Friday it is scheduled to damage the systems which it has infected. We describe the threat itself. We describe how it is spreading across the world and when the various anti-virus companies first responded to it. What is Google blocking the Chinese from seeing? For more on these threats, vulnerabilities and other issues, visit the Watch.
=====
Security Watch: Blackworm Blows Up On Friday
Affects: Windows XP/XP SP2/2000/2003/NT/ME/98/95
Aliases:
- CA: Win32/Blackmal.F
- Fortinet: W32/Grew.A!wm
- TrendMicro: WORM_GREW.A
CME #24
Thanks to F-Secure for their description of the worm, which we use below.
What it does: Blackworm, as you can see from the Aliases entry above, has many names, including one not listed here: Kama Sutra (see why not below). Blackworm has generated a great deal of concern in advance of an event scheduled in the worm itself for this Friday, February 3, on which the malware will turn on its host system, committing widespread damage to data and program files throughout the system.
For the most part, there's nothing all that special about this worm, other than the destructive behavior, the time bomb, and the fact that it uses an HTTP-based counter to keep track of how many copies of itself are up and running on the Internet. Estimates from the low hundreds of thousands to the millions have been bandied about for the number of affected systems. Some have suggested (in fact, I'm one of them) that the counter is not necessarily reliable, and, in fact, may have been tampered with in order to exaggerate the extent of the threat. Those loudest about raising concerns point out that there is good reason to believe that the infection has spread at minimum to hundreds of thousands of systems and that the payload is unusually dangerous.
I don't mean to say that I know it won't be a big deal; I was just questioning the certainty of projections that it would be. Prudence surely dictates that users take reasonable precautions, which are easy enough: Because of the elevated publicity and time allowed before the payload goes off, anti-virus companies have been busy on this one. See who moved fastest on it in the Blackworm Response Time section.
Blackworm spreads conventionally through e-mail attachments, peer-to-peer networks and network shares. The e-mail that carries the worm as an attachment uses one of these subject lines:
- The Best Videoclip Ever
- School girl fantasies gone bad
- A Great Video
- Fuckin Kama Sutra pics
- Arab sex DSC-00465.jpg
- give me a kiss
- Fw: Funny :)
- Part 1 of 6 Video clipe
- You Must View This Videoclip!
- Miss Lebanon 2006
- Re: Sex Video
- My photos

The body of the message will be one of the following:
- Note: forwarded message attached.
- Hot XXX Yahoo Groups
- F*ckin Kama Sutra pics
- ready to be F*CKED ;)
- forwarded message attached.
- VIDEOS! FREE! (US$ 0,00)
- Please see the file.
- ----- forwarded message -----
- i just any one see my photos. It's Free :)
- how are you?
- i send the details.
- OK ?

Usually the worm attaches itself as an executable with one of the following names:
- 007.pif
- DSC-00465.pIf

Sometimes the attachment is an encoded wrapper (MIME .mim or uuencoded .uu) with one of the following names:
- Video_part.mim
- Word_Document.uu

The file name, once unencoded, is one of these (note the mixed case and the space pushed in before the real .scr extension, both there to slip past naive filename filters and past the user's eye):
- New Video,zip .sCr
- Word.zip .sCR

When you execute the attachment, which is about 95 KB in size, it opens the WinZip program, if available on the system, as a decoy. F-Secure reports that the worm blocks all keyboard and mouse input while it runs, leaving Ctrl-Alt-Del as the user's only option.
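The subject, attachment and wrapper lists above are the kind of indicators a mail gateway can act on, but only if the filename check sees through the mixed case, the inserted space and the .uu wrapper. The following is an added example written for this page, not code from the newsletter or from F-Secure: it parses a raw message with Python's standard email library, matches the subject against the page's list, normalises each attachment name to its real last extension, and, for a uuencoded wrapper, reads the inner name from the "begin <mode> <name>" line. The extra executable types in EXEC_EXTS beyond the page's .pif and .scr are an assumption (the ones a gateway would normally block anyway), and the sample messages are constructed, not captures.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject lines transcribed from the page's list, lowercased for comparison.
BLACKWORM_SUBJECTS = {
    "the best videoclip ever", "school girl fantasies gone bad", "a great video",
    "fuckin kama sutra pics", "arab sex dsc-00465.jpg", "give me a kiss",
    "fw: funny :)", "part 1 of 6 video clipe", "you must view this videoclip!",
    "miss lebanon 2006", "re: sex video", "my photos",
}
# .pif and .scr are what the page lists; the rest are an assumption
# (other directly executable types a gateway should treat the same way).
EXEC_EXTS = {"pif", "scr", "exe", "com", "bat", "cmd"}
# Encoded wrappers the worm hides its executable inside (from the page).
WRAPPER_EXTS = {"mim", "uu"}
# uuencode header line: "begin 644 <original file name>"
UU_BEGIN = re.compile(r"^begin\s+[0-7]{3,4}\s+(.+?)\s*$", re.MULTILINE)


def final_extension(name):
    """Lowercased last extension after removing embedded whitespace, so the
    disguised 'New Video,zip .sCr' is recognised as a .scr executable."""
    cleaned = re.sub(r"\s+", "", name)
    return cleaned.rsplit(".", 1)[-1].lower() if "." in cleaned else ""


def classify_message(raw):
    """Return a list of (indicator, value) hits for one raw RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in BLACKWORM_SUBJECTS:
        hits.append(("subject", subject))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = final_extension(name)
        if ext in EXEC_EXTS:
            hits.append(("attachment", name))
        elif ext in WRAPPER_EXTS:
            # Look inside the wrapper: a uuencoded body names the real file
            # on its "begin" line, which is where the .sCr shows up.
            body = (part.get_payload(decode=True) or b"").decode("latin-1", "replace")
            m = UU_BEGIN.search(body)
            inner = m.group(1) if m else ""
            if final_extension(inner) in EXEC_EXTS:
                hits.append(("wrapped_attachment", inner))
            else:
                hits.append(("wrapper", name))
    return hits


def build_sample(subject, filename, payload=b"MZ" + b"\x00" * 94):
    """Constructed test message (not a real capture) with one binary attachment."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content("forwarded message attached.")
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    samples = [
        build_sample("Miss Lebanon 2006", "DSC-00465.pIf"),
        build_sample("Fw: Funny :)", "New Video,zip .sCr"),
        build_sample("Part 1 of 6 Video clipe", "Word_Document.uu",
                     b"begin 644 Word.zip .sCR\n#4$L#\n`\nend\n"),
        build_sample("Quarterly figures", "q4.pdf", b"%PDF-1.4\n"),
    ]
    for raw in samples:
        print(classify_message(raw))
```

The point of final_extension is that a filter which splits on the last "." of the raw name, or compares case-sensitively, sees "sCr" preceded by a space and lets the file through; collapsing whitespace and lowercasing first is what makes the check hold. The .mim case is left as a generic "wrapper" hit here because its inner part is a full nested MIME message rather than a single begin line.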
While you are locked out of the system, the worm copies itself to several locations:
- %Windows%\rundll16.exe
- %System%\scanregw.exe
- %System%\Update.exe
- %System%\Winzip.exe

The names are chosen to look like legitimate components (scanregw.exe is the name of the Windows 9x/ME Registry Checker, and rundll16.exe echoes rundll32.exe), so check the exact paths above rather than trusting a familiar-looking name. It also creates a registry value to start itself every time Windows starts:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry" = "%System%\scanregw.exe /scan"
In order to spread to network and peer-to-peer shares, the worm enumerates all such shares as well as special Windows folders that could point to commonly-used network areas. For each share, the worm lists the files in it, takes one of the file names, appends ".EXE" to it, and saves a copy of itself under that name on the share. If there are no files on the share, it uses one of these names:
- New WinZip File.exe
- Zipped Files.exe
- movies.exe

A separate network spreading routine tries to copy the worm to the following specific share and file names:
- \Admin$\WINZIP_TMP.exe
- \c$\WINZIP_TMP.exe
- \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe

and, at the same time, deletes this file:
- \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.lnk

The swap replaces the WinZip shortcut with a worm executable of the same base name. Because the Startup folder runs at every logon, the copy starts automatically on the remote machine, and it also catches a user who launches the WinZip Quick Pick entry from the Start menu by hand.
Before spreading, the worm checks whether the remote computer has any of the following folders and deletes all files from each one it finds:
- \C$\Program Files\Norton AntiVirus
- \C$\Program Files\Common Files\symantec shared
- \C$\Program Files\Symantec\LiveUpdate
- \C$\Program Files\McAfee.com\VSO
- \C$\Program Files\McAfee.com\Agent
- \C$\Program Files\McAfee.com\shared
- \C$\Program Files\Trend Micro\PC-cillin 2002
- \C$\Program Files\Trend Micro\PC-cillin 2003
- \C$\Program Files\Trend Micro\Internet Security
- \C$\Program Files\NavNT
- \C$\Program Files\Panda Software\Panda Antivirus Platinum
- \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
- \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
- \C$\Program Files\Panda Software\Panda Antivirus 6.0
- \C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus

Finally, the worm creates a scheduled task to run itself on the remote computer at the 59th minute of the current hour.
On the third day of the month, the worm's payload, the UPDATE.EXE program, is run. The publicity has focused on February 3, but this would work on any subsequent 3rd of the month.
The payload replaces the content of all files with the following extensions on all drives with the text string "DATA Error [47 0F 94 93 F4 K5]":
*.doc *.xls *.mdb *.mde *.ppt *.pps *.zip *.rar *.pdf *.psd *.dmp

Because the original bytes are overwritten rather than the files being deleted, there is nothing for an undelete tool to recover; the only way back is a backup taken before the 3rd.

In order to impede security software, the payload attempts to remove the following startup values from the Run and RunServices keys:
- NPROTECT
- ccApp
- ScriptBlocking
- MCUpdateExe
- VirusScan Online
- MCAgentExe
- VSOCheckTask
- McRegWiz
- CleanUp
- MPFExe
- MSKAGENTEXE
- MSKDetectorExe
- McVsRte
- PCClient.exe
- PCCIOMON.exe
- pccguide.exe
- Pop3trap.exe
- PccPfw
- PCCIOMON.exe
- tmproxy
- McAfeeVirusScanService
- NAV Agent
- PCCClient.exe
- SSDPSRV
- rtvscn95
- defwatch
- vptray
- ScanInicio
- APVXDWIN
- KAVPersonal50
- kaspersky
- TM Outbreak Agent
- AVG7_Run
- AVG_CC
- Avgserv9.exe
- AVGW
- AVG7_CC
- AVG7_EMC
- Vet Alert
- VetTray
- OfficeScanNT Monitor
- avast!
- DownloadAccelerator
- BearShare

It also attempts to delete files from these subfolders:
- \DAP\*.dll
- \BearShare\*.dll
- \Symantec\LiveUpdate\*.*
- \Symantec\Common Files\Symantec Shared\*.*
- \Norton AntiVirus\*.exe
- \Alwil Software\Avast4\*.exe
- \McAfee.com\VSO\*.exe
- \McAfee.com\Agent\*.*
- \McAfee.com\shared\*.*
- \Trend Micro\PC-cillin 2002\*.exe
- \Trend Micro\PC-cillin 2003\*.exe
- \Trend Micro\Internet Security\*.exe
- \NavNT\*.exe
- \Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
- \Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
- \Grisoft\AVG7\*.dll
- \TREND MICRO\OfficeScan\*.dll
- \Trend Micro\OfficeScan Client\*.exe
- \LimeWire\LimeWire 4.2.6\LimeWire.jar
- \Morpheus\*.dll

It also scans the registry for other file locations related to the following software and deletes those files as well:
- VirusProtect6
- Norton AntiVirus
- Kaspersky Anti-Virus Personal
- Iface.exe
- Panda Antivirus 6.0 Platinum

And it closes application windows that have any of these strings in their titles:
- SYMANTEC
- SCAN
- KASPERSKY
- VIRUS
- MCAFEE
- TREND MICRO
- NORTON
- REMOVAL
- FIX

Since the payload strips the Run entries and binaries of the products listed above, an anti-virus program that is silently absent after the 3rd is itself an indicator; do not assume a machine is clean just because it is quiet.
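The two file-system effects described on this page, the share-spreading routine that drops "<existing file>.EXE" and fixed-name copies, and the 3rd-of-the-month payload that overwrites documents with a marker string, can both be hunted for with one read-only walk over a share or drive. The following is an added example written for this page, not code from the newsletter or from any vendor's removal tool: it reports documents whose content now begins with the marker, documents of the targeted types that are still intact, and executables that match the worm's drop names or sit beside a file whose name they borrowed. The "<name>.EXE next to <name>" heuristic is inferred from the page's description and is an assumption, as is leaving other .exe files (a real installer, say) unflagged; the sample tree is constructed, not data from an infection.

```python
import tempfile
from pathlib import Path

# Marker string the payload writes over every targeted document (from the page).
DESTROYED_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
# Extensions the payload targets (from the page); compared case-insensitively.
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}
# Fixed file names the spreading routines drop on shares (from the page).
DROPPED_NAMES = {"new winzip file.exe", "zipped files.exe", "movies.exe",
                 "winzip_tmp.exe", "winzip quick pick.exe"}


def is_destroyed(path):
    """True if the file now begins with the payload's marker string."""
    with open(path, "rb") as f:
        head = f.read(len(DESTROYED_MARKER))
    return head == DESTROYED_MARKER


def looks_like_dropped_copy(path):
    """True for the worm's fixed drop names, or for '<existing file>.EXE'
    sitting next to the file whose name it borrowed (assumed heuristic)."""
    name = path.name.lower()
    if name in DROPPED_NAMES:
        return True
    return name.endswith(".exe") and path.with_suffix("").is_file()


def triage(root):
    """Walk a share or drive read-only and sort files into destroyed
    documents, intact documents, and suspected worm copies."""
    root = Path(root)
    report = {"destroyed": [], "intact": [], "dropped": []}
    for p in root.rglob("*"):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        if p.suffix.lower() in TARGET_EXTS:
            report["destroyed" if is_destroyed(p) else "intact"].append(rel)
        elif looks_like_dropped_copy(p):
            report["dropped"].append(rel)
    for key in report:
        report[key].sort()
    return report


def build_sample_tree():
    """Constructed fixture (not data from a real infection): a share on which
    both the spreading routine and the 3rd-of-the-month payload have run."""
    root = Path(tempfile.mkdtemp(prefix="blackworm_triage_"))
    (root / "Docs").mkdir()
    (root / "Docs" / "budget.XLS").write_bytes(DESTROYED_MARKER)
    # OLE2 compound-document header: a Word file the payload did not reach.
    (root / "Docs" / "memo.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 60)
    (root / "Docs" / "memo.doc.EXE").write_bytes(b"MZ" + b"\x00" * 94)
    (root / "archive.zip").write_bytes(DESTROYED_MARKER)
    (root / "New WinZip File.exe").write_bytes(b"MZ" + b"\x00" * 94)
    (root / "setup.exe").write_bytes(b"MZ" + b"\x00" * 94)   # legitimate installer
    (root / "readme.txt").write_text("not a targeted extension")
    return root


if __name__ == "__main__":
    for kind, files in triage(build_sample_tree()).items():
        print(f"{kind}: {files}")
```

Run this against a share before any cleanup tool touches it, so the "dropped" list can be matched against the scheduled task and Startup-folder changes described above, and treat the "destroyed" list as the restore list for backups: those files are gone on disk.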
The worm launches a web browser, with a specific URL located on an ISP client system, the exact location of which we will not specify. The ISP has kept the address functional for research purposes, but says that the total number of hits is far in excess of the number of unique IP addresses generating them. According to an F-Secure report dated January 27, the number of unique IPs is 262,000, which is still fairly large.
How to avoid it: Run anti-virus software and keep it up to date. Run periodic full scans of the system in order to detect attacks that came in before you had signatures for them. Don't open attachments unless you know their source and know what their contents are in advance. Remember that this worm also arrives over network shares, so a clean mailbox by itself does not mean a clean machine.
How to remove it: Many anti-virus companies have created free disinfection utilities for this attack. See the pages linked to in the Aliases list at the top of this page for further information. For instance, the F-Secure utility may be found at http://www.f-secure.com/tools/f-force.zip
"The utility is distributed only in a ZIP archive that contains the following files:
- f-force.exe - the main executable file
- eult.rtf - End User License Terms document
- readme.rtf - Readme file in RTF format
- readme.txt - Readme file in ASCII format