New mass mailer spreading (Blackmal/Grew/Nyxem)

Published: 2006-01-18
Last Updated: 2006-01-18 03:15:12 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)
We got several submissions of new mass mailer worm spreading around. Besides the usual stuff that worms do these days (disable AV programs, scan the local system to find new e-mail addresses) this one is a bit more interesting as the attachment can be either an executable file or a MIME file that contains an executable file.

The sample we received had attachment named Attachments00.HQX - which is actually just an uuencoded file:

begin 664 Attachments,zip                                      .SCR
M35J0``,````$````__\``+@`````````0```````````````````````````
M````````````````````H`````X?N@X`M`G-(;@!3,TA5&AI<R!P<F]G<F%M

You can also see a typical "insert a lot of spaces before the real extension" trick.

Detection of the worm is decent with various AV programs and they remain inconsistent for naming as always (Symantec calls this worm W32.Blackmal.E@mm, Trend Micro calls it WORM_GREW.A, while Sophos calls it W32/Nyxem-D - go figure!).
Seems like we'll have to wait more for CME.
Keywords:
0 comment(s)

Comments


Diary Archives