Friday, January 27, 2006

Nyxem.e is a mass-mailing worm: it sends an attachment with the file type bhx (which is actually the worm itself). I was not surprised when an institute where I had studied was infected with the worm (no anti-virus installed either), so the possibility of infection was very high. I won't be surprised if the worm spread to all their students' email and in turn their friends / contacts.

Some behavioral details

1) Coded in Microsoft Visual Basic, it uses remote shares to spread itself.
2) Nasty payload: deletes files of the following types: *.doc/*.xls/*.mdb/*.mde/*.ppt/*.pps/*.zip/*.rar/*.pdf/*.psd/*.dmp
3) It poses as a WinZip file (which is more threatening).
4) It evades anti-virus vendors, in a design much like MyDoom's, by avoiding sending emails to their domains.
5) It also kills the following services (anti-virus products):

So even if the institute I mentioned had an anti-virus, it might have had only one of the leading AVs, and this makes the installation of anti-virus software futile.
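As an added illustration (not code from the original post or from any analysis of the worm itself), here is a small mail-gateway style check in Python for the two attachment traits described above: a file name with the .bhx extension, and an attachment that claims to be a ZIP/WinZip archive but does not start with the ZIP magic bytes. The sample messages are constructed inline with `build_sample`; the flagged extension set and content-type names are assumptions chosen for the example.

```python
"""Attachment screening for the worm behaviour described in the post.

Flags attachments named *.bhx and attachments that claim to be ZIP
archives while lacking the ZIP magic bytes. The extension list and
content types are assumptions for this example, not values taken
from the worm.
"""
import base64
import email

# File extension the post names as the worm's attachment type (assumed list).
SUSPECT_EXTENSIONS = {".bhx"}
# Content types a mail client treats as a ZIP/WinZip archive (assumed list).
ZIP_CONTENT_TYPES = {"application/zip", "application/x-zip-compressed"}
# Local file header signature of a ZIP archive.
ZIP_MAGIC = b"PK\x03\x04"


def scan_message(raw: str) -> list:
    """Return a list of (filename, reason) findings for a raw RFC 822 message."""
    msg = email.message_from_string(raw)
    findings = []
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue
        filename = part.get_filename()
        if not filename:
            continue  # not an attachment
        payload = part.get_payload(decode=True) or b""
        lower = filename.lower()
        ext = lower[lower.rfind("."):] if "." in lower else ""
        if ext in SUSPECT_EXTENSIONS:
            findings.append((filename, "suspect extension " + ext))
        ctype = part.get_content_type()
        claims_zip = ctype in ZIP_CONTENT_TYPES or ext == ".zip"
        if claims_zip and not payload.startswith(ZIP_MAGIC):
            findings.append((filename, "claims ZIP but lacks ZIP magic bytes"))
    return findings


def build_sample(filename: str, ctype: str, body: bytes) -> str:
    """Constructed sample message with one base64 attachment, for offline testing."""
    encoded = base64.b64encode(body).decode("ascii")
    return (
        "From: sender@example.invalid\r\n"
        "To: user@example.invalid\r\n"
        "Subject: test\r\n"
        "MIME-Version: 1.0\r\n"
        'Content-Type: multipart/mixed; boundary="b1"\r\n'
        "\r\n--b1\r\n"
        "Content-Type: text/plain\r\n\r\nsee attached\r\n"
        f'--b1\r\nContent-Type: {ctype}; name="{filename}"\r\n'
        "Content-Transfer-Encoding: base64\r\n"
        f'Content-Disposition: attachment; filename="{filename}"\r\n\r\n'
        f"{encoded}\r\n--b1--\r\n"
    )


if __name__ == "__main__":
    # Constructed executable-looking body (MZ header) disguised as a ZIP.
    for name, ctype in (("photo.bhx", "application/octet-stream"),
                        ("invoice.zip", "application/zip")):
        print(name, scan_message(build_sample(name, ctype, b"MZ\x90\x00")))
```

The magic-byte check catches the WinZip disguise regardless of what the headers claim; in a real gateway the same logic would sit behind the MIME parser and quarantine rather than print.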

I was particularly interested in this one because its payload is to delete almost all essential files on the hard disk on Feb 3, or the 3rd day of any month. This is aided by an exe called update.exe that is loaded into memory (update.exe is created by the worm). I haven't fully analysed the worm.

I have just outlined some of the key features which make it deadly.