
CME-24 (aka BlackWorm Hostile Payload Scheduled to Activate Feb 3)

[Image: black_bald.jpg]
Yesterday "CME-24" was assigned to the BlackWorm. Over the last week, the BlackWorm has infected more than 700,000 systems, according to a counter web site the worm uses to track itself. The number this evening is near 2M. This worm is different from, and more serious than, other worms for a number of reasons. In particular, it will overwrite a user's files on the 3rd of each month. The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]'). That should get your attention. When did you last back up your Redmond-issue etch-a-sketch?
"There are two types of computer users in the world...those that have lost data, and those that are going to."
Bill Hassell, circa 1972
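A triage scanner for the payload described above, added here as an example and not code from the original post: it walks a directory tree and flags files of the listed types whose contents begin with the 'DATA Error' marker, i.e. files already destroyed that must come back from backup. It assumes the marker sits at the start of the overwritten file; the sample tree it builds is constructed test data.

```python
import os
import tempfile
from pathlib import Path

# Marker text the post says the worm writes over each victim file.
# That it appears at the start of the file is an assumption made here.
OVERWRITE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions the post lists as targets of the 3rd-of-the-month payload.
TARGET_EXTENSIONS = {
    ".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
    ".rar", ".pdf", ".psd", ".dmp", ".zip",
}


def is_overwritten(path):
    """True if the file's leading bytes are the worm's overwrite marker."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(OVERWRITE_MARKER))
    except OSError:
        return False
    return head == OVERWRITE_MARKER


def find_overwritten_files(root):
    """Return sorted paths under `root` of targeted-type files carrying the marker."""
    hits = []
    for dirpath, _dirnames, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            if Path(name).suffix.lower() in TARGET_EXTENSIONS and is_overwritten(path):
                hits.append(path)
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: two damaged files, one intact file, and a
    marker inside a non-targeted type that must be ignored."""
    os.makedirs(os.path.join(root, "sub"), exist_ok=True)
    samples = {
        "report.DOC": OVERWRITE_MARKER,
        os.path.join("sub", "budget.xls"): OVERWRITE_MARKER + b"\r\n",
        "intact.pdf": b"%PDF-1.4 untouched content",
        "notes.txt": OVERWRITE_MARKER,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)


def demo_scan():
    """Scan the constructed tree; return hits as POSIX paths relative to it."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [Path(h).relative_to(tmp).as_posix() for h in find_overwritten_files(tmp)]


if __name__ == "__main__":
    for hit in demo_scan():
        print("overwritten:", hit)
```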

Mental retardation is not limited to the inner circle of the Bush Regime. Every company in the anti-viral industry has given this worm a handle, hence the need for a "Common Malware Enumeration" value. The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop. It will then disable most anti-virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will also add itself to the list of auto-start programs in your registry. However, before you call "help", call your Senator and explain that there is no choice concerning Choice. If you live in Pennsylvania you get the privilege of an extra call to Bob Casey, and the same text you use for Specter and Santorum is good enough for Casey.

Here are your AV contacts (each vendor's name for the worm):

  • F-Secure: Nyxem.E
  • Grisoft: Worm/Generic.FX
  • H+BEDV: Worm/KillAV.GR
  • Kaspersky: Email-Worm.Win32.Nyxem.e (recommended for the quality of their exposition)
  • McAfee: W32/MyWife.d@MM
  • Norman: W32/Small.KI
  • Panda: W32/Tearec.A.worm
  • Sophos: W32/Nyxem-D
  • Symantec: W32.Blackmal.E@mm
  • TrendMicro: WORM_GREW.A
  • And then there is Microsoft.

I'll provide updates if there is any interest. If the worm's author had any sense s/he'd have made the payload active around 1 April, and caught lotsa tax returns in prep while looking like a weenie joke. In the network operational community we're catching the infected boxen that report to the known tick boxes and sending the infected address lists back to the ISPs (grouped by the ISP's ASN), in the belief that the ISPs (and ASPs and corporate operators) will do the right thing. Ha!

I was on the phone for three-quarters of an hour today taking a call from a reporter from the WSJ and only about 60 seconds was on CME-24. I'm partial to the Blackadder series, hence the slightly associative image.

