Thursday, February 02, 2006

Are You Protected?


by LURHQ Threat Intelligence Group


Release Date
January 24, 2006

The email worm known as BlackWorm/Nyxem/Blackmal/Blueworm/Grew is scheduled to delete (actually overwrite with a small text message) files of certain types on Feb 3, 2006.

We have been tracking the worldwide infections of this worm by means of the web statistics counter to which the worm reports each infection. Currently it is at 679,000, but the rate has tapered off in the last day or so. Even though this seems like a large number, as email viruses go it is not a major threat in terms of email volume. The real threat posed by this worm is the overwriting of files, which is scheduled to occur on February 3, 2006. The file types in question are DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.

Update: January 26, 2006 - Additional analysis has shown the actual infection count to be closer to 300,000 worldwide.

More information about the functions performed by this worm can be found at:


At this time we have seen almost no infections across our customer base using our IDS platform and these signatures. Networks which utilize up-to-date desktop antivirus on all machines should experience no problems; however, the worm does attempt to disable AV and security software, so advising users to test that their AV still runs may also be in order. If the AV refuses to run, it may be an indication of infection by this or another worm.

It is important to note that although the worm enters a network as an email attachment, once a machine is infected it will attempt to copy itself to open MS network C$ or ADMIN$ shares as WINZIP_TMP.exe, so machines without email access could still be affected. If you have any of these shares open on your network, searching the shares for this file name is a good way to tell whether anyone has been infected.
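The two checks described above, the search of share roots for WINZIP_TMP.exe and an inventory of the file types the worm is scheduled to overwrite, can be scripted so that a share can be triaged in one pass and at-risk files backed up before February 3. The script below is an added example and is not LURHQ's code; the share paths passed to it and the constructed demo share are assumptions for illustration. Run it against mounted share roots (e.g. a mapped drive letter or a UNC path) to list the indicator file and count at-risk files by extension.

```python
import os
import tempfile
from pathlib import Path

# File name the worm uses when it copies itself to a share root (matched case-insensitively).
INDICATOR_NAME = "WINZIP_TMP.EXE"

# Extensions the advisory lists as targets of the February 3 overwrite.
AT_RISK_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def find_indicator(share_root):
    """Return paths named WINZIP_TMP.exe directly under the share root.

    The worm drops its copy at the root of the share, so only the top level is
    checked here; an unreadable or missing share yields an empty list.
    """
    root = Path(share_root)
    hits = []
    try:
        entries = list(root.iterdir())
    except OSError:
        return hits
    for entry in entries:
        if entry.is_file() and entry.name.upper() == INDICATOR_NAME:
            hits.append(str(entry))
    return hits


def count_at_risk(share_root):
    """Walk the whole share and count files whose extension is on the worm's list."""
    counts = {}
    for dirpath, _dirnames, filenames in os.walk(share_root):
        for name in filenames:
            ext = os.path.splitext(name)[1].lower()
            if ext in AT_RISK_EXTS:
                counts[ext] = counts.get(ext, 0) + 1
    return counts


def scan_shares(share_roots):
    """Run both checks over each share root and return the findings keyed by root."""
    return {root: {"indicator": find_indicator(root),
                   "at_risk": count_at_risk(root)}
            for root in share_roots}


def build_demo_share():
    """Create a constructed share tree (assumed data, not a real infection) for a dry run."""
    root = tempfile.mkdtemp(prefix="demo_share_")
    # Lower-case name to show the match is case-insensitive.
    Path(root, "winzip_tmp.exe").write_bytes(b"constructed placeholder, not malware")
    Path(root, "report.doc").write_text("quarterly report")
    Path(root, "invoice.pdf").write_text("invoice")
    Path(root, "notes.txt").write_text("not an at-risk type")
    sub = Path(root, "archive")
    sub.mkdir()
    Path(sub, "old.PDF").write_text("upper-case extension still counts")
    return root


if __name__ == "__main__":
    demo_root = build_demo_share()
    for share, findings in scan_shares([demo_root]).items():
        print(f"Share: {share}")
        print(f"  indicator files : {findings['indicator'] or 'none'}")
        print(f"  at-risk files   : {findings['at_risk']}")
```

A hit in the indicator list means a host on the network has already run the worm and reached that share; the at-risk counts show how much would be lost on February 3 if those files are not backed up in time.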


posted by David at 2:53 PM :: Permalink ::
