Pelican Parts
19 years and 17k posts...
 
azasadny's Avatar
 
Join Date: Jul 2002
Location: Dearborn, MI (Southeast Michigan)
Posts: 17,444
New computer worm in the wild...

Be careful and keep your anti-virus updated...

From SANS website:

http://isc.sans.org/diary.php?date=2006-01-24

Handler's Diary January 24th 2006


BlackWorm Summary
Published: 2006-01-24,
Last Updated: 2006-01-25 00:17:00 UTC by Johannes Ullrich (Version: 1)

About BlackWorm

Over the last week, "Blackworm" infected more than 700,000 systems as measured using a counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

At this point, the worm will be detected by up-to-date anti-virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti-virus signatures.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm

Naming
As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be 'CME-24'. cme.mitre.org should shortly list this number.

How would I get infected?
The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.

What will BlackWorm do to my system?
It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.

Removal
Anti-virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":

1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Anti-virus will not detect all viruses, and the removal tool will only remove this specific worm.
2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.

Snort Signatures

Joe Stewart (Lurhq.com) provided the following snort signatures based on his analysis of the worm (for up-to-date rules, see bleedingsnort.org).

This sig alerts if someone visits any counter at webstats.web.rcn.net without a Referer: header in their URL. Could be an infected user, could be one of us checking out the counter stats:

alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:1000376; rev:1;)

This sig alerts on the specific pattern BlackWorm uses to test connectivity to www.microsoft.com. It's unique in that the request doesn't have a User-Agent: header. So this will catch BlackWorm and possibly other automated requests to Microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern - but they should probably be flogged anyway):

alert tcp any any -> any 80 (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; classtype:misc-activity; sid:1000377; rev:1;)


Credits

We would like to thank the members of the TISF BlackWorm task force for analysis and coordination.

The task force emerged from the MWP/DA groups. This task force is now known as the TISF BlackWorm task force. It involves many in the security (anti spam, CERTs, anti virus, academia, ISP's, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally.

Links
Update: http://www.lurhq.com/blackworm.html
www.f-secure.com
http://blogs.securiteam.com
Symantec
Trend Micro

Note: some of these links will offer removal tools. We have not tested any of these tools thoroughly enough to recommend them. They should be used as a "first try" tool, but do not substitute for a full analysis and possible rebuild of the infected system. BlackWorm includes the ability to install additional components. These additional components, if installed, will likely be missed. In addition, a virus like BlackWorm is likely an indication of a more fundamental problem in your security posture and multiple infections are likely.

__________________
Art Zasadny
1974 Porsche 911 Targa "Helga" (Sold, back home in Germany)
Learning the bass guitar
Driving Ford company cars now...
www.ford.com
Old 01-25-2006, 09:41 AM
  Pelican Parts Catalog | Tech Articles | Promos & Specials    Reply With Quote #1 (permalink)
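An added example, not part of the SANS diary and not Joe Stewart's code: the two Snort signatures quoted above written out as plain Python checks over raw HTTP request bytes, so you can see which clause of each rule fires on a given request. The sample requests are constructed for the demo, not captured traffic. The third check (any request to www.microsoft.com that has no User-Agent header at all) is broader than the published rule and is an addition here, not something the diary states.

```python
"""Added example (not from the SANS diary or Lurhq): the two BlackWorm network
patterns described above, re-implemented as plain Python checks over raw HTTP
request bytes. The sample requests below are constructed for this demo."""


# Byte-exact request the second rule (sid 1000377) matches: a bare GET to
# www.microsoft.com with no User-Agent header at all, 92 bytes long.
AGENTLESS_MS_PROBE = (
    b"GET / HTTP/1.1\r\n"
    b"Host: www.microsoft.com\r\n"
    b"Connection: Keep-Alive\r\n"
    b"Cache-Control: no-cache\r\n"
    b"\r\n"
)
assert len(AGENTLESS_MS_PROBE) == 92  # same value as the rule's dsize:92

# Constructed sample traffic: worm-like requests and legitimate ones.
SAMPLES = {
    "worm_counter": (b"GET /cgi-bin/Count.cgi?df=example.dat&dd=A HTTP/1.1\r\n"
                     b"Host: webstats.web.rcn.net\r\n\r\n"),
    "human_counter": (b"GET /cgi-bin/Count.cgi?df=example.dat HTTP/1.1\r\n"
                      b"Host: webstats.web.rcn.net\r\n"
                      b"Referer: http://example.org/stats.html\r\n\r\n"),
    "worm_probe": AGENTLESS_MS_PROBE,
    # Same idea as the worm probe but a different header set: the exact-bytes
    # rule misses it, the broader header-based check below does not.
    "probe_variant": (b"GET / HTTP/1.1\r\n"
                      b"Host: www.microsoft.com\r\n"
                      b"Connection: close\r\n\r\n"),
    "browser_probe": (b"GET / HTTP/1.1\r\n"
                      b"Host: www.microsoft.com\r\n"
                      b"User-Agent: Mozilla/4.0 (compatible; MSIE 6.0)\r\n"
                      b"Connection: Keep-Alive\r\n\r\n"),
}


def headers(payload: bytes) -> dict:
    """Map of lower-cased header name -> value for the request head."""
    head = payload.split(b"\r\n\r\n", 1)[0]
    out = {}
    for line in head.split(b"\r\n")[1:]:
        name, sep, value = line.partition(b":")
        if sep:
            out[name.strip().lower()] = value.strip()
    return out


def counter_without_referer(payload: bytes) -> bool:
    """sid 1000376, clause for clause. Snort content matches are case-sensitive
    unless the rule adds nocase (the published rule does not), so these are too."""
    return (
        payload[:23] == b"GET /cgi-bin/Count.cgi?"      # content ... depth:23
        and b"df=" in payload                            # content:"df|3d|"
        and b"Host: webstats.web.rcn.net" in payload     # content:"Host|3a 20|..."
        and b"Referer:" not in payload                   # content:!"Referer|3a|"
    )


def agentless_microsoft_probe(payload: bytes) -> bool:
    """sid 1000377: dsize:92 plus the exact request bytes."""
    return len(payload) == 92 and payload == AGENTLESS_MS_PROBE


def microsoft_request_without_user_agent(payload: bytes) -> bool:
    """Broader than the published rule (an addition here): any request whose
    Host is www.microsoft.com and which carries no User-Agent header, with
    header names compared case-insensitively as HTTP requires."""
    hdrs = headers(payload)
    return hdrs.get(b"host") == b"www.microsoft.com" and b"user-agent" not in hdrs


def classify(payload: bytes) -> list:
    """Names of the checks that fire for one request (empty list = clean)."""
    alerts = []
    if counter_without_referer(payload):
        alerts.append("counter-no-referer")
    if agentless_microsoft_probe(payload):
        alerts.append("agentless-microsoft-probe")
    elif microsoft_request_without_user_agent(payload):
        alerts.append("microsoft-request-no-user-agent")
    return alerts


if __name__ == "__main__":
    for label, request in SAMPLES.items():
        print(f"{label:14s} -> {classify(request) or ['clean']}")
```

The exact-bytes check is faithful to the rule and therefore brittle: change one header and it is silent, which is what the "probe_variant" sample shows. The header-based check trades a few false positives (any agentless client hitting that host) for catching variants; which one you deploy depends on how much of that noise your analysts can absorb.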
Registered
 
Join Date: Oct 2004
Posts: 7,793
I cannot figure out why people spend their time coming up with viruses and worms that gain them nothing and just spread misery amongst the computer using public...get a life!!
__________________
Rick

1984 911 coupe
Old 01-25-2006, 09:46 AM
Too big to fail
 
widebody911's Avatar
 
Join Date: Jan 2002
Location: Carmichael, CA
Posts: 33,894
Quote:
Originally posted by Nathans_Dad
I cannot figure out why people spend their time coming up with viruses and worms that gain them nothing and just spread misery amongst the computer using public...get a life!!
Actually, not all worms and viruses 'gain them nothing.'

There are two primary types of worm objectives. The first is the 'net equivalent of spray-painting your name on freeway overpasses - to gather as much notoriety and street cred in the hacker community as possible.

The second is more insidious. These actually install spam-generation engines, keyloggers and other malware. A good percentage of spam is generated on the home PCs of clueless DSL users. There are also millions of PCs infected with zombieware waiting to be awakened at a later date. These are the most worrisome worms, and also the quietest - they want to stay off the radar as long as possible.

Once the worm writer has built up street cred, he rents the worm to spammers and who knows who else.
__________________
"You go to the track with the Porsche you have, not the Porsche you wish you had."
'03 E46 M3
'57 356A
Various VWs
Old 01-25-2006, 10:27 AM
Registered
 
Join Date: Oct 2004
Posts: 7,793
Well, it's still sad that we have to get friggin virus updates every few weeks just to be able to check our e-mail and not fear some hacker sitting in his basement with a box full of twinkies and a grudge against society...
__________________
Rick

1984 911 coupe
Old 01-25-2006, 10:34 AM
Too big to fail
 
widebody911's Avatar
 
Join Date: Jan 2002
Location: Carmichael, CA
Posts: 33,894
Quote:
Originally posted by Nathans_Dad
Well, it's still sad that we have to get friggin virus updates every few weeks just to be able to check our e-mail and not fear some hacker sitting in his basement with a box full of twinkies and a grudge against society...
Blame Microsoft for putting out such an intrinsically weak OS.
__________________
"You go to the track with the Porsche you have, not the Porsche you wish you had."
'03 E46 M3
'57 356A
Various VWs
Old 01-25-2006, 10:36 AM
Registered
 
id10t's Avatar
 
Join Date: Mar 2003
Posts: 10,353
widebody911 has it spot on. Permanent fixes available here for money outlay (hardware) or here free of charge and with Freedom
__________________
“IN MY EXPERIENCE, SUSAN, WITHIN THEIR HEADS TOO MANY HUMANS SPEND A LOT OF TIME IN THE MIDDLE OF WARS THAT HAPPENED CENTURIES AGO.”
Old 01-25-2006, 12:42 PM
 
Registered
 
kach22i's Avatar
 
Join Date: Mar 2004
Location: Michigan
Posts: 53,989
Quote:
Originally posted by id10t
widebody911 has it spot on. Permanent fixes available here for money outlay (hardware) or here free of charge and with Freedom
Quote:
Debian is a free operating system (OS) for your computer. An operating system is the set of basic programs and utilities that make your computer run. Debian uses the Linux kernel (the core of an operating system), but most of the basic OS tools come from the GNU project; hence the name GNU/Linux.
The guy down the hall had a Linux operating system for a while - it got all messed up by a worm or virus, he lost everything. Nothing is bullet proof; he is back on Microsoft again.
__________________
1977 911S Targa 2.7L (CIS) Silver/Black
2012 Infiniti G37X Coupe (AWD) 3.7L Black on Black
1989 modified Scat II HP Hovercraft
George, Architect
Old 01-25-2006, 12:56 PM
Too big to fail
 
widebody911's Avatar
 
Join Date: Jan 2002
Location: Carmichael, CA
Posts: 33,894
Quote:
Originally posted by kach22i
The guy down the hall had a Linux operating system for a while - it got all messed up by a worm or virus, he lost everything. Nothing is bullet proof; he is back on Microsoft again.
Dollars to donuts sez it was pilot error.
__________________
"You go to the track with the Porsche you have, not the Porsche you wish you had."
'03 E46 M3
'57 356A
Various VWs
Old 01-25-2006, 01:19 PM
Registered
 
kach22i's Avatar
 
Join Date: Mar 2004
Location: Michigan
Posts: 53,989
Quote:
Originally posted by widebody911
Dollars to donuts sez it was pilot error.
Naw, he was in artillery in Vietnam - his head rings all the time - really sad.

I suspect it had something to do with a really fast Internet connection - just allows you to get into trouble quicker.
__________________
1977 911S Targa 2.7L (CIS) Silver/Black
2012 Infiniti G37X Coupe (AWD) 3.7L Black on Black
1989 modified Scat II HP Hovercraft
George, Architect
Old 01-25-2006, 01:23 PM
Registered
 
techweenie's Avatar
 
Join Date: Jul 2000
Location: West L.A.
Posts: 21,035
Quote:
Originally posted by kach22i
The guy down the hall had a Linux operating system for a while - it got all messed up by a worm or virus, he lost everything. Nothing is bullet proof; he is back on Microsoft again.
Very unlikely. There are almost no successful Linux viruses.

A hard drive developing a bad sector could produce an effect a user could potentially confuse with a virus.

But your friend down the hall went from a very safe OS to the most vulnerable in the world.

I've never understood why people put up with Windows, an operating system with all the security of swiss cheese.
__________________
techweenie | techweenie.com
Marketing Consultant (expensive!)
1969 coupe hot rod
2016 Tesla Model S dd/parts fetcher
Old 01-25-2006, 04:15 PM
Registered
 
kach22i's Avatar
 
Join Date: Mar 2004
Location: Michigan
Posts: 53,989
PC-Cillin Trend Micro

I've had since 2000 the anti-virus program PC-Cillin Trend Micro.

I'm about to upgrade to PC-cillin Internet Security 2006 - MULTI USER RENEWAL as I've been told over the phone that the older versions (2000 and 2002) are no longer supported/upgradable. For my three networked computers, $40.

Problem I had two years ago is that it messed up or I messed up the "REGISTRY" on one of my computers, and had to get it fixed.

I wish to avoid registry problems this time around. Besides backing everything up, what precautions should I take...........and how do I back up my registry?

Any other anti-virus suggestions are welcomed, not married to this company.
__________________
1977 911S Targa 2.7L (CIS) Silver/Black
2012 Infiniti G37X Coupe (AWD) 3.7L Black on Black
1989 modified Scat II HP Hovercraft
George, Architect

Last edited by kach22i; 01-26-2006 at 07:21 AM..
Old 01-26-2006, 07:18 AM
Registered
 
MichiganMat's Avatar
 
Join Date: Apr 2003
Location: Bay Area, CA
Posts: 4,271
Kach-

I believe you're looking for "regedit" to perform registry backups. If you don't want problems with your reg, don't use the machine. It's happened to the best of us.
__________________
'75 911S 3.0L
'75 914 3.2 Honda J
'67 912R-STi
'05 Cayenne Turbo
'99 LR Disco 2, gone but not forgotten
Old 01-26-2006, 07:38 AM
 
Registered
 
kach22i's Avatar
 
Join Date: Mar 2004
Location: Michigan
Posts: 53,989
Quote:
Originally posted by MichiganMat
I believe you're looking for "regedit" to perform registry backups.
What is regedit, how do I find it, how do I use it?

I did not know what a "registry" was when I had the problem, no one explained it to me, and I'm still fuzzy on it.

Is the registry on my "C" drive?
__________________
1977 911S Targa 2.7L (CIS) Silver/Black
2012 Infiniti G37X Coupe (AWD) 3.7L Black on Black
1989 modified Scat II HP Hovercraft
George, Architect
Old 01-26-2006, 07:43 AM
Too big to fail
 
widebody911's Avatar
 
Join Date: Jan 2002
Location: Carmichael, CA
Posts: 33,894
(Kach - your inbox is full)

Here's the various PC stuff I use - had great luck with it, and it's free.

http://www.rennlight.com/prog/

The most important thing is to distrust everything. Don't click on that tempting attachment from your Aunt Edith unless you're absolutely sure you know what it is.

Install this stuff, or PayWay equivalents, disable file extension hiding, don't use IE for your browser, don't use Outlook for email, and you're 3/4-way there.
__________________
"You go to the track with the Porsche you have, not the Porsche you wish you had."
'03 E46 M3
'57 356A
Various VWs
Old 01-26-2006, 07:47 AM
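An added example, not from the post above or from any of the tools it links: why "disable file extension hiding" is on the list. The code approximates what a user sees when Windows hides the last extension of an attachment name, then flags names that lean on that behaviour by stacking a document or picture extension in front of an executable one, or by padding the name with spaces so the real extension scrolls out of view. Windows actually hides only extensions that are registered "known types"; this demo simplifies that to "the last extension, if any". The sample attachment names are constructed, not taken from the worm.

```python
"""Added example (not from the forum post): the effect of 'hide extensions for
known file types' on an attachment name, and a check for names that exploit it.
Approximation: the real Explorer behaviour depends on the registered types list;
here the last extension of any name is the one that gets hidden.
All sample names are constructed for the demo."""

# Extensions Windows will execute directly when the attachment is opened.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}
# Extensions a user would read as a harmless document or picture.
DOCUMENT_EXTS = {"doc", "xls", "ppt", "pdf", "zip", "rar", "jpg", "gif", "txt", "mpg", "avi"}


def split_ext(name: str):
    """('report', 'doc') for 'report.doc'; ('readme', '') when there is no dot."""
    base, dot, ext = name.rpartition(".")
    return (base, ext.lower()) if dot else (name, "")


def displayed_name(name: str) -> str:
    """What the user sees with extension hiding on (approximation, see above)."""
    base, ext = split_ext(name)
    return base if ext else name


def check_attachment(name: str) -> dict:
    """Report the visible name, the real extension, whether it executes, and
    whether the visible part is engineered to look like a document. A name is
    'disguised' when the real extension is executable and either the visible
    part ends in a document extension or it has been padded with spaces."""
    base, ext = split_ext(name)
    executable = ext in EXECUTABLE_EXTS
    shown = displayed_name(name)
    _, inner_ext = split_ext(shown.rstrip())
    padded = shown != shown.rstrip()
    disguised = executable and (inner_ext in DOCUMENT_EXTS or padded)
    return {"shown_as": shown, "real_ext": ext,
            "executable": executable, "disguised": disguised}


def suspicious(names) -> list:
    """Subset of attachment names that should be quarantined on this heuristic."""
    return [n for n in names if check_attachment(n)["disguised"]]


# Constructed sample attachment names.
SAMPLE_ATTACHMENTS = [
    "party photos.jpg.exe",              # displayed as 'party photos.jpg'
    "invoice.pdf" + " " * 30 + ".scr",   # spaces push '.scr' off the visible width
    "setup.exe",                         # honest executable, displayed as 'setup'
    "report.doc",                        # ordinary document
    "Attachments00.zip",                 # ordinary archive
]

if __name__ == "__main__":
    for name in SAMPLE_ATTACHMENTS:
        print(repr(name), "->", check_attachment(name))
```

With extension hiding turned off the first two names show their real ".exe" and ".scr" endings, which is the whole point of the advice; the check above is what a mail gateway would do on the user's behalf when that setting cannot be relied on.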
Registered
 
MichiganMat's Avatar
 
Join Date: Apr 2003
Location: Bay Area, CA
Posts: 4,271
The "registry" is the central library of information for all the apps, drivers, and etc on your system. When one app wants to find another to exchange information or launch it, it goes to the registry. When a device is added to the system and a driver needs to be loaded, it goes to the registry. When an app wants to save its position when it closes, it saves it to the registry.

In short, it's the heart of the beast, and it's all in one, easily corruptible, location. Mac uses a slightly different approach by using a registry only for devices and then giving individual prefs files to each application on the system. Much safer, simpler, etc etc etc.
__________________
'75 911S 3.0L
'75 914 3.2 Honda J
'67 912R-STi
'05 Cayenne Turbo
'99 LR Disco 2, gone but not forgotten
Old 01-26-2006, 08:06 AM
Registered
 
kach22i's Avatar
 
Join Date: Mar 2004
Location: Michigan
Posts: 53,989
Quote:
Originally posted by widebody911
http://www.rennlight.com/prog/
Quote:
# CrapCleaner - general purpose PC cleanup
# AdAware - removes spyware
# AntiVirus - anti-virus program
# SpyBot - removes spyware
# WinMX - download music and stuff
# PiePatch - Patch for WinMX (required)
# ZoneAlarm - keeps other computers from getting into yours
# FireFox - web browser
I installed just last month:


# AdAware - removes spyware

&

# SpyBot - removes spyware

With good results.........................did speed things up for me.


MichiganMat, thanks for the description - best I've been exposed to yet.

Note: PC-Cillin 2006 can be supported by older operating systems such as MS Windows 98 SE..............the other shoe in this story.

http://www.trendmicro.com/en/products/desktop/pc-cillin/evaluate/requirements.htm
__________________
1977 911S Targa 2.7L (CIS) Silver/Black
2012 Infiniti G37X Coupe (AWD) 3.7L Black on Black
1989 modified Scat II HP Hovercraft
George, Architect
Old 01-26-2006, 08:15 AM
Registered
 
mikester's Avatar
 
Join Date: Mar 2002
Location: My House
Posts: 5,345
Quote:
Originally posted by widebody911
Blame Microsoft for putting out such an intrinsically weak OS.
Dude, you're dead wrong and perpetuating something that doesn't help. Users need to be masters of their own computers (At home) and domain admins need to take control of their networks.

Okay, Here's the Disclaimer; I'm a 100% UNIX fanatic. I use Windows when I have to and that is only on my desktop at home or my laptop. But in my real work environment I choose UNIX for functionality.

Now here is where the true blame lies; it lies on the user for thinking that if you leave all the doors open nobody will try to come in.

Windows is not intrinsically weak; its default settings are. That's the user's fault too. When you go home at night you lock your doors but on your PC you leave them all open and leave services you'd never use turned on and beaconing - "Here I AM!"

People need to either learn to configure their computers or pay someone to do it for them or put a firewall on their network.

My philosophy is "default deny." I investigate my network to see which ports/protocols I need to operate and then I close everything else down by turning it off at the server, blocking it with a firewall software at the server and access-listing it out of my network on the routers and firewalls.

Granted, I'm a pro - but I don't blame Microsoft because they aren't the only ones with the problem. Try doing a bare bones install of Redhat and see how many services you said *NOT* to install get installed and turned on anyway. Solaris is the same way. It's this default "plug-and-play" mentality people NEED to buy a product that is the cause - it's the USERS.

Just once, any machine out there run Nmap against it - MAC, UNIX, Windows just check. You'll see how many extra services are on that machine listening.

People are lazy and that's why Virii on Windows are so prevalent - the users wanted an OS that read their minds...making something that integrated though means it will be exposed to unintended purposes.

Default Deny should be the rule.
__________________
-The Mikester

I heart Boobies
Old 01-26-2006, 09:01 AM
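An added example, not mikester's code: the "default deny" audit he describes, done against the machine's own list of listening sockets instead of an external Nmap scan. It parses `netstat -an` output in the Windows column layout and reports every listener that is not on an explicit allow-list. The netstat text and the allow-list (only Remote Desktop wanted) are constructed for the demo, not taken from a real host.

```python
"""Added example (not from the forum post): a 'default deny' listener audit.
Parses `netstat -an` output (Windows column layout) and reports every bound
socket that is not on an explicit allow-list. The netstat text below is
constructed for this demo, not taken from a real host."""

# Constructed sample of `netstat -an` output (Windows layout).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1042      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:1900           *:*
  UDP    127.0.0.1:1026         *:*
"""

# Hypothetical policy for the demo: the only service this host should offer.
ALLOW = {("TCP", 3389)}


def parse_netstat(text: str) -> list:
    """Return (proto, local_addr, local_port, state) tuples; non-socket lines
    (banner, column header, blanks) are skipped. UDP rows have no State column."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local = parts[0], parts[1]
        state = parts[3] if len(parts) > 3 else ""
        addr, _, port = local.rpartition(":")        # rpartition keeps IPv6 intact
        records.append((proto, addr.strip("[]"), int(port), state))
    return records


def listeners(records, include_loopback: bool = False) -> list:
    """Sockets that can receive from the network: TCP in LISTENING state and
    every bound UDP socket. Loopback-only binds are dropped by default because
    nothing off the box can reach them."""
    found = set()
    for proto, addr, port, state in records:
        if proto == "TCP" and state != "LISTENING":
            continue
        if not include_loopback and addr in ("127.0.0.1", "::1"):
            continue
        found.add((proto, port))
    return sorted(found)


def audit(records, allow) -> list:
    """Default deny: everything listening that the policy did not ask for."""
    return [item for item in listeners(records) if item not in allow]


if __name__ == "__main__":
    for proto, port in audit(parse_netstat(SAMPLE_NETSTAT), ALLOW):
        print(f"unexpected listener: {proto}/{port}")
```

Run against the sample, the audit flags 135/tcp, 445/tcp, 137/udp and 1900/udp; the ESTABLISHED client connection and the loopback-only ports are not reported. This is the inside view of what an Nmap scan from another host would see, minus anything a host firewall in front of those sockets already blocks, so the two checks complement rather than replace each other.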
Registered
 
kach22i's Avatar
 
Join Date: Mar 2004
Location: Michigan
Posts: 53,989
Blackworm-Day: Feb 3

Has anyone been hit with the Blackworm today?

How would you know? From what I read it would overwrite "text messages" and "zip" files.

Update:
http://www.lurhq.com/blackworm.html

I can't seem to find it here:
http://www.trendmicro.com/vinfo/default.asp?advis=more&sort=date&order=desc

I'm not sure what "malware" versus "spyware" is.

Microsoft is no longer supporting the old operating system "Windows 98 SE"; patches and downloads will no longer be updated as of last month. Does anyone know if there is a third party vendor still doing support for Windows 98 SE?

I have updated to Trend Micro's PC-Cillin 2006, have "Spybot" and AD-Aware".......................am I in good shape for now?

I don't want to load too much stuff on my computer, I've read that some of these programs can conflict with each other.

Cheers all.
__________________
1977 911S Targa 2.7L (CIS) Silver/Black
2012 Infiniti G37X Coupe (AWD) 3.7L Black on Black
1989 modified Scat II HP Hovercraft
George, Architect
Old 02-03-2006, 06:28 AM
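An added example, not from the post above or from SANS: one concrete answer to "how would you know?". The SANS diary quoted in the first post lists the file types the worm overwrites and the error string it writes into them, so a scan for files of those types whose content begins with that string tells you whether the payload fired on a given machine or share. The diary does not state how large an overwritten file ends up, so only the leading bytes are compared. The directory tree the demo scans is constructed in a temporary folder and removed afterwards.

```python
"""Added example (not from the forum post or the SANS diary): triage scan for
files damaged by the February 3rd payload. For the file types the diary lists,
report files whose content begins with the error string the diary quotes.
The demo tree is constructed in a temp directory; nothing on the page says how
long an overwritten file is, so only the leading bytes are checked."""
import os
import shutil
import tempfile

# File types and overwrite marker, both as given in the SANS diary.
TARGET_EXTENSIONS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
                     ".rar", ".pdf", ".psd", ".dmp", ".zip"}
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def starts_with_marker(path: str) -> bool:
    """True when the file's first bytes are the overwrite string."""
    with open(path, "rb") as fh:
        return fh.read(len(MARKER)) == MARKER


def find_overwritten(root: str) -> list:
    """Walk root and return, as sorted root-relative POSIX paths, every file of a
    targeted type that begins with the marker. Extension matching is
    case-insensitive because Windows filenames are."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() not in TARGET_EXTENSIONS:
                continue
            path = os.path.join(dirpath, name)
            if starts_with_marker(path):
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)


def build_demo_tree() -> str:
    """Constructed sample: two destroyed files, two intact ones, one non-target."""
    root = tempfile.mkdtemp(prefix="blackworm-triage-")
    samples = {
        "report.doc": MARKER,                                          # overwritten
        "sub/photos.zip": MARKER,                                      # overwritten, nested
        "budget.xls": b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\x00" * 24,  # intact OLE2 header
        "archive.ZIP": b"PK\x03\x04" + b"\x00" * 26,                   # intact zip header
        "notes.txt": MARKER,                                           # not a targeted type
    }
    for rel, data in samples.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    return root


def run_demo() -> list:
    """Build the sample tree, scan it, clean up, return the hit list."""
    root = build_demo_tree()
    try:
        return find_overwritten(root)
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for hit in run_demo():
        print("overwritten:", hit)
```

A hit list tells you which documents are gone, not how to get them back; per the diary, recovery is restoring from backup, and a machine that produced any hits should be treated as infected and rebuilt rather than just cleaned. Point `find_overwritten` at a file server's share roots to cover the shared folders the worm spreads through as well as local disks.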
Registered
 
nostatic's Avatar
 
Join Date: Sep 2001
Location: SoCal
Posts: 30,318
os x

if ms ships their os with "weak" settings, then it is MS's fault. But the os is pretty flawed too...
Old 02-03-2006, 06:57 AM
Too big to fail
 
widebody911's Avatar
 
Join Date: Jan 2002
Location: Carmichael, CA
Posts: 33,894
Quote:
Originally posted by mikester
Windows is not intrinsically weak; its default settings are.

That's like saying a stock 1950 VW bug is not intrinsically slow, it's because the user hasn't installed a 3L turbo engine in it.

Quote:
That's the user's fault too. When you go home at night you lock your doors but on your PC you leave them all open and leave services you'd never use turned on and beaconing - "Here I AM!"

Back to the 'intrinsically' bit. Windows' default model is 'leave every port open and every service running, and it's up to the user to figure it out before they get r00ted'. The average user wouldn't know a 'service' or a 'port' if you dropped it on their toe, in much the same way that an infant wouldn't know to close and lock the doors in the house.

Quote:
People need to either learn to configure their computers or pay someone to do it for them or put a firewall on their network.

Again, most PC owners are IT infants. Your expectation of a new PC user being able to secure her machine is about as realistic as that of a new car owner being able to rebuild her transmission.

Quote:
I investigate my network to see which ports/protocols I need to operate and then I close everything else down by turning it off at the server, blocking it with a firewall software at the server and access-listing it out of my network on the routers and firewalls.

That's great, but I'm guessing you didn't just bring home your first computer from the mall last night, sitting there wondering why the cupholder won't close now.

Quote:
Granted, I'm a pro - but I don't blame Microsoft because they aren't the only ones with the problem. Try doing a bare bones install of Redhat and see how many services you said *NOT* to install get installed and turned on anyway.

I can't count the number of media-level installs of RedHat I've done. The only way you're going to get into a virgin box is via ssh or on the console. xinetd, telnetd, rshd and vsftpd/wuftpd, etc. won't get installed unless you specifically asked for them to, and then chkconfig'd them on.

Quote:
Solaris is the same way,

They've changed a lot of that with Solaris 10.

Back to the Windows weaknesses: there are fundamental flaws in both the structure of the OS and the implementation philosophies that have led to the mess we have today. Apart from having every frickin' port and service turned on, there are so many holes in the service daemons and the end-user apps that once something does come port sniffing, it's all over. It's not so much that the doors are open, but all of the walls of the house are set up to fall like dominoes.

To their credit, MS is finally getting around to fixing some of them, but it's too little, too late, and too slow.

__________________
"You go to the track with the Porsche you have, not the Porsche you wish you had."
'03 E46 M3
'57 356A
Various VWs
Old 02-03-2006, 07:12 AM
Powered by vBulletin® Version 3.8.7
Copyright ©2000 - 2025, vBulletin Solutions, Inc.
Copyright 2025 Pelican Parts, LLC - Posts may be archived for display on the Pelican Parts Website