azasadny
Join Date: Jul 2002
Location: Dearborn, MI (Southeast Michigan)
Posts: 17,444
New computer worm in the wild...

Be careful and keep your anti-virus updated...

From SANS website:

http://isc.sans.org/diary.php?date=2006-01-24

Handler's Diary January 24th 2006


BlackWorm Summary
Published: 2006-01-24,
Last Updated: 2006-01-25 00:17:00 UTC by Johannes Ullrich (Version: 1)

About BlackWorm

Over the last week, "Blackworm" infected more than 700,000 systems as measured using a counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.

At this point, the worm will be detected by up to date anti virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti virus signatures.

The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').

We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is critical as a first step.

The first thing you should do is to update your anti virus signatures.

This page will be updated as new information becomes available. Please see the end of the page for references to other sites. Use only this url to link to this page: http://isc.sans.org/blackworm
Naming
As usual, this worm/virus has collected a number of names from various vendors. It is so far known as: Blackmal, Nyxem, MyWife, Tearec among other names. Update: we have been informed that the CME number will be 'CME-24'. cme.mitre.org should shortly list this number.

How would I get infected?
The worm spreads via e-mail attachments or file shares. Once a system in your network is infected, it will try to infect all shared file systems it has access to. You may see a new "zip file" icon on your desktop.

What will BlackWorm do to my system?
It will disable most anti virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.

Removal
Anti virus vendors offer removal tools. Microsoft provides detailed instructions for manual removal. However, there are two important reasons to rebuild "from scratch":

1. BlackWorm uses the same tricks to install itself as other viruses/worms. It may not be the only one on your system. Antivirus will not detect all viruses, and the removal tool will only remove this specific worm.
2. BlackWorm will allow remote access to your system, and additional malware may have been installed via this backdoor.

Snort Signatures

Joe Stewart (Lurhq.com) provided the following snort signatures based on his analysis of the worm:
(for up to date rules, see bleedingsnort.org.)

This sig alerts if someone visits any counter at webstats.web.rcn.net without a Referrer: header in their URL. Could be an infected user, could be one of us checking out the counter stats:

alert tcp any any -> any 80 (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; classtype:misc-activity; sid:1000376; rev:1;)

This sig alerts on the specific pattern BlackWorm uses to test connectivity to www.microsoft.com. It's unique in that the request doesn't have a User-agent: header. So this will catch BlackWorm and possibly other automated requests to microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern - but they should probably be flogged anyway):

alert tcp any any -> any 80 (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; dsize:92; content:"GET / HTTP/1.1|0d0a|Host|3a20|www.microsoft.com|0d0a|Connection|3a20|Keep-Alive|0d0a|Cache-Control|3a20|no-cache|0d0a0d0a|"; classtype:misc-activity; sid:1000377; rev:1;)


Credits

We would like to thank the members of the TISF BlackWorm task force for analysis and coordination.

The task force emerged from the MWP/DA groups. This task force is now known as the TISF BlackWorm task force. It involves many in the security (anti spam, CERTs, anti virus, academia, ISP's, etc.) community and industry, working together to combat threats to the security of the Internet in cooperation with law enforcement globally.

Links
Update: http://www.lurhq.com/blackworm.html
www.f-secure.com
http://blogs.securiteam.com
Symantec
Trend Micro

Note: some of these links will offer removal tools. We have not tested any of these tools thoroughly enough to recommend them. They should be used as a "first try" tool, but do not substitute for a full analysis and possible rebuild of the infected system. BlackWorm includes the ability to install additional components. These additional components, if installed, will likely be missed. In addition, a virus like BlackWorm is likely an indication of a more fundamental problem in your security posture and multiple infections are likely.
__________________
Art Zasadny
1974 Porsche 911 Targa "Helga" (Sold, back home in Germany)
Learning the bass guitar
Driving Ford company cars now...
www.ford.com
Old 01-25-2006, 10:41 AM
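The two Snort signatures quoted in the post express simple conditions on a raw HTTP request; the script below is an added example (not part of the forum post, the ISC diary, or Joe Stewart's rules) that re-implements those conditions in Python so they can be tried against captured requests or proxy logs offline. The sample requests are constructed, the counter id `df=0000000` is a placeholder, and header-name matching is case-insensitive here, which is slightly broader than the Snort rule (whose `content:!"Referer|3a|"` is case-sensitive without `nocase`).

```python
from typing import Dict, Optional, Tuple

CRLF = b"\r\n"

# The exact 92-byte payload that sid:1000377 matches (dsize:92 plus the full
# request as content). Built from the hex-escaped content in the rule.
AGENTLESS_MS_PROBE = (
    b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\n"
    b"Connection: Keep-Alive\r\nCache-Control: no-cache\r\n\r\n"
)


def parse_request(raw: bytes) -> Tuple[bytes, Dict[bytes, bytes]]:
    """Split a raw HTTP/1.x request into (request line, lower-cased header map)."""
    head = raw.split(CRLF + CRLF, 1)[0]
    lines = head.split(CRLF)
    headers: Dict[bytes, bytes] = {}
    for line in lines[1:]:
        if b":" in line:
            name, value = line.split(b":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def counter_hit_without_referer(raw: bytes) -> bool:
    """Mirror of sid:1000376: Count.cgi request to the worm's counter host, no Referer."""
    _, headers = parse_request(raw)
    return (
        raw.startswith(b"GET /cgi-bin/Count.cgi?")      # content ... depth:23 (23 bytes)
        and b"df=" in raw                                # content:"df|3d|"
        and headers.get(b"host") == b"webstats.web.rcn.net"
        and b"referer" not in headers                    # content:!"Referer|3a|"
    )


def agentless_microsoft_probe(raw: bytes) -> bool:
    """Mirror of sid:1000377: the fixed 92-byte probe with no User-Agent header."""
    return len(raw) == 92 and raw == AGENTLESS_MS_PROBE


def classify(raw: bytes) -> Optional[str]:
    """Return the alert message a request would raise, or None if neither rule fires."""
    if counter_hit_without_referer(raw):
        return "possible BlackWorm infection: Count.cgi request without referrer"
    if agentless_microsoft_probe(raw):
        return "possible BlackWorm infection: agentless request to www.microsoft.com"
    return None


# Constructed sample traffic (not real captures): two hits and two benign look-alikes.
SAMPLES = {
    "worm_counter": b"GET /cgi-bin/Count.cgi?df=0000000 HTTP/1.1\r\nHost: webstats.web.rcn.net\r\n\r\n",
    "analyst_counter": b"GET /cgi-bin/Count.cgi?df=0000000 HTTP/1.1\r\nHost: webstats.web.rcn.net\r\n"
                       b"Referer: http://isc.sans.org/blackworm\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
    "worm_probe": AGENTLESS_MS_PROBE,
    "browser_probe": b"GET / HTTP/1.1\r\nHost: www.microsoft.com\r\nUser-Agent: Mozilla/5.0\r\n\r\n",
}

if __name__ == "__main__":
    for name, request in SAMPLES.items():
        print(f"{name:16} -> {classify(request)}")
```

As the diary notes, the second rule will also fire on any other client that sends that exact header set, so treat a hit as a lead to confirm on the host, not as proof of infection.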