@@ Nasty computer worm devours files today (February 3, 2006) @@
- From: "Arash" <A7000@xxxxxxxxxxx>
- Date: Fri, 3 Feb 2006 11:19:32 -0500
PC Magazine
February 3, 2006
Microsoft Joins 'Blackworm' D-Day Warning Chorus
By Ryan Naraine
ryan_naraine[AT]ziffdavis.com
An email predator masquerading as porn is worming its way around the world and today
is expected to leave empty hard drives in its wake.
The virus, known as "CME-24", "Kama Sutra" and several other names, has been spreading
since January 16 -- but today is the day it is programmed to erase files.
This worm has just one mission -- to destroy.
The worm's other names include "MyWife.E" and "Blackworm".
The worm is also known as "Nyxem.E" and "Grew.A". It spreads in email attachments
with subject lines such as "hot movie", "a great video" or "crazy illegal sex".
The email doesn't have to be opened to infect a system -- it spreads by itself
through a home or business computer network, email lists or even old-fashioned floppy
disks.
Even corporate firewalls can be breached by employees who connect infected laptops to
the company network.
About 680,000 systems around the world have been infected so far, with Asia believed
to be the worm's main target.
Symptoms of infection include keyboard and mouse freezing after an email is selected.
WORM INVASION
- Sometime today, the "Kama Sutra worm" will write the text string 'DATA Error [47 OF
94 93 F4 F5]' over documents from Microsoft Office and Adobe as well as some others
rendering them useless.
- This is set to happen on the third of each month, according to your PC's clock.
- This worm has been given a 'moderate' threat rating by Microsoft.
- Disinfection requires reinstalling an anti-virus program updated to protect against
this worm, then scanning to make sure it has been purged.
- Other names: "Blackworm", "Blackmal MyWife", "Nyxem"
STEPS TO PROTECT YOURSELF
- Use anti-virus software and keep its definitions up-to-date
- Do not open email attachments (that's how the worm is packaged and distributed).
- Run Windows in User, not Administrator, mode.
Microsoft's anti-malware engineering team has joined the chorus of calls for computer
users to be on high alert for an email worm that uses social engineering tactics to
deliver a destructive payload.
The company issued an official security advisory
(http://www.microsoft.com/technet/security/advisory/904420.mspx) to back up a warning
from its anti-malware researchers that the worm -- known as Kama Sutra, Blackworm,
MyWife.E, Nyxem.E -- is programmed to "permanently corrupt a number of common document
format files on the third day of every month."
With a D-Day of February 3, 2006
(http://www.eweek.com/article2/0,1895,1915070,00.asp) fast approaching, Microsoft is
beating the drum for PC users to update anti-virus signatures and be on high alert
for suspicious e-mail attachments.
Volunteer security researchers have already notified ISPs about possible customer
infections and the LURHQ Threat Intelligence Group has released Snort signatures to
help enterprises detect infected users in a net-space.
Finnish anti-virus vendor F-Secure has released a free disinfection tool
(http://www.f-secure.com/v-descs/nyxem_e.shtml) to help clean compromised computers
before the February 3 deadline.
F-Secure chief incident officer Mikko Hypponen said the first reports of destruction
have already started to filter in.
http://www.pcmag.com/article2/0,1895,1917638,00.asp
Microsoft Security
February 1, 2006
Microsoft Security Advisory (904420)
Win32/Mywife.E[AT]mm
Microsoft wants to make customers aware of the Mywife mass mailing malware variant
named "Win32/Mywife.E[AT]mm".
The mass mailing malware tries to entice users through social engineering efforts
into opening an attached file in an email message. If the recipient opens the file,
the malware sends itself to all the contacts that are contained in the system's
address book. The malware may also spread over writeable network shares on systems
that have blank administrator passwords.
Customers using Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server
2003, or Windows Server 2003 Service Pack 1 may be at reduced risk from this malware;
if the account password is blank, the account is not valid as a network credential.
In an environment where you can guarantee physical security, you do not need to use
the account across the network, and you are using Windows XP or Windows Server 2003,
a blank password is better than a weak password. By default, blank passwords can only
be used locally in Windows XP and Windows Server 2003.
Customers who are using the most recent and updated antivirus software could be at a
reduced risk of infection from the "Win32/Mywife.E[AT]mm" malware.
Customers should verify this with their antivirus vendor. Antivirus vendors have
assigned different names to this malware but the Common Malware Enumeration (CME)
group has assigned it ID CME-24.
On systems that are infected by "Win32/Mywife.E[AT]mm", the malware is intended to
permanently corrupt a number of common document format files on the third day of
every month.
February 3, 2006 is the first time this malware is expected to permanently corrupt
the content of specific document format files. The malware also modifies or deletes
files and registry keys associated with certain computer security-related
applications. This prevents these applications from running when Windows starts. For
more information, see the Microsoft Virus Encyclopedia
(http://www.microsoft.com/security/encyclopedia/details.aspx?Name=Win32/Mywife.E@mm).
As with all currently known variants of the Mywife malware, this variant does not
make use of a security vulnerability, but is dependent on the user opening an
infected file attachment. The malware also attempts to scan the network looking for
systems it can connect to and infect. It does this in the context of the user. If it
fails to connect to one of these systems, it tries again by logging on with
"Administrator" as the user name together with a blank password.
Customers who believe that they are infected with the Mywife malware, or who are not
sure whether they are infected, should contact their antivirus vendor. Alternatively,
Windows Live Safety Center Beta (http://safety.live.com/) Web site provides the
ability to choose "Protection Scan" to ensure that systems are free of infection.
Additionally, the Windows OneCare Live Beta (http://www.windowsonecare.com/), which
is available for English language systems, provides detection for and protection
against the Mywife malware and its known variants.
For more information about the Mywife malware, to help determine whether you have
been infected by the malware, and for instructions on how to repair your system if
you have been infected, see the Microsoft Virus Encyclopedia. For Microsoft Virus
Encyclopedia references, see the "Overview" section. We continue to encourage
customers to use caution with unknown file attachments and to follow our Protect Your
PC guidance of enabling a firewall, getting software updates, and installing
antivirus software. Customers can learn more about these steps by visiting the
Protect Your PC Web site
(http://www.microsoft.com/athome/security/protect/windowsxpsp2/Default.mspx).
http://www.microsoft.com/technet/security/advisory/904420.mspx
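
Added example, not part of the PC Magazine article or the Microsoft advisory: a damage-assessment scan that walks a directory tree and lists files carrying the overwrite string quoted in the article. It assumes the string is stored as ASCII near the start of an overwritten file; the function names, the 4096-byte window and the sample files are constructed for illustration.

```python
import os
import tempfile

# Marker text as quoted in the article above; ASCII encoding is an assumption.
MARKER = b"DATA Error [47 OF 94 93 F4 F5]"
HEAD_BYTES = 4096  # assumption: marker sits near the start of an overwritten file


def is_overwritten(path, head_bytes=HEAD_BYTES):
    """Return True if the marker appears in the first head_bytes of the file."""
    try:
        with open(path, "rb") as fh:
            return MARKER in fh.read(head_bytes)
    except OSError:
        return False  # unreadable file: cannot be classified, not reported as a hit


def scan_tree(root):
    """Walk root and return sorted relative paths of files carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                continue  # do not follow links out of the tree being assessed
            if is_overwritten(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)


def demo():
    """Build a constructed sample tree (not real data) and scan it."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "reports"))
        samples = {
            "budget.xls": MARKER,                                # overwritten
            "notes.txt": b"meeting at 10\n",                     # intact
            os.path.join("reports", "q4.doc"): MARKER + b"\x00" * 16,
            os.path.join("reports", "q4.pdf"): b"%PDF-1.4\nintact body\n",
        }
        for rel, data in samples.items():
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        return scan_tree(root)


if __name__ == "__main__":
    for hit in demo():
        print("overwritten:", hit)
```

The resulting list tells a responder which documents need to be restored from backup; it does not detect or remove the worm itself.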