India: Computer Virus Attacks To Rise In 2006


sejwaldeepak
February 3rd, 2006, 12:14 PM
Bernama.com
World January 27, 2006 17:45 PM
India: Computer Virus Attacks To Rise In 2006

CHENNAI, Jan 27 (Bernama) -- Computer virus attacks like "spy-phishing" are expected to be on the rise this year, making them a "predominant concern" for individual companies, said the Press Trust of India (PTI) Friday, quoting a report by a leading computer security concern.

The 2005 Annual Round-Up and 2006 Forecast by Trend Micro said, in 2005, the vast majority of threats were inspired by financial gains "rather than notoriety".

More targeted attacks focussed on "certain company and their users" or on a particular group with a "common connection".

According to the report, spy-phishing, a new kind of attack witnessed last year, dealt with "the de facto usage of blended threats" motivated by financial gains.

Attackers looked for other stealth methods and found the most effective tool of them all, called "rootkits".

Towards the end of 2005, rootkits were being used as the ultimate weapon to assist in cloaking "malware and grayware" activity.

Rootkits modify the operating system behaviour to hide certain processes, files, folders and registry entries.

"Botworms", a special type of "hybrid threat", have been fast spreading "primarily due to the fact that they have become open sources developments, built in a modular fashion".

The report said 2005 could be referred to as the "year of grayware", with 65 per cent of the top 15 threats (against software and hardware) accounting for nearly 11 million.

The Trend Micro report expected rootkits coupled with threats like "spear-phishing" to continue this year and become a "primary concern" for individual companies.

However, "we expect to see detection numbers increase this year for new variants," the report added.

-- BERNAMA

sejwaldeepak
February 3rd, 2006, 12:18 PM
KamaSutra Worm to Attack Feb 3
Techtree News Staff
Jan 31, 2006
http://www.techtree.com/techtree/jsp/article.jsp?article_id=70996&cat_id=582

The new computer worm, named Kama Sutra, is scheduled to attack infected systems Friday, 3 February. The worm, also known as Blackworm, Nyxem-D and W32.blackmail.e, is aimed at Windows-based computers and spreads by copying itself to shared network locations and mass emailing itself to email addresses on these systems.

Though potentially quite damaging to a system, large scale infection of the worm is not expected and the current over-reaction by many members of the anti-virus community is unwarranted, according to anti-virus company BitDefender.

The Kama Sutra worm is designed to overwrite all .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, and .dmp files. It has gained the attention of the anti-virus community because of its ability to deceive Windows through phony digital signatures, and seems to have been created for the sole purpose of doing damage and not for commercial gain. It has also gained attention in both the general and technology press due to a unique Website that supposedly shows a running counter of infected computers, as well as its reliance on sexually suggestive emails which spread the virus.

Within the past week, a great deal of media attention has been given to the danger of this worm. While there is a potential of damage if a computer is infected, BitDefender, one of the first companies to offer a free tool for detecting and cleansing the virus from systems, believes that the worm is not as dangerous or widespread as has been reported and can easily be blocked with up-to-date anti-virus software.

Bogdan Dumitru, CTO, BitDefender, said, "Some members of the anti-virus community have initiated a wholesale panic around this threat, and we absolutely feel this is nothing but over-reaction. There is no doubt that this is an interesting virus due to the fact that we do not often see pure destructive viruses developed with no financial gain in mind anymore, and it has an interesting counter that shows how many systems are infected. But there is no reason to trust this site to be truthful. Without a suggestive name and a couple of neat designs, this worm is nothing more than a run-of-the-mill attack that anyone with anti-virus software will stop."

sejwaldeepak
February 3rd, 2006, 02:46 PM
VIRUS ALERTS

Nyxem_e/Blackmal/GREW/MyWife/Kamasutra Worm

Original issue date: January 23, 2006
Updated on: February 01, 2006

It has been observed that a memory-resident mass-mailing worm called Nyxem and its variants are spreading in the wild, attacking Microsoft Windows systems. The worm propagates by attaching a copy of itself to email messages that it sends to harvested target addresses using its own SMTP engine. Attachments may be an executable file or a MIME file containing an executable file. The worm propagates via e-mail and network shares.

The worm has aliases such as W32.Blackmal.E@mm, W32/Kapser.A@mm, W32/MyWife.d@MM, Win32/Blackmal.F, WORM_GREW.A (Trend Micro), Win32/Blackmal.F (Computer Associates) and Nyxem.e (F-Secure).

The worm's destructive payload activates on the third day of every month, replacing the content of the user's files with the text string "DATA Error [47 0F 94 93 F4 K5]". The affected file types are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.

Upon execution this worm attempts to:

Drop and open a .ZIP archive with the same name in the Windows system folder to hide its functionality.
Copy itself to %system% with the filenames: scanregw.exe, Winzip.exe, Update.exe, movies.exe, Zipped Files.exe
Copy itself to %Windows% with the filenames: Rundll16.exe, WinZip_Tmp.exe
Create a registry entry to enable its automatic execution at every system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry=scanregw.exe /scan

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
WebView

Hide files with both System and Read-only attributes by modifying the following registry entry:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
ShowSuperHidden = "dword:00000000"

Modify the registry values:

HKCU\Control Panel\BMale
HKCU\Control Panel\DNS

Delete autostart registry entries.

The emails sent by the worm use obscene subject lines, message content and attachments, as given below:
Subject: (any of the following)

• ----- forwarded message -----
• *Hot Movie*
• A Great Video
• Arab sex DSC-00465.jpg
• eBook.pdf
• Fw: DSC-00465.jpg
• Fw: Funny :)
• Fw: Picturs
• Fw: Real show
• Fw: SeX.mpg
• Fw: Sexy
• Fwd: Crazy illegal Sex!
• Fwd: image.jpg
• Fwd: Photo
• give me a kiss
• Miss Lebanon 2006
• My photos
• Part 1 of 6 Video clip or clipe
• Photos
• School girl fantasies gone bad
• Re: Sex Video

Message body: (any of the following)

• forwarded message
• forwarded message attached.
• ****in Kama Sutra pics
• hello,
• Helloi attached the details.
• Hot XXX Yahoo Groups
• how are you?
• i just any one see my photos.
• i send the details.
• i send the file.
• It's Free :)
• Note: forwarded message attached. You Must View This Videoclip!
• Please see the file.
• ready to be ****ED ;)
• Thank you
• The Best Videoclip Ever
• the file i send the details
• VIDEOS! FREE! (US$ 0,00)
• What?

Attachment: (any of the following)

• 007.pif
• 3.92315089702606E02.UUE
• 392315089702606E-02,.scR
• 392315089702606E-02,UUE{spaces}.scR
• 677.pif
• Adults_9,zip.sCR
• ATT01.zip.sCR
• Attachments00.HQX
• Attachments001.BHX
• Attachments[001],B64.sCr
• Attachments[001].B64
• Clipe,zip.sCr
• document.pif
• DSC-00465.pIf
• eBook.PIF
• eBook.Uu
• image04.pif
• New Video,zip
• New_Document_file.pif
• Original Message.B64
• photo.pif
• Photos,zip.sCR
• School.pif
• SeX,zip.scR
• Sex.mim
• Video_part.mim
• WinZip,zip.scR
• WinZip.BHX
• WinZip.zip.sCR
• Word XP.zip.sCR
• Word.zip.sCR
• Word_Document.hqx
• Word_Document.uu

The worm harvests addresses from files found on the machine with extensions such as:

.HTM, .DBX, .EML, .MSG, .OFT, .NWS

It deletes files related to anti-virus applications, such as:

%ProgramFiles%\Symantec\LiveUpdate\*.*
%ProgramFiles%\Norton AntiVirus\*.exe
%ProgramFiles%\McAfee.com\shared\*.*
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl

It attempts to spread to network shares with weak passwords using the name WINZIP_TMP.exe.

On Windows NT, 2000, XP and Server 2003, it also creates a scheduled task (a .JOB file in the %Windows%\Tasks folder) to execute the dropped copy at the 59th minute of every hour after it is dropped.

This worm also modifies DESKTOP.INI. The modification causes the dropped file TEMP.HTT to be executed every time a folder or a drive, including a floppy drive, is accessed. It drops these two files, along with a copy of itself as WINZIP_TMP.EXE, into every available folder or drive, again including floppy drives. The attributes of these files are set to Hidden in an attempt to avoid easy detection.

The worm also contacts the site "webstats.web.rcn.net", presumably to record a new system compromise.
Prevention and Suggested Actions:

Update anti-virus software regularly
Block emails with the subjects and attachments mentioned above at the email gateway
Exercise caution while opening email attachments
Block executable and unknown file types at the email gateway
Back up all important data files
Apply appropriate security updates at the OS and application level
Free Removal Tools:

http://www.microsoft.com/security/malwareremove/default.mspx
http://www.quickheal.co.in/public/alerts/i-worm.VB_Bi.asp
http://www.symantec.com/avcenter/venc/data/w32.blackmal@mm.removal.tool.html
http://www.f-secure.com/v-descs/nyxem_e.shtml

Common Malware Enumeration (CME) ID: CME-24

References

http://www.isc.sans.org/diary.php?storyid=1051
http://www.isc.sans.org/diary.php?storyid=1063
http://www.f-secure.com/v-descs/nyxem_e.shtml
http://www.sarc.com/avcenter/venc/data/w32.blackmal.e@mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM%5FGREW%2EA
http://www.sophos.com/virusinfo/analyses/w32nyxemd.html
http://www.frsirt.com/english/virus/2006/00724
http://virusalert.nl/?show=virus&id=1326
http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=138027&affid=102
http://www.norman.com/Virus/Virus_descriptions/28031/en
http://secunia.com/virus_information/12633/win32.blackmal.e/
http://www.microsoft.com/technet/security/advisory/904420.mspx
Disclaimer

The information provided herein is on "as is" basis, without warranty of any kind.

Contact Information

Email: info@cert-in.org.in
Phone: +91 11-24368572

Postal address:
Indian Computer Emergency Response Team (CERT-In)
Ministry of Communications and Information Technology
Electronics Niketan
6, C.G.O. Complex
New Delhi-110 003
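The advisory above gives two things a defender can act on directly: the subject lines and attachment names to block at the email gateway (together with the generic advice to block executable and unknown file types), and the payload string the worm writes over DOC, XLS, ZIP and the other targeted files on the 3rd of the month. The following is an added example, not CERT-In's or any anti-virus vendor's code, that turns those indicators into a gateway check and a post-3rd-of-the-month triage scan. Function names (attachment_verdict, gateway_verdict, find_overwritten, demo) and the sample messages and files are constructed for the demonstration; the assumption that a clobbered file begins with the payload string follows from the advisory's statement that the file content is replaced by it.

```python
"""Triage helpers built from the Nyxem/Blackmal indicators in the advisory above.
Added example, not CERT-In's or any anti-virus vendor's code: it applies the listed
subject lines and attachment names, the "block executable and unknown file types"
gateway rule, and the payload marker. Sample messages and files are constructed."""
import os
import shutil
import tempfile

def _norm(s):
    # Drop whitespace and case so "UUE   .scR" padding and .sCR/.pIf casing still match.
    return "".join(s.split()).lower()

# Subject lines quoted in the advisory.
KNOWN_SUBJECTS = {_norm(s) for s in (
    "----- forwarded message -----", "*Hot Movie*", "A Great Video", "Arab sex DSC-00465.jpg",
    "eBook.pdf", "Fw: DSC-00465.jpg", "Fw: Funny :)", "Fw: Picturs", "Fw: Real show",
    "Fw: SeX.mpg", "Fw: Sexy", "Fwd: Crazy illegal Sex!", "Fwd: image.jpg", "Fwd: Photo",
    "give me a kiss", "Miss Lebanon 2006", "My photos", "Part 1 of 6 Video clip or clipe",
    "Photos", "School girl fantasies gone bad", "Re: Sex Video")}

# Attachment names quoted in the advisory (its "{spaces}" padding is removed by _norm).
KNOWN_ATTACHMENTS = {_norm(a) for a in (
    "007.pif", "3.92315089702606E02.UUE", "392315089702606E-02,.scR", "392315089702606E-02,UUE.scR",
    "677.pif", "Adults_9,zip.sCR", "ATT01.zip.sCR", "Attachments00.HQX", "Attachments001.BHX",
    "Attachments[001],B64.sCr", "Attachments[001].B64", "Clipe,zip.sCr", "document.pif",
    "DSC-00465.pIf", "eBook.PIF", "eBook.Uu", "image04.pif", "New Video,zip",
    "New_Document_file.pif", "Original Message.B64", "photo.pif", "Photos,zip.sCR", "School.pif",
    "SeX,zip.scR", "Sex.mim", "Video_part.mim", "WinZip,zip.scR", "WinZip.BHX", "WinZip.zip.sCR",
    "Word XP.zip.sCR", "Word.zip.sCR", "Word_Document.hqx", "Word_Document.uu")}

# Extension classes the generic gateway rule covers; the worm only varies case (.sCR)
# and hides ".zip" behind a comma, so the real extension is whatever follows the last dot.
EXECUTABLE_EXT = {"exe", "scr", "pif", "com", "bat", "cmd"}
ENCODED_EXT = {"uue", "uu", "b64", "hqx", "bhx", "mim"}  # uuencode/base64/BinHex/MIME wrappers

def attachment_verdict(name):
    """Reason to block an attachment filename, or None if nothing matches."""
    n = _norm(name)
    if n in KNOWN_ATTACHMENTS:
        return "known worm attachment name"
    ext = n.rsplit(".", 1)[1] if "." in n else ""
    if ext in EXECUTABLE_EXT:
        return "executable extension ." + ext
    if ext in ENCODED_EXT:
        return "encoded container ." + ext
    return None

def gateway_verdict(msg):
    """msg is {'subject': str, 'attachments': [str]}; returns [(item, reason)] hits."""
    hits = []
    if _norm(msg.get("subject", "")) in KNOWN_SUBJECTS:
        hits.append(("subject", "known worm subject"))
    for att in msg.get("attachments", []):
        reason = attachment_verdict(att)
        if reason:
            hits.append((att, reason))
    return hits

PAYLOAD_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
TARGET_EXT = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps", ".zip", ".rar", ".pdf", ".psd", ".dmp"}

def find_overwritten(root):
    """Relative paths of targeted-type files whose content the payload replaced.
    Assumption: the advisory says the content is replaced by the string, so a
    targeted file that starts with the marker is treated as clobbered."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for f in files:
            if os.path.splitext(f)[1].lower() not in TARGET_EXT:
                continue
            path = os.path.join(dirpath, f)
            try:
                with open(path, "rb") as fh:
                    head = fh.read(len(PAYLOAD_MARKER))
            except OSError:
                continue  # unreadable: report nothing rather than guess
            if head == PAYLOAD_MARKER:
                hits.append(os.path.relpath(path, root).replace(os.sep, "/"))
    return sorted(hits)

def demo():
    """Run both checks on a constructed file tree and mailbox; returns (paths, message indexes)."""
    root = tempfile.mkdtemp(prefix="nyxem_demo_")
    samples = {"budget.xls": PAYLOAD_MARKER,          # clobbered
               "notes/plan.doc": PAYLOAD_MARKER,      # clobbered, one level down
               "intact.pdf": b"%PDF-1.4 untouched",   # not touched
               "readme.txt": PAYLOAD_MARKER}          # .txt is not a targeted type
    for rel, data in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)
    overwritten = find_overwritten(root)
    shutil.rmtree(root)
    mailbox = [{"subject": "Fw: Funny :)", "attachments": ["Photos,zip.sCR"]},
               {"subject": "Q1 report", "attachments": ["report.pdf"]},
               {"subject": "re: sex video", "attachments": ["392315089702606E-02,UUE   .scR"]},
               {"subject": "Invoice", "attachments": ["setup.EXE"]}]
    blocked = [i for i, m in enumerate(mailbox) if gateway_verdict(m)]
    return overwritten, blocked
```

The name list alone is a weak filter, since a new variant changes the strings; the extension check is what carries the weight, which is why it normalises case and looks only at the text after the last dot (so "Photos,zip.sCR" is an .scr, not a .zip). On a real host the scan would be pointed at user document roots and shares, and any hit is a file to restore from backup rather than repair, because the original content is gone.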