Email-Worm.Win32.Nyxem.E is a worm that runs on Win32.

Behavior

The Nyxem.E worm spreads via the Internet as an attachment to infected messages and via open network resources.

It sends itself to email addresses harvested from the victim computer.

The worm itself is a PE EXE file written in Visual Basic, packed using UPX. The packed file is approximately 95KB in size, and the unpacked file is approximately 176KB in size.

Installation

Once launched, to mask its main functionality, the worm creates and opens a ZIP archive in the Windows system directory. The ZIP archive has the same name as the original executable file, e.g.

%System%\Sample.zip

When installing, the worm copies itself to the Windows root, system and startup directories under the following names:

%System%\New WinZip File.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe
%System%\WINZIP_TMP.EXE
%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
%Windir%\rundll16.exe

The worm then registers itself in the system registry, ensuring it will be launched each time Windows is rebooted on the victim machine:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

 "ScanRegistry"="scanregw.exe /scan"

The worm also modifies the following registry keys:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]

 "WebView"="0"
 "ShowSuperHidden"="0"

Propagation via email

The worm harvests addresses from files with the following extensions:

dbx
eml
htm
imh
mbx
msf
msg
nws
oft
txt
vc

It also scans files whose names contain the following strings:

content
temporary

When sending infected messages, the worm attempts to establish a direct connection to the recipient's SMTP server.

Infected messages

Message subject:

*Hot Movie*

A Great Video

Arab sex DSC-00465.jpg

eBook.pdf

Fuckin Kama Sutra pics

Fw:

Fw: DSC-00465.jpg

Fw: Funny :)

Fw: Picturs

Fw: Real show

Fw: SeX.mpg

Fw: Sexy

Fwd: Crazy illegal Sex!

Fwd: image.jpg

Fwd: Photo

give me a kiss

Miss Lebanon 2006

My photos

Part 1 of 6 Video clipe

Photos

Re:

Re: Sex Video

School girl fantasies gone bad

The Best Videoclip Ever

You Must View This Videoclipe!

Message body:

----- forwarded message -----
>> forwarded message
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. Bye
Hot XXX Yahoo Groups
how are you? i send the details.
i attached the details. Thank you.
i just any one see my photos. It's Free :)
Note: forwarded message attached. You Must View This Videoclip!
Please see the file.
Re: Sex Video
ready to be FUCKED ;)
The Best Videoclip Ever
VIDEOS! FREE! (US$ 0,00)
What?

Attachment name:

007.pif

04.pif

3.92315089702606E02.UUE

677.pif

Attachments[001].B64

document.pif

DSC-00465.Pif

DSC-00465.pIf

eBook.PIF

eBook.Uu

image04.pif

New_Document_file.pif

Original Message.B64

photo.pif

School.pif

SeX.mim

WinZip.BHX

Word_Document.hqx

Word_Document.uu
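A mail-gateway check built from the subject lines and attachment extensions listed above (an added example, not code from the wiki page; the function names and the sample message are constructed here):

```python
# Added example (not from the wiki page): a mail-gateway check for the
# Nyxem.E subject lines and attachment types listed above.
import email
import os
from email import policy
from email.message import EmailMessage

# Subject lines quoted on the page, lower-cased for matching. The bare
# "Fw:" and "Re:" entries are left out because they match ordinary mail.
NYXEM_SUBJECTS = {s.lower() for s in (
    "*Hot Movie*", "A Great Video", "Arab sex DSC-00465.jpg", "eBook.pdf",
    "Fuckin Kama Sutra pics", "Fw: DSC-00465.jpg", "Fw: Funny :)",
    "Fw: Picturs", "Fw: Real show", "Fw: SeX.mpg", "Fw: Sexy",
    "Fwd: Crazy illegal Sex!", "Fwd: image.jpg", "Fwd: Photo",
    "give me a kiss", "Miss Lebanon 2006", "My photos",
    "Part 1 of 6 Video clipe", "Photos", "Re: Sex Video",
    "School girl fantasies gone bad", "The Best Videoclip Ever",
    "You Must View This Videoclipe!",
)}
# Attachment extensions from the page: .pif executables plus the uuencode,
# base64, BinHex and MIME wrappers the worm uses to carry the executable.
NYXEM_ATTACH_EXTS = {".pif", ".uue", ".uu", ".b64", ".bhx", ".hqx", ".mim"}


def nyxem_indicators(raw_message: bytes) -> list[str]:
    """Return the indicators matched by one raw RFC 822 message (empty if none)."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    subject = str(msg["Subject"] or "").strip()
    if subject.lower() in NYXEM_SUBJECTS:
        hits.append(f"subject:{subject}")
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if os.path.splitext(name)[1].lower() in NYXEM_ATTACH_EXTS:
            hits.append(f"attachment:{name}")
    return hits


def build_sample() -> bytes:
    """Constructed message imitating the lure (the attachment is inert text)."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Fw: DSC-00465.jpg"
    msg.set_content("forwarded message attached.")
    msg.add_attachment(b"not an executable", maintype="application",
                       subtype="octet-stream", filename="DSC-00465.Pif")
    return msg.as_bytes()
```

Matching on the subject alone is weak on its own; the attachment extension is the stronger signal, since none of those container types belong in normal user mail.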

Propagation via open network resources

The worm copies itself to the following network resources as Winzip_TMP.exe:

ADMIN$

C$

Other

If the worm finds any of the values listed below under the following registry keys on the victim machine, it deletes them:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]

[HKCU\Software\Microsoft\Windows\CurrentVersion\Run]

APVXDWIN

avast!

AVG7_CC

AVG7_EMC

AVG7_Run

AVG_CC

Avgserv9.exe

AVGW

BearShare 

defwatch

DownloadAccelerator

kaspersky

KAVPersonal50

McAfeeVirusScanService

NAV Agent

OfficeScanNT Monitor

PCCClient.exe

pccguide.exe 

PCCIOMON.exe

PccPfw

Pop3trap.exe

rtvscn95

ScanInicio

SSDPSRV

TM Outbreak Agent

tmproxy

Vet Alert

VetTray 

vptray

NPROTECT

ccApp

ScriptBlocking

MCUpdateExe

VirusScan Online

MCAgentExe

VSOCheckTask

McRegWiz

CleanUp

MPFExe

MSKAGENTEXE

MSKDetectorExe

McVsRte

The worm also terminates active applications if the application name contains one of the following strings:

kaspersky

mcafee

norton

removal

scan

symantec

trend micro

virus

fix

It deletes all files matching the following patterns:

%ProgramFiles%\DAP\*.dll

%ProgramFiles%\BearShare\*.dll

%ProgramFiles%\Symantec\LiveUpdate\*.*

%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*

%ProgramFiles%\Norton AntiVirus\*.exe

%ProgramFiles%\Alwil Software\Avast4\*.exe

%ProgramFiles%\McAfee.com\VSO\*.exe

%ProgramFiles%\McAfee.com\Agent\*.*

%ProgramFiles%\McAfee.com\shared\*.*

%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe

%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe

%ProgramFiles%\Trend Micro\Internet Security\*.exe

%ProgramFiles%\NavNT\*.exe

%ProgramFiles%\Morpheus\*.dll

%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl

%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe

%ProgramFiles%\Grisoft\AVG7\*.dll

%ProgramFiles%\TREND MICRO\OfficeScan\*.dll

%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe

%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

All of these actions leave the victim machine more vulnerable to subsequent attacks.

It may also download updates to itself via the Internet, without the knowledge or consent of the user.

It will also block the mouse and the keyboard.

On the 3rd of each month, 30 minutes after the victim computer is rebooted, the worm overwrites files with the following extensions:

.doc 
.xls 
.mdb 
.mde 
.ppt 
.pps 
.zip 
.rar 
.pdf 
.psd 
.dmp

Files corrupted by the worm contain the following text:

DATA Error [47 0F 94 93 F4 F5]
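A recovery-time scanner that finds documents destroyed by the routine above by looking for the marker text (an added example, not code from the wiki page; it assumes the marker sits within the first 4 KiB of a corrupted file, and the directory tree it scans is constructed in a temporary folder):

```python
# Added example (not from the wiki page): locate documents overwritten by the
# 3rd-of-the-month payload by looking for the marker text quoted above.
import os
import tempfile
from pathlib import Path

# Text the page says corrupted files contain. Assumption: it appears within
# the first 4 KiB, so only that much of each file is read.
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 F5]"
# Extensions the page lists as targets of the destructive routine.
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_nyxem_corrupted(path: Path) -> bool:
    """True if the file's leading bytes carry the worm's marker."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(4096)
    except OSError:          # unreadable or vanished: treat as not matched
        return False
    return NYXEM_MARKER in head


def scan_tree(root: Path) -> list[Path]:
    """Return every target-extension file under root that carries the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTS and is_nyxem_corrupted(p):
                hits.append(p)
    return sorted(hits)


def demo() -> list[str]:
    """Constructed tree: one overwritten .doc, one intact .xls, a marker in .txt."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        (root / "reports" / "q1.doc").write_bytes(NYXEM_MARKER)
        (root / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0 intact OLE header")
        (root / "notes.txt").write_bytes(NYXEM_MARKER)   # .txt is not a target
        return [p.relative_to(root).as_posix() for p in scan_tree(root)]


if __name__ == "__main__":
    print(demo())
```

Files the scanner reports cannot be repaired from their own contents, since the original data has been overwritten; the list is for restoring them from backup and for scoping the incident.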

Other Variants
