Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
Worms Security IT

Clock Ticking for Nyxem Virus 72

DoddyUK writes "The BBC is reporting that the countdown has begun for the Nyxem virus. On February 3rd, common documents such as MS Word, Excel or Powerpoint will be overwritten on infected machines. Over 300,000 machines have been infected thus far, the main method of infection being the promise of porn in unsolicited emails."
This discussion has been archived. No new comments can be posted.

Clock Ticking for Nyxem Virus

Comments Filter:
  • by Anonymous Coward
    Ouch.
  • by TripMaster Monkey ( 862126 ) * on Monday January 30, 2006 @07:47AM (#14597444)

    From TFA:
    Nyxem is thought to have caught out many people by promising porn to those who open the attachments on e-mail messages carrying the virus.
    Honestly, are there still computer users out there...even regular users...who don't know this is a bad idea by now???
  • by Threni ( 635302 ) on Monday January 30, 2006 @07:47AM (#14597448)
    Darwin's virus, you could call it. As long as it disables their internet access too, I don't see the problem.
    • by TripMaster Monkey ( 862126 ) * on Monday January 30, 2006 @07:54AM (#14597473)

      As long as it disables their internet access too, I don't see the problem.

      Unfortunately, that is the problem....it's not going to disable internet access, as that would impair its ability to propogate.

      From F-Secure [f-secure.com]:
      The 'Nyxem.e' is a mass-mailing worm that also tries to spread using remote shares.
      And from E-Security Planet [esecurityplanet.com]:
      Worm-Nyxem-E propagates via email. It sends a copy of itself using its own Simple Mail Transfer Protocol (SMTP) server. Having its own SMTP server allows it to send email messages without relying on email application like Microsoft Outlook.

      • Having its own SMTP server allows it to send email messages without relying on email application like Microsoft Outlook.

        Yet more fuel for the fire of ISPs blocking outbound port 25/tcp connections because of spammers and worms.

        • actually a lot only block non-authenticated 25...so you can use your ISP provided email and no other.. this only protects in that it allows us to trace spammers to a registered account
          • >I>this only protects in that it allows us to trace spammers to a registered account

            It also helps as the rogue SMTP engine would have to use your credentials to send email through your ISP mail server as well. Unless it can pluck that information from some common place in the registry, it would not be able to authenticate and send.
    • If you are looking for a virus that disables internet access, a sure-fire way to do that would be to take out the whole PC. Monkeypoo does just that! VIRUS WARNING: Attention: Computer Labs Inc., makers of Virucide antivirus software have identified a highly dangerous new Trojan worm, MONKEYPOO. It will usually appear in an e-mail with the subject, "Congratulations.You have won!" it will then prompt you to click a link to collect your cash prize. It can also freely spread across networks. Monkeypoo will
  • The motive? (Score:5, Interesting)

    by antifoidulus ( 807088 ) on Monday January 30, 2006 @07:52AM (#14597467) Homepage Journal
    From the article:"It shows a certain intelligence in its design but what's the motive?" he asked, "Pure vandalism does not ring true these days."

    Maybe economic chaos? The virus goes after MS Office files and pdfs, the files that are 9/10 the most economically valuable on a PC. I wonder what the impact of getting rid of massive amounts of these files would be?
    On the plus side, lazy grad students can now say, "The virus ate my thesis" :P
    • Re:The motive? (Score:5, Insightful)

      by dheltzel ( 558802 ) on Monday January 30, 2006 @08:16AM (#14597590)
      Maybe economic chaos? The virus goes after MS Office files and pdfs, the files that are 9/10 the most economically valuable on a PC. I wonder what the impact of getting rid of massive amounts of these files would be?

      Think of it as a long overdue purge of useless and redundant data on the systems of people who can't be bothered to learn a little about how their computer works or even listen to warning from people who do know a bit. Sort of a way of killing off all the stupid ideas and worthless information before they can do any more harm.

      I know that seems harsh, but the only way I learned how crucial backups are was due to some loss of data (personal, fortunately, not the kind that gets you fired). That lesson has remained fresh in my mind for nearly 20 years. If someone survives an attack without great loss, they are more inclined to be complacent about the next threat. If they do lose something of value, they will consider how to reduce their risk in the future (tested backups, run Linux, don't click on email attachments without caution, etc.).

    • Re:The motive? (Score:4, Interesting)

      by Zocalo ( 252965 ) on Monday January 30, 2006 @08:23AM (#14597626) Homepage
      That's kind of what I was thinking too, what with the reported increase in on-line extortion of the "pay us money or suffer a DDoS" type and all. You could mass mail some destructive worm like Nyxem, see which IPs phoned home to report an infection, and if see evidence of a signicant outbreak in a big network offer to disable the thing via it's control channel for a "small" fee. It's getting a little close to the wire for effective blackmail based around Nyxem though, unless such attempts have not been made public of course...

      I have to admit I've been kind of hoping for something like Nyxem that wipes out data would come along for a while now. After all the mainstream media coverage of such worms and trojans, all of which have preached the "don't click on the attachment" line, there is simply no excuse for this kind of thing. Sure, there's not a lot that the less IT aware members of the population are going to be able to do about a 0-day exploit like the recent GDI vulnerability, but a mass-mailing and P2P worm? It's harsh, but I think that losing all their documents is the only way that the IT security message is going to reach some people, and if that wakes them up to more involved stuff as well, then so much the better.

    • by HaydnH ( 877214 )
      "On the plus side, lazy grad students can now say, "The virus ate my thesis" :P"

      So Holmes, you're saying the culprit is a CS grad student with a project due in on the 4th of February?

      Elementary, my dear Watson...
      • If I was the Prof of that CS grad student, then I wouldn't give them any pity. Being a CS grad student means that you should be away that only storing your paper on 1 disk is not a very good idea. Always make backups of your work. Possibly 2 or 3, depending on how important the assignment is. I always did offsite backups of my work, to my hosting company. I had heard enough horror stories of people who had their computer crash and lost all their work.
    • "I wonder what the impact of getting rid of massive amounts of these files would be?"

      I'd be more worried about the impact of files being modified rather than deleted. If a file disappears you'll probably know about it, if the number five in a few of your spreadsheets is turned into a a one and all the ones into fives how long would it take to be discovered.

      The damage would be far worse if you can't tell the extent of it.

      I suppose at least knowing the date this virus is going to start screwing things up
  • av precautions (Score:3, Insightful)

    by AndyST ( 910890 ) on Monday January 30, 2006 @07:53AM (#14597472)

    I'd fancy a virus overwriting common software such as MS Word, Excel or Powerpoint.

    Jokes aside. A colleague wrote to the department to look out for the virus, backup all documents, bla bla.. I replyed, being the one who installed the av software, that updates are run hourly and that everybody is safe if they apply the same precautions which they usually (should) do.

    So who is right? Me or the colleague who eventually said that my reply to all was conterproductive?

    • backups should be done on a scheduled basis by users *anyway*.
      lightening, floods and petty machinery theft could strike, not just viruses.

      so, i'd consider your collegues advice to be "redundant."

    • I would say that you are technically correct, but by doing a reply all that invalidated your colleagues original email, he feels like you smacked him down, ie that your reply also invalidated *him*.

      People are funny like that. No matter how valid your reply is, they take it personlly when you point out that they are wrong.

      I once got a corporate wide email from some guy in some department somewhere, that was telling us to be aware of people calling you on the phone and asking us to punch in a series of digit
      • Regarding your "straight-up urban legend" - I (not a friend of my cousin) had the experience once of walking past the receptionist's desk at work one morning just as she was about to transfer some outside caller (claiming to be the phone company) to a dial tone.

        Curiously, they gave our receptionist exactly the proper sequence of keys to press in order to pick up another trunk, conference in an operator, and then drop out of the call. Of course, this varies from switch to switch. Being the thorough person

    • Re:av precautions (Score:3, Insightful)

      by AntiDragon ( 930097 )
      That's a loaded question! Woo...

      Depends on the reliability of your AV and how well it's monitored (i.e. Can you identify any non-protected machines quickly) as the Virus attempts to disable AV software. Remember - there's always a nice window of opportunity between a virus doing the rounds and your AV software being updated to detect it. In this specific example, it'd only need one infected machine with access to some general shares to cause havoc come Feburary 3rd. Just one machine. AV won't stop a standar
    • Re:av precautions (Score:3, Informative)

      by csirac ( 574795 )
      Backing up is incredibly easy compared to the loss of your data.

      Never put all your eggs in one basket. Trusting that "nothing bad will happen", trusting 3rd-party band-aids like virus scanners and patches only makes you unnecessarily vulnerable.

      Not backing up because you don't believe you will ever need it is just as bad as never patching or never updating your virus scanner, because you believe for some reason you'll never get a virus.

      It's incredibly easy to do, there are so many circumstances which can le
    • Re:av precautions (Score:5, Insightful)

      by andrewmc ( 88496 ) on Monday January 30, 2006 @08:30AM (#14597671)
      So who is right? Me or the colleague who eventually said that my reply to all was conterproductive?
      I'd agree with your colleague on two points: 1) Telling people not to worry about computer security is just plain wrong. Users need to have it in the backs of their mind that while you are indeed trying to protect them, that relying solely on that is an accident waiting to happen. 2) Suppose an infected machine does make it onto your network? Since the virus can destroy files on remote network shares, it is, as I understand it, still possible data loss can occur on remote machines that are "immune" to the virus.
  • by prefect42 ( 141309 ) on Monday January 30, 2006 @08:11AM (#14597570)
    We've had all sorts of warnings about this bugger, but I've yet to actually see an infected machine.

    Is this just hysteria whisked up by the AV vendors?
  • by ticklejw ( 453382 ) on Monday January 30, 2006 @09:10AM (#14597880) Homepage
    Now's a great time for porn-enjoying Windows users to switch to Linux! All the fun of free Internet porn with none of the viral infection.
    • So, let me get this straight. I used to just have to worry about viral infections with real sex. Now I have to worry about infections with Internet sex as well? Where's it going to stop. Thinking about sex makes your palm pilot explode?
  • ...of me is of the opinion that we (people of the web) are better off without all those who aren't bright enough to avoid such a simple infection method. Now, if only the virus could transmit itself out of the computer and take down the user who, for all intents and purposes, installed the thing on it to begin with. Or at least permenently remove them from ever touching the web again.

    That being said, the web would probably be a bit scarier place if viruses/software had that kind of physical power...

    On t

  • From McAfee site it has beening covered since 02-12-05? (Minimum DAT: 4642 (12/02/2005) [nai.com] People should be updated by now....
  • Please be specific (Score:4, Informative)

    by Princeofcups ( 150855 ) <john@princeofcups.com> on Monday January 30, 2006 @12:42PM (#14599721) Homepage
    DoddyUK writes "The BBC is reporting that the countdown has begun for the Nyxem *Microsoft Windows* virus. On February 3rd, common *Microsoft format* documents such as MS Word, Excel or Powerpoint will be overwritten on infected *Microsoft Windows* machines. Over 300,000 *Microsoft Windows* machines have been infected thus far, the main method of infection being the promise of porn in unsolicited emails."

    jfs
  • Missing the point (Score:3, Informative)

    by Joiseybill ( 788712 ) on Monday January 30, 2006 @01:55PM (#14600306)
    This virus is very likely a POC and an advance guard to hold doors open for future infection or botnets.
    As stated by others already, LURHQ has distribution stats. http://www.lurhq.com/blackworm.html [lurhq.com] US infections only number about 5% of total. Peru and India have most of the worldwide population of this. (this is ip-based, and may not be reliable.)
    I haven't seen another mention, but SANS Storm Center has been following this - and actually has made an offer to sysadmins to share info. They limit the info they will give; if you can reasonably establish that you are the RP for a network or subnet - they will send you a list of known infections in your IP range. They have already sent out notice messages to admins of record (whomever the abuse or tech contact is currently on the whois lookup) using a script. [Check the ISC pages if you really want to know - I don't want to flood them by posting a direct email link here.]
    Referred to in the SANS/ISC history on this http://isc.sans.org/blackworm [sans.org] and previous pages - Fortinet has done extensive analysis. This virus has several actions. Most folks already know it deletes files, breaks AV software, and spreads over Windows shares. What hasn't seen much daylight is that it drops a bunch registry entries that grant "trusted" status to the virus. http://www.fortinet.com/VirusEncyclopedia/search/e ncyclopediaSearch.do?method=viewVirusDetailsInfoDi rectly&fid=119856 [fortinet.com] I'm not an expert on this mechanism - but I'd assume that any machine with these "bad" trusts in place could easily be compromised later using code that is authenticated against these bad keys.
    I read M$' page on this virus, http://www.microsoft.com/security/encyclopedia/det ails.aspx?name=Win32%2FMywife.E%40mm [microsoft.com] as well as a few AV pages. None mention these keys, so I would assume they don't fix this problem.
    Any system that has been infected and then cleaned will probably retain these falsified certificates. This leaves a big hole in place, while some users (even the " all your AV is updated hourly folks.. return to your seats" IT guy) - will have a false sense of security on this.
    Thankfully, many AV programs discovered this virus Heuristically. (see links to LURHQ & others) McAfee, Panda, NOD32, and several others identified blocked this virus without needing a signature update. This may be why we don't have 2 million AOL/Comcast sheep spreading the virus.
    This should serve as a strong reminder to backup religiously, use defense-in-depth, and enforce strong registry policies when Windows systems are implemented.
  • A destructive worm is a real throwback to old school nastiness. Who hasn't learned the lesson that destroying the host (or at least attracting attention) really diminishes the lifespan of an infection.

The unfacts, did we have them, are too imprecisely few to warrant our certitude.

Working...