Is everyone ready for Blackworm? (Feb 3)

Virus Guy

http://isc.sans.org/diary.php?storyid=1067

Over the last week, "Blackworm" infected about 300,000 systems based
on analysis of logs from the counter web site used by the worm to
track itself. This worm is different and more serious than other
worms for a number of reasons. In particular, it will overwrite a
user's files on February 3rd.

At this point, the worm will be detected by up to date anti virus
signatures. In order to protect yourself from data loss on February
3rd, you should use current (Jan 23rd or later) anti virus
signatures. Note, however, that the malware attempts to
disable/remove any anti-virus software on the system (and does this
every hour while the system is up), so if the machine was infected
before signatures were deployed, obviously, that anti-virus software
can't be expected to clean up the infection for you.

The following file types will be overwritten by the virus: DOC, XLS,
MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten
with an error message ('DATA Error [47 0F 94 93 F4 K5]').
 
Gabriele Neukam

On that special day, Ron Lopshire, ([email protected]) said...
"With the activation date drawing near, just make sure your system is
not infected. Unlike GPCode, once the payload has hit, the chances of
you getting your data back will be practically zero."

That reminds me of a Klez variant (was it E?) that did similar things
on, IIRC January and June 6th.

I wish that moronic Excellme customer would get his network
configuration trashed, too, so that he can't send me any more of these
worm mails.


Gabriele Neukam

 
Heather

Ron Lopshire said:
(http://www.viruslist.com/en/weblog?weblogid=178955189)

"With the activation date drawing near, just make sure your system is
not infected. Unlike GPCode, once the payload has hit, the chances of
you getting your data back will be practically zero."
Reminds me of the Michelangelo virus from years ago. I am sure most
*thinking folks* will have made sure their computer is clean.

I wonder if changing the date on the computer might work like it did for
the Michelangelo one......which was how my company handled it way back
then. That has to be at least 10 years ago.

Heather
 
Noel Paton

Heather said:
Reminds me of the Michelangelo virus from years ago. I am sure most
*thinking folks* will have made sure their computer is clean.

I wonder if changing the date on the computer might work like it did for
the Michelangelo one......which was how my company handled it way back
then. That has to be at least 10 years ago.


To quote a 'source'
" And no, changing your clock is not a good mitigation ;-)"

certainly, if you're caught at 11:55 on the 2nd, it may be a viable delaying
tactic - but if you've left it that late, you probably have other problems,
as well!

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
Heather

Noel Paton said:
To quote a 'source'
" And no, changing your clock is not a good mitigation ;-)"

certainly, if you're caught at 11:55 on the 2nd, it may be a viable
delaying tactic - but if you've left it that late, you probably have
other problems, as well!
Oh well, it was a thought. And I wonder if it even worked for
Michelangelo way back when.

All of the AV's will have it in their repertoire anyway.

XX Figgs
 
Snowsquall

Virus Guy said:
http://isc.sans.org/diary.php?storyid=1067

Over the last week, "Blackworm" infected about 300,000 systems based
on analysis of logs from the counter web site used by the worm to
track itself. This worm is different and more serious than other
worms for a number of reasons. In particular, it will overwrite a
user's files on February 3rd.

At this point, the worm will be detected by up to date anti virus
signatures. In order to protect yourself from data loss on February
3rd, you should use current (Jan 23rd or later) anti virus
signatures. Note, however, that the malware attempts to
disable/remove any anti-virus software on the system (and does this
every hour while the system is up), so if the machine was infected
before signatures were deployed, obviously, that anti-virus software
can't be expected to clean up the infection for you.

The following file types will be overwritten by the virus: DOC, XLS,
MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten
with an error message ('DATA Error [47 0F 94 93 F4 K5]').

I talked about this earlier...
It's the SAME virus!
In my spam folder I came across attachments that ended in hqx, bhx and mim.
I managed to download them and scanned them. My antivirus extracted the
virus and put it in quarantine. It turned out to be Blackmal.E and info can
be found on:
http://www.channelregister.co.uk/2006/01/19/kama_sutra_worm/
http://www.informationweek.com/windows/showArticle.jhtml?articleID=177101528


And James Morrow wrote:
who quoted Gabriele...
On that special day, Snowsquall, ([email protected]) said...


Just for the record: I said, "after having *this* actively on your
machine," All readers, please note the fourth word in my quote. I
didn't mean, "on your machine" as "somewhere as a dumb file", but as
"up, running, and of course running within the current account"


Gabriele Neukam


"I've seen 9 of these in the last week in Yahoo Groups emails. Norton
reports this.

Source: Attachments,zip .SCR
Description: The email attachment Attachments,zip .SCR within
Attachments00.HQX is infected with the W32.Blackmal.E@mm virus.
Click for more information about this threat : W32.Blackmal.E@mm

What is an HQX extension? As a Windoze user I had to go look it up.

http://filext.com/detaillist.php?extdetail=HQX"
 
Snowsquall

miss some symbols on my last post : >>>
Snowsquall (myself) had said: please see thread on "weird attachment"
 
Sylvia M

Heather said:
Oh well, it was a thought. And I wonder if it even worked for
Michelangelo way back when.

All of the AV's will have it in their repertoire anyway.

XX Figgs

Given all precautions taken, would it make any sense to just
shut down by 11:55 pm on Feb. 2nd, and start up again on the
4th?
I mean just to be sure, theoretically.

Sylvia M.
 
Noel Paton

Sylvia M said:
Given all precautions taken, would it make any sense to just
shut down by 11:55 pm on Feb. 2nd, and start up again on the
4th?
I mean just to be sure, theoretically.

I'm not sure whether it will run at time periods past the 3rd - but
certainly, from what I hear, it is set to trigger on the 3rd of every month!

--
Noel Paton (MS-MVP 2002-2006, Windows)

Nil Carborundum Illegitemi
http://www.crashfixpc.com/millsrpch.htm

http://tinyurl.com/6oztj

Please read on how to post messages to NG's
 
pennysworth

Given all precautions taken, would it make any sense to just
shut down by 11:55 pm on Feb. 2nd, and start up again on the
4th?
I mean just to be sure, theoretically.

Sylvia M.
I understand that the thing is already in computers and will manifest itself on the third. Is there
any way to check to see if it is already resident?

Pennysworth
 
Snowsquall

Gabriele Neukam said:
On that special day, Ron Lopshire, ([email protected]) said...


That reminds me of a Klez variant (was it E?) that did similar things
on, IIRC January and June 6th.

I wish that moronic Excellme customer would get his network
configuration trashed, too, so that he can't send me any more of these
worm mails.

It was from a Yahoo newsgroup that sends emails that gave me this worm.
I had talked about it in an earlier thread "weird attachment" and even gave
a link to its description.
Concerned that it would automatically run I did some on line scans and I
came up clean.
If one has up-to-date antivirus and has it turned on then there is no danger
at all the worm would run unless it got in before the definitions were
released.
In that case an on line scan may work and if it didn't work and antivirus
was disabled someone would have to scan the hard disk from a network computer
or if worse came to worse remove the hard disk from that computer and put it
in as a slave to another computer and scan it from there.
 
Snowsquall

lizzieb said:
One caution about the Symantec removal tool on Windows 98.
If it is run whether you have the virus/worm or not, an important registry
entry will be removed by the tool.
The worm inserts "ScanRegistry" = "scanregw.exe /scan" into the registry but
Windows 98 has a legitimate registry key "ScanRegistry" =
"C:\WINDOWS\scanregw.exe/autorun" which the removal tool removes.
Also the worm tries to disable any windows that have "fix" in their string
or title so unless one is really "techy" its a difficult one to remove.
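Two concrete checks come up in this thread: the first post says the payload overwrites DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP and ZIP files with the string 'DATA Error [47 0F 94 93 F4 K5]', and lizzieb's post above distinguishes the worm's "ScanRegistry" = "scanregw.exe /scan" Run entry from the legitimate Windows 98 "scanregw.exe/autorun" one. The script below is an added example (not code from any poster, nor from Symantec's removal tool) that turns both into a defender-side triage: it walks a directory tree for target-extension files whose content starts with the overwrite marker, and it classifies a ScanRegistry value as the worm's or the legitimate one. The sample directory it builds is constructed data, and the assumption that the marker sits at the very start of a trashed file is mine, not something the thread states.

```python
"""Blackmal.E / Blackworm triage helpers (added example, not from the thread).

What the thread supplies: the list of overwritten file types, the overwrite
string, and the two ScanRegistry values. What is assumed here: that a trashed
file begins with the overwrite string, and the constructed sample tree below.
"""
import os
import tempfile
from pathlib import Path

# File types the first post says the payload overwrites on the 3rd.
TARGET_EXTENSIONS = {
    ".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
    ".rar", ".pdf", ".psd", ".dmp", ".zip",
}

# The error message the first post says destroyed files are overwritten with.
OVERWRITE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def classify_scanregistry(value):
    """Classify a ScanRegistry Run-key value as quoted in lizzieb's post.

    Returns 'worm' for the worm's "scanregw.exe /scan" entry, 'legitimate'
    for Windows 98's own "scanregw.exe/autorun" entry, 'unknown' otherwise.
    Only the switches after the executable name are inspected, so a path
    prefix (with either slash style) does not confuse the check.
    """
    lowered = value.lower()
    if "scanregw.exe" not in lowered:
        return "unknown"
    switches = lowered.split("scanregw.exe", 1)[1]
    if "/autorun" in switches:
        return "legitimate"
    if "/scan" in switches:
        return "worm"
    return "unknown"


def is_overwritten(path):
    """True if the file's leading bytes are the overwrite marker (assumption:
    the payload writes the message at offset 0)."""
    with open(path, "rb") as fh:
        head = fh.read(len(OVERWRITE_MARKER))
    return head.startswith(OVERWRITE_MARKER)


def find_overwritten_files(root):
    """Walk `root` and return sorted POSIX-style relative paths of files with
    a targeted extension whose content carries the overwrite marker."""
    root = Path(root)
    hits = []
    for dirpath, _dirs, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.suffix.lower() in TARGET_EXTENSIONS and is_overwritten(p):
                hits.append(p.relative_to(root).as_posix())
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data for a stand-alone run: one trashed .doc, one
    trashed .zip in a subfolder, an intact .pdf, and a .txt that carries the
    marker but is not a targeted type (so it must not be reported)."""
    root = Path(tempfile.mkdtemp(prefix="blackworm_triage_"))
    (root / "report.doc").write_bytes(OVERWRITE_MARKER)
    (root / "intact.pdf").write_bytes(b"%PDF-1.4\n% constructed, untouched\n")
    sub = root / "archive"
    sub.mkdir()
    (sub / "old.zip").write_bytes(OVERWRITE_MARKER + b"\r\n")
    (root / "notes.txt").write_bytes(OVERWRITE_MARKER)
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    print("overwritten files:", find_overwritten_files(sample_root))
    for v in ("scanregw.exe /scan", r"C:\WINDOWS\scanregw.exe/autorun"):
        print(repr(v), "->", classify_scanregistry(v))
```

To use it on a real machine, pass the share or drive root to `find_overwritten_files` and feed the value read from the Run key to `classify_scanregistry`; the marker check only tells you which files are already destroyed, which is useful for scoping a restore from backup, not for cleaning the infection itself.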
 
Virus Guy

Snowsquall said:
One caution about the Symantec removal tool on Windows 98.
If it is run whether you have the virus/worm or not, an important
registry entry will be removed by the tool.
The worm inserts "ScanRegistry" = "scanregw.exe /scan" into the
registry but Windows 98 has a legitimate registry key
"ScanRegistry" = "C:\WINDOWS\scanregw.exe/autorun" which the
removal tool removes.

I ran the Symantec tool on my 98 system a few hours ago. It created a
.log file which says:

W32.Blackmal.E Remover 1.0.1
W32.Blackmal.E has not been found on your computer.

MSConfig currently tells me that the command "scanregw.exe /autorun"
is still alive and healthy in my registry. Maybe Remover 1.0.0 caused
the behaviour you describe.
 
Snowsquall

Virus Guy said:
I ran the Symantec tool on my 98 system a few hours ago. It created a
.log file which says:

W32.Blackmal.E Remover 1.0.1
W32.Blackmal.E has not been found on your computer.

MSConfig currently tells me that the command "scanregw.exe /autorun"
is still alive and healthy in my registry. Maybe Remover 1.0.0 caused
the behaviour you describe.

I have to admit I had a copy of the worm on my desktop.
It was *never* executed but just *ready* for my collection. Some people
keep copies of suspicious files to be scanned before using them. So when
the removal tool is run it thinks you are infected then it will delete the
said registry file.
So before you use the removal tool, remove *all* suspicious files to a
floppy or outside media then run the tool. Then no registry problems.
 
Virus Guy

Snowsquall said:
Some people keep copies of suspicious files to be scanned
before using them.

So - ok.

Please elaborate on the "before using them" part.
 
Snowsquall

Virus Guy said:
So - ok.

Please elaborate on the "before using them" part.

I was referring in general to *any* file that is downloaded whether it be a
game, an application or program from anywhere including bearshare, limewire
or whatever. A file should be kept for a week or two before running. I was
not just referring to email attachments but to everything that is downloaded
from questionable sources. As I said some people keep suspicious files in a
special folder and until they are scanned to be clean by a multiple source
such as VirusTotal then they are considered infected until proven clean.
 
Offbreed

Heather said:
Reminds me of the Michelangelo virus from years ago. I am sure most
*thinking folks* will have made sure their computer is clean.

That lets out most of my co-workers.
 
