
SANS ISC: InfoSec Handlers Diary Blog


New mass mailer spreading (Blackmal/Grew/Nyxem)

Published: 2006-01-18
Last Updated: 2006-01-18 03:15:12 UTC
by Bojan Zdrnja (Version: 1)
0 comment(s)
We got several submissions of a new mass mailer worm spreading around. Besides the usual stuff that worms do these days (disabling AV programs, scanning the local system for new e-mail addresses), this one is a bit more interesting: the attachment can be either an executable file or a MIME file that contains an executable file.

The sample we received had an attachment named Attachments00.HQX, which is actually just a uuencoded file:

begin 664 Attachments,zip                                      .SCR

You can also see the typical "insert a lot of spaces before the real extension" trick: the uuencode header declares a harmless-looking name, and the real .SCR extension is pushed far to the right so it is easily overlooked.
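As an added illustration (this is not code from the diary or from any AV vendor), the small scanner below shows how a mail gateway or incident responder could catch this combination: an attachment whose declared extension claims one type (.HQX) but whose body is a uuencode stream naming an executable, with the name padded by runs of spaces. The sample message, the "#35J0" data line (which decodes to the bytes "MZ\x90") and the extension list are constructed for the example and are not the worm's actual data.

```python
import binascii
import os
import re
from email import message_from_string

# Extensions Windows treats as directly executable (a representative subset, assumed).
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd"}

# A uuencode header is "begin <octal mode> <name>"; the name runs to end of line
# and may itself contain spaces, which is exactly what the padding trick abuses.
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (.+?)\s*$", re.MULTILINE)

# Constructed sample message modelled on the diary's description; not real worm data.
SAMPLE_MAIL = """From: sender@example.invalid
To: victim@example.invalid
Subject: Attachments
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

See attachment.
--XYZ
Content-Type: application/octet-stream; name="Attachments00.HQX"
Content-Disposition: attachment; filename="Attachments00.HQX"

begin 664 Attachments,zip                                      .SCR
#35J0
`
end
--XYZ--
"""


def inspect_uu_header(text):
    """Describe every uuencode 'begin' header found in an attachment body."""
    findings = []
    for m in UU_BEGIN.finditer(text):
        name = m.group(1)
        # Remove all whitespace so the extension hidden behind the padding is classified.
        inner_ext = os.path.splitext("".join(name.split()))[1].lower()
        # Decode the first data line and look for the DOS/PE 'MZ' magic.
        data_line = next((ln for ln in text[m.end():].splitlines() if ln.strip()), "")
        try:
            head = binascii.a2b_uu(data_line)
        except binascii.Error:
            head = b""
        findings.append({
            "uu_name": name,
            "inner_ext": inner_ext,
            "padded": re.search(r"\s{2,}", name) is not None,
            "executable": inner_ext in EXECUTABLE_EXTS,
            "mz_magic": head.startswith(b"MZ"),
        })
    return findings


def scan_message(raw):
    """Flag attachments whose declared extension hides a uuencoded executable."""
    results = []
    msg = message_from_string(raw)
    for part in msg.walk():
        if part.get_content_disposition() != "attachment":
            continue
        filename = part.get_filename() or ""
        declared_ext = os.path.splitext(filename)[1].lower()
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        for f in inspect_uu_header(body):
            f["attachment"] = filename
            f["declared_ext"] = declared_ext
            # Suspicious when the wrapper claims a harmless type but the uuencoded
            # payload is an executable, is padded with spaces, or carries MZ magic.
            f["suspicious"] = f["executable"] or f["padded"] or f["mz_magic"]
            results.append(f)
    return results


if __name__ == "__main__":
    for finding in scan_message(SAMPLE_MAIL):
        print(finding)
```

Each finding records the declared extension (.hqx), the extension actually named in the uuencode header (.scr), whether the name was padded, and whether the first decoded line starts with the MZ magic; any one of those is enough to quarantine the message for a closer look rather than trusting the .HQX label.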

Detection of the worm is decent with various AV programs, though they remain as inconsistent in naming as always (Symantec calls this worm W32.Blackmal.E@mm, Trend Micro calls it WORM_GREW.A, while Sophos calls it W32/Nyxem-D - go figure!).
Seems like we'll have to wait longer for CME.