ADVISORY - Nyxem/Blackmal/MyWife/Kama Sutra worm programmed to delete files on Windows PCs
There are reports of a new worm that is infecting Windows PCs. The worm is programmed to delete user files on February 3rd and the 3rd of each month thereafter. The actual spread of the worm is unclear at this time, but the impact on individual PCs could be quite high.
- The worm is known by a number of names including Nyxem, MyWife, Blackmal, Grew, KillAV, BlackWorm and Kama Sutra.
- The worm requires user interaction to spread. The user must open the file.
- The worm is spread primarily through e-mail attachments. It will also spread through network shares. The e-mails entice users with subject lines such as:
  - The Best Videoclip Ever
  - School girl fantasies gone bad
  - A Great Video
- The worm will attempt to disable most anti-virus products and delete them. The worm will e-mail itself using a variety of extensions and file names. It will add itself to the list of auto-start programs in your registry.
- The following file types will be overwritten by the virus on local drives: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, and ZIP.
- The worm will attempt to spread through network shares.
- The worm may disguise itself as a WinZip file. However, the file extension (.zip) is not present.
What is Information Security doing to protect my computer?
Trend AntiVirus, which detects the malware, is freely available to all faculty, staff and students at http://valdosta.edu/antivirus/. Trend AntiVirus (with up-to-date virus definitions) will often protect against threats like the ones mentioned above.
Information Technology's SOPHOS anti-spam service will block the incoming worm on campus mail servers; however, this will not protect home users or users of other mail servers.
What can I do to protect myself?
To protect yourself against malware that spreads through user interaction, remember the following:
- Keep your Anti-Virus software updated with the most current patches and virus definitions. Look for your Trend AntiVirus icon in the system tray. Hover your mouse over the icon and the Pattern should state 3.187.00 Engine 8.000 (as of 12:44 Feb. 1, 2006). If this is not the Pattern or Engine version, right-click on the icon and select "Update Now!".
- As always, exercise care when opening unexpected attachments or links.
- This particular threat masquerades as a WinZip file by displaying the WinZip file icon without the WinZip extension. Display file extensions by going to the Folder Options control panel, selecting the View tab, and deselecting "Hide extensions for known file types." Be careful about opening WinZip files you have received since January 15.
- Back up important user files before February 3rd. If you need assistance backing up files, contact your appropriate support staff.
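
One way to carry out the backup step for the file types listed above, as an added example that is not part of the original advisory. The function names, the manifest file name and the choice of destination folder are assumptions; point the destination at media you can disconnect afterwards.

```python
import hashlib
import shutil
from pathlib import Path

# File types the advisory lists as overwritten by the worm.
AT_RISK_EXTENSIONS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
                      ".rar", ".pdf", ".psd", ".dmp", ".zip"}


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large archives do not exhaust memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 20), b""):
            digest.update(chunk)
    return digest.hexdigest()


def backup_at_risk_files(source_root, backup_root) -> dict:
    """Copy at-risk files to backup_root, keeping relative paths.

    Returns {relative path: SHA-256 of the original} and writes the same
    mapping to MANIFEST.sha256 (hypothetical name) in backup_root.
    """
    source_root = Path(source_root).resolve()
    backup_root = Path(backup_root).resolve()
    manifest = {}
    for path in sorted(source_root.rglob("*")):
        if backup_root in path.parents or not path.is_file():
            continue  # never back up the backup itself
        if path.suffix.lower() not in AT_RISK_EXTENSIONS:
            continue  # extension match is case-insensitive (.DOC == .doc)
        relative = path.relative_to(source_root)
        target = backup_root / relative
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(path, target)  # copy2 keeps timestamps
        manifest[relative.as_posix()] = sha256_of(path)
    backup_root.mkdir(parents=True, exist_ok=True)
    lines = [f"{digest}  {name}\n" for name, digest in manifest.items()]
    (backup_root / "MANIFEST.sha256").write_text("".join(lines), encoding="utf-8")
    return manifest


def changed_since_backup(source_root, manifest) -> list:
    """List backed-up files that are now missing or differ from the manifest."""
    source_root = Path(source_root)
    return [name for name, digest in manifest.items()
            if not (source_root / name).is_file()
            or sha256_of(source_root / name) != digest]
```

Running `changed_since_backup` after the 3rd of the month shows which originals no longer match the copies, so only those need restoring.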
New installations of university-supplied antivirus software on campus-owned computers should be facilitated by Information Technology; contact the IT Helpdesk at helpdesk@valdosta.edu.
For more information:
You can read more about this new threat at:
http://www.us-cert.gov/current/current_activity.html#nyxemworm