WORM_NYXEM.E Virus

Can someone tell me a little about this virus? I've just picked it up from a normal looking email (not a junk/p0rn type) that was in my personal email account. My virus protection is up to date, and I am about to run a scan to make sure it's gone completely, but I would like to know how it manifests itself in case the virus hasn't been deleted completely and I start to have problems.

Comments

  • f1charlie
    From http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_NYXEM.E:

    "This worm propagates by attaching copies of itself to email messages that it sends to target addresses, using its own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, it is able to easily send the said email message even without using other mailing applications, such as Microsoft Outlook.

    It gathers email addresses from files with certain extension names or strings. Any gathered email address becomes the next target for propagation.

    It is also capable of using strings from the gathered email addresses or from the subject of email messages received by an affected user. It uses the same data mentioned above for the email message details. It includes the generated string to the subject line. The said routine gives the impression that the email message comes from a known and trusted source.

    Moreover, this worm propagates through network shares. It does the said routine by searching the network for ADMIN$ and C$ shares, where it drops a copy of itself using the file name WINZIP_TMP.EXE.

    It is also capable of dropping a copy of itself into all folders and drives on an affected system, including floppy drives. Thus, it is able to propagate via floppy disks as well.

    Upon execution, it drops and opens a non-malicious .ZIP archive named SAMPLE.ZIP in the Windows system folder in an attempt to mask its malicious routines.

    This worm deletes autostart registry entries, as well as associated files of several programs, most of which are related to security and antivirus applications. The said routines may cause referenced programs to malfunction, effectively making the affected system more vulnerable to further attacks.

    It closes application windows with names containing certain strings.

    In addition, it creates a scheduled task using Windows Task Scheduler on Windows NT, 2000, XP, and Server 2003 to execute itself on the 59th minute of every hour after it is dropped.

    This worm accesses the following Web site, which is unavailable as of this writing, to update an online counter of machines currently infected with this worm:

    http://websta{BLOCKED}.net/cgi-bin/Count.cgi?df=765247

    On the third day of every month, this worm overwrites all files with certain extension names 30 minutes after the affected system is restarted. It overwrites the said files with a certain string.

    In addition, it is capable of disabling the mouse and keyboard of an affected system. The said routine renders the machine uncontrollable to the current user."
    Charlie
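
Added example, not part of the thread or of Trend Micro's write-up: a Python sweep for the leftovers the quoted description names (WINZIP_TMP.EXE, SAMPLE.ZIP in the Windows system folder, and one executable copied into many folders). The function names, the extension list and the three-folder threshold are assumptions made for this sketch.

```python
import hashlib
import os
from collections import defaultdict

# File names come from the quoted description; the rest are assumptions.
DROPPED_NAME = "winzip_tmp.exe"        # copy dropped on ADMIN$ / C$ shares
DECOY_NAME = "sample.zip"              # decoy opened from the Windows system folder
EXEC_EXTS = (".exe", ".scr", ".pif")   # assumed set of executable extensions
MIN_DIRS = 3                           # assumed: same file in this many folders is suspect


def sha256_of(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not exhaust memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def triage(root, system_dir=None):
    """Return (named_hits, decoy_hits, mass_copies) for the tree under root."""
    named, decoys, dirs_by_hash = [], [], defaultdict(set)
    sys_norm = os.path.normcase(os.path.abspath(system_dir)) if system_dir else None
    for folder, _subdirs, files in os.walk(root):
        here = os.path.normcase(os.path.abspath(folder))
        for name in files:
            path, lower = os.path.join(folder, name), name.lower()
            if lower == DROPPED_NAME:
                named.append(path)
            if lower == DECOY_NAME and here == sys_norm:
                decoys.append(path)
            if lower.endswith(EXEC_EXTS):
                try:
                    dirs_by_hash[sha256_of(path)].add(folder)
                except OSError:
                    continue  # locked or unreadable file: skip it, keep sweeping
    # Identical executables spread over many folders match the "copy into all
    # folders and drives" behaviour, whatever name each copy carries.
    mass = {h: sorted(d) for h, d in dirs_by_hash.items() if len(d) >= MIN_DIRS}
    return sorted(named), sorted(decoys), mass


if __name__ == "__main__":
    import sys
    print(triage(sys.argv[1], sys.argv[2] if len(sys.argv) > 2 else None))
```

Hits are leads to check against the antivirus scan rather than proof of infection, since legitimate installers can also sit in several folders.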