Nyxem.e scheduled to strike on February 3rd

30 Jan 2006
Virus News

A dangerous email worm deletes data from infected machines on the 3rd of every month

Kaspersky Lab, a leading developer of secure content management solutions that protect against viruses, Trojans, worms, spyware, hacker attacks and spam, warns users against Email-Worm.Win32.Nyxem.e, which potentially poses a serious threat. This malicious program spreads via the Internet as an attachment to infected messages, and also in files placed on open network resources. It is estimated that hundreds of thousands of computers around the world are infected, and the number of infected machines is continuing to increase.

Nyxem.e's payload is triggered on the third of every month, when the worm will destroy data saved on the victim machine. The worm regularly checks the system time. When the system date is the third of the month, Nyxem will, 30 minutes after the victim machine is booted, delete information from files in common formats, replacing the data with a meaningless set of symbols.

"Internet watchdogs are confirming Kaspersky Lab statistics – that is, significant numbers of computers are infected with Nyxem.e. February 3, 2006 could turn out to be a very difficult day with unprotected users losing data and the Internet community at large suffering from heavy traffic", predicts Eugene Kaspersky, Head of Research and Development at Kaspersky Lab. "All users should avoid launching email attachments that have not been scanned. They should also update their antivirus databases and then scan their computers to make sure that their machines are Nyxem free."

The worm itself is a Windows PE EXE file, approximately 95KB in size. The file arrives attached to an email which will have one of about 25 different subjects. The message body and attachment name will also vary, being chosen from among 20 possible variants, and this makes it more difficult to instantly identify an infected message.

The worm is activated when the user opens the attachment. Once the worm has been launched, it creates a Windows ZIP archive which will have the same name as the attachment, and then opens it. When installing itself to the system, the worm copies itself to the Windows root and system directories under a range of names. It also registers itself in the system registry, ensuring that the worm will be launched each time Windows is rebooted on the victim machine.

The worm sends itself to email addresses harvested from the victim machine. In order to do this, it establishes a direct connection with the recipient's SMTP server. It also copies itself to shared network resources on the victim machine, which increases its potential reach.

The worm terminates processes connected with security solutions, and prevents them from being launched. Nyxem.e is also capable of downloading updates to itself via the Internet.

Detection for Email-Worm.Win32.Nyxem.e has been added to Kaspersky Lab antivirus database updates. More detailed information about Nyxem.e is available in the Kaspersky Virus Encyclopedia.

About Kaspersky Lab

Kaspersky Lab (www.kaspersky.com) develops, produces and distributes secure content management solutions that protect customers from IT threats. Kaspersky Lab's products protect both home users and corporate networks from viruses, spyware, adware, Trojans, worms, hackers and spam. For many years now, the company has waged a battle against malicious programs, and in doing so has gained unique knowledge and skills that have resulted in Kaspersky Lab becoming a technology leader and acknowledged expert in the development of secure content management solutions. Today, Kaspersky Lab's products protect more than 200 million users worldwide and its technology is licensed by leading security vendors globally. To find out more about Kaspersky Lab, visit www.kaspersky.com.