Attack of the Kama Sutra worm

The Kama Sutra / Nyxem.E worm was detected on 16th January 2006. The Cyberoam Unified Threat Management solution, which deploys Kaspersky as its gateway anti-virus engine, was updated and ready to face it the same day.

The worm spreads over the Internet as an attachment to infected messages, sending itself to email addresses harvested from the victim computer. The worm itself is a PE EXE file written in Visual Basic and packed with UPX; the packed file is approximately 95 KB in size and the unpacked file approximately 176 KB.

The worm checks the system date and, on the 3rd of every month, overwrites files with the following extensions:

.doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, .dmp

Data in these files is lost. The worm also disables anti-virus solutions.

Before we delve deeper into the technical details of the worm, we need to address the identity crisis the worm is subjected to.

Friday's file-destroying worm goes by many different names at different organizations. We have stuck to "Nyxem.E", rearranged from the acronym for the New York Mercantile Exchange (NYMEX), whose web site was targeted by the initial variant.

While Microsoft Corp. and McAfee Inc. named it "Mywife", Symantec Corp. and CA Inc. call it "Blackmal". Most of the media dubbed it "Kama Sutra".

Other names making the rounds include "Nyxem.D", "Kapser", "KillAV", "Grew" and "Blackworm". The official identifier is "CME-24".

Customers of one vendor's product, for instance, may believe they are protected against "Nyxem.E" when in fact that vendor uses "D". Or they may hear about "Kama Sutra" but not realise their product already protects them from "Kapser", prompting phone inquiries that overload support desks.

The confusion partly results from the speed with which worms spread and from a lack of naming conventions and coordination between anti-virus vendors.

Security researchers face many decisions in coming up with that initial name. Often a new outbreak is a variation of an existing worm, so the vendor will use the next letter in the series. However, sometimes the variation is so small that not every vendor calls it a separate version.

The U.S. Department of Homeland Security is attempting to unify naming through the Common Malware Enumeration, or CME. The larger outbreaks are assigned a random number, in this case "24", to bring the various names under a single umbrella.

But "CME-24" has been dubbed "Kama Sutra", after the Hindu love manual, because of the pornographic come-ons in the e-mails spreading it. Media outlets enthusiastically adopted "Kama Sutra", even though no major security company calls it that.

Once the system is infected, the worm creates and opens a ZIP archive in the Windows system directory. The archive has the same name as the original executable file, e.g.

%System%\Sample.zip

It also copies itself to the Windows root, system and Startup directories under the following names:

%System%\New WinZip File.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe
%System%\WINZIP_TMP.EXE
%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
%Windir%\rundll16.exe

It then registers itself in the system registry, ensuring it will be launched each time Windows is rebooted:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry"="scanregw.exe /scan"

The worm also modifies the following registry values:

[HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"WebView"="0"
"ShowSuperHidden"="0"

Setting ShowSuperHidden to 0 keeps files carrying the hidden and system attributes out of Explorer listings, and WebView=0 disables Explorer's web view pane; both make the infection harder to spot by browsing the system directory.

Once it has embedded itself in the host system, the worm harvests addresses from files with the following extensions:

dbx, eml, htm, imh, mbx, msf, msg, nws, oft, txt, vc

It also scans files whose names contain the strings "content" and "temporary". When sending infected messages the worm uses its own SMTP engine, attempting a direct connection to the recipient's SMTP server rather than going through the victim's mail client.

Infected mail may carry different subjects, but predominantly the subject refers to pornographic pictures or video clips, and it may also carry a "Re:" or "Fw:" label. Examples include "eBook.pdf", "Fw: DSC-00465.jpg", "Fw: Funny :)", "Fw: Real show" and "My photos".

The message body ranges from an explicit "****** Kama Sutra pics" to an enigmatic "What?".

The attachment extension may be ".pif", ".uu", ".UUE", ".B64", ".BHX", ".mim" or ".hqx".
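
The mail traits above are enough to write a gateway-side triage rule. The following Python is an added example, not Cyberoam's code or anything from the worm: it parses a message with the standard library `email` module and flags the attachment extensions, subjects and body texts quoted in this advisory. The two messages it builds are constructed for the example (the addresses, the attachment name photo.pif, its byte content and the benign notes.txt are made up); the keyword lists are the ones listed above.

```python
"""Triage an inbound message against the Nyxem.E mail traits in the advisory.

Added example, not Cyberoam or worm code. Both sample messages are constructed.
"""
import email
import os
from email import policy
from email.message import EmailMessage

# Attachment extensions the worm uses (from the advisory), lower-cased.
WORM_ATTACHMENT_EXTS = {".pif", ".uu", ".uue", ".b64", ".bhx", ".mim", ".hqx"}

# Subjects and body texts quoted in the advisory, lower-cased for comparison.
LURE_SUBJECTS = {"ebook.pdf", "fw: dsc-00465.jpg", "fw: funny :)",
                 "fw: real show", "my photos"}
LURE_BODY_EXACT = {"what?"}
LURE_BODY_KEYWORDS = ("kama sutra",)


def attachment_names(msg):
    """Filenames of every non-multipart part that carries one."""
    return [part.get_filename() for part in msg.walk()
            if part.get_content_maintype() != "multipart" and part.get_filename()]


def classify_message(raw):
    """Return the reasons a raw RFC 5322 message looks like Nyxem.E; [] if none."""
    msg = email.message_from_string(raw, policy=policy.default)
    reasons = []

    subject = str(msg["subject"] or "").strip().lower()
    if subject in LURE_SUBJECTS:
        reasons.append(f"subject matches a known lure: {subject!r}")

    # get_body() skips parts marked as attachments, so this is the real text.
    body_part = msg.get_body(preferencelist=("plain",))
    body = body_part.get_content().strip().lower() if body_part is not None else ""
    if body in LURE_BODY_EXACT or any(k in body for k in LURE_BODY_KEYWORDS):
        reasons.append(f"body matches a known lure: {body[:40]!r}")

    for name in attachment_names(msg):
        ext = os.path.splitext(name)[1].lower()   # catches pic.jpg.pif as well
        if ext in WORM_ATTACHMENT_EXTS:
            reasons.append(f"attachment {name!r} uses worm extension {ext}")
    return reasons


def sample_infected_message():
    """Constructed message shaped like the advisory's description."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "victim@example.org"
    m["Subject"] = "Fw: Funny :)"
    m.set_content("What?")
    # Constructed payload bytes; a real sample would be the 95 KB UPX-packed PE.
    m.add_attachment(b"MZ\x90\x00", maintype="application",
                     subtype="octet-stream", filename="photo.pif")
    return m.as_string()


def sample_clean_message():
    """Constructed benign message with an ordinary attachment."""
    m = EmailMessage()
    m["From"] = "colleague@example.com"
    m["To"] = "you@example.org"
    m["Subject"] = "Meeting notes"
    m.set_content("Notes from today's meeting are attached.")
    m.add_attachment("notes", filename="notes.txt")
    return m.as_string()


if __name__ == "__main__":
    for raw in (sample_infected_message(), sample_clean_message()):
        print(classify_message(raw) or ["clean"])
```

Extension and subject matching is only a first filter: the worm is a PE executable whatever the attachment is called, so a gateway should also inspect the decoded attachment (the UPX-packed PE the advisory describes) rather than trust the name, and quarantine rather than merely log a hit.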

The worm copies itself to the following network shares as Winzip_TMP.exe:

ADMIN$
C$

The worm detects anti-virus software installed on the host and deletes it. It targets AVG, Kaspersky, McAfee, Norton AntiVirus, PC-cillin and Trend Micro products, as well as Download Accelerator, and it also modifies registry values on the victim machine.

All of this leaves the victim machine more vulnerable to subsequent attacks.

It may also download updates to itself from the Internet, without the knowledge or consent of the user.

It will also block the mouse and the keyboard.

On the 3rd of each month, 30 minutes after the victim computer is rebooted, the worm overwrites files with the following extensions:

.doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, .dmp

Files corrupted by the worm contain the following text:

DATA Error [47 0F 94 93 F4 F5]
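
After a 3rd-of-the-month trigger, the first question for a responder is which documents were destroyed and must be restored from backup. The Python scanner below is an added example, not part of the advisory or Cyberoam's tooling: it walks a directory tree and reports files of the targeted types whose content begins with the marker string quoted above. The sample tree it creates under a temporary directory is constructed for the example.

```python
"""Find documents destroyed by Nyxem.E's 3rd-of-the-month payload.

Added example, not Cyberoam code. The sample tree built by demo() is constructed.
"""
import os
import tempfile

# Extensions the worm overwrites (from the advisory), lower-cased.
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}

# Text the worm writes into each victim file (quoted in the advisory).
MARKER = b"DATA Error [47 0F 94 93 F4 F5]"


def is_overwritten(path):
    """True if the file begins with the worm's marker. Only the leading bytes are
    compared, so a file with trailing bytes after the marker is still caught;
    no legitimate document of the targeted types starts with this string."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(MARKER)) == MARKER
    except OSError:
        return False


def scan_tree(root, exts=TARGET_EXTS):
    """Walk root and return sorted paths of targeted files carrying the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in exts:
                full = os.path.join(dirpath, name)
                if is_overwritten(full):
                    hits.append(full)
    return sorted(hits)


def build_sample_tree(root):
    """Plant constructed files under root: two destroyed, one intact, and one
    marker-bearing file of a type the worm does not target. Returns the
    paths the scanner should report."""
    docs = os.path.join(root, "docs")
    os.makedirs(docs, exist_ok=True)
    samples = {
        "report.doc": MARKER,                       # destroyed
        "budget.XLS": MARKER + b"\r\n",             # destroyed, upper-case ext
        "intact.pdf": b"%PDF-1.4\n% constructed",   # untouched document
        "notes.txt": MARKER,                        # not a targeted type
    }
    for name, data in samples.items():
        with open(os.path.join(docs, name), "wb") as fh:
            fh.write(data)
    return sorted(os.path.join(docs, n) for n in ("report.doc", "budget.XLS"))


def demo():
    """Run the scanner over a temporary constructed tree; returns (hits_match, count)."""
    with tempfile.TemporaryDirectory() as tmp:
        expected = build_sample_tree(tmp)
        hits = scan_tree(tmp)
        return hits == expected, len(hits)


if __name__ == "__main__":
    print(demo())
```

Point scan_tree() at a user's profile or a file share to get the list of files to restore; a hit is proof of data loss, since the original content is gone, so the output is a restore list rather than something to repair in place.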

To remove the worm manually:

1. Reboot your computer in Safe Mode: press and hold F8 while the machine is rebooting and choose Safe Mode from the menu when it appears.

2. In Task Manager, terminate processes with the following names:

   rundll16.exe
   scanregw.exe
   Update.exe
   Winzip.exe
   WINZIP_TMP.EXE
   New WinZip File.exe
   WinZip Quick Pick.exe

3. Manually delete the following files from the Windows root and system directories and from the Startup folder:

   %Windir%\rundll16.exe
   %System%\scanregw.exe
   %System%\Update.exe
   %System%\Winzip.exe
   %System%\WINZIP_TMP.EXE
   %System%\New WinZip File.exe
   %User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe

4. Delete the following value from the system registry:

   [HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
   "ScanRegistry"="scanregw.exe /scan"

5. Reboot your computer and check that you have deleted all infected messages from all mail folders.

6. If any applications have been damaged (in most cases this will be anti-virus solutions and firewall programs), you will need to re-install them.
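
Steps 2 to 4 above, together with the file copies and the Run value listed earlier in this advisory, can be scripted so that a fleet of machines is cleaned consistently. The Python below is an added example, not Cyberoam's tooling: it kills the worm's processes with tasklist/taskkill, deletes the copies named in the advisory, and removes the ScanRegistry Run value through the standard library winreg module. The process and registry steps only run on Windows; default_locations() assumes the Vista-and-later Startup folder under %APPDATA% (on XP the %User Profile% path shown above applies), and the directories used by demo() are constructed stand-ins for %System%, %Windir% and Startup. Run it from Safe Mode as step 1 says, with dry_run=True first to review the plan.

```python
"""Check a host for the Nyxem.E persistence artifacts and remove them.
Added example, not Cyberoam tooling. Names and the Run value are the ones the
advisory lists. Registry access needs winreg and so only runs on Windows; the
filesystem logic is portable so demo() works anywhere on constructed directories.
"""
import os
import subprocess
import tempfile

try:
    import winreg        # Windows only
except ImportError:      # elsewhere the registry steps are skipped
    winreg = None

SYSTEM_FILES = ["New WinZip File.exe", "scanregw.exe", "Update.exe",
                "Winzip.exe", "WINZIP_TMP.EXE"]
WINDIR_FILES = ["rundll16.exe"]
STARTUP_FILES = ["WinZip Quick Pick.exe"]
PROCESSES = SYSTEM_FILES + WINDIR_FILES + STARTUP_FILES
RUN_KEY = r"Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE = "ScanRegistry"

def default_locations():
    """%System%, %Windir% and Startup from the environment. Assumption: the
    Vista-and-later Startup path under %APPDATA%; XP uses the %User Profile% path."""
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    startup = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")
    return {"system": os.path.join(windir, "System32"), "windir": windir,
            "startup": startup}

def find_file_artifacts(loc):
    """Worm copies from the advisory's list that exist under the given directories."""
    candidates = ([os.path.join(loc["system"], n) for n in SYSTEM_FILES]
                  + [os.path.join(loc["windir"], n) for n in WINDIR_FILES]
                  + [os.path.join(loc["startup"], n) for n in STARTUP_FILES])
    return [p for p in candidates if os.path.isfile(p)]

def running_worm_processes():
    """Names from PROCESSES that appear in `tasklist /FO CSV` output (Windows only)."""
    if os.name != "nt":
        return []
    out = subprocess.run(["tasklist", "/FO", "CSV", "/NH"],
                         capture_output=True, text=True).stdout
    running = {line.split('","')[0].strip('"').lower()
               for line in out.splitlines() if line.startswith('"')}
    return [n for n in PROCESSES if n.lower() in running]

def run_value_present():
    """True if HKLM\\...\\Run\\ScanRegistry points at scanregw.exe; None off Windows."""
    if winreg is None:
        return None
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY) as key:
            value, _kind = winreg.QueryValueEx(key, RUN_VALUE)
        return "scanregw.exe" in str(value).lower()
    except OSError:
        return False

def clean_host(loc, dry_run=True, files_only=False):
    """Steps 2 to 4 of the manual procedure. Returns the (action, target) list
    taken, or only planned when dry_run is set. files_only skips the process and
    registry steps, which act on the real host rather than on loc."""
    actions = []
    if not files_only:
        for name in running_worm_processes():
            actions.append(("kill", name))
            if not dry_run:
                subprocess.run(["taskkill", "/F", "/IM", name], capture_output=True)
    for path in find_file_artifacts(loc):
        actions.append(("delete", path))
        if not dry_run:
            os.remove(path)
    if not files_only and run_value_present():
        actions.append(("regdel", "HKLM\\" + RUN_KEY + "\\" + RUN_VALUE))
        if not dry_run:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, RUN_KEY, 0,
                                winreg.KEY_SET_VALUE) as key:
                winreg.DeleteValue(key, RUN_VALUE)
    return actions

def demo():
    """Dry run, then real run, over constructed stand-ins for %System%, %Windir%
    and Startup. Returns (plan_matches, untouched_by_dry_run, removed_by_real_run)."""
    with tempfile.TemporaryDirectory() as tmp:
        loc = {k: os.path.join(tmp, k) for k in ("system", "windir", "startup")}
        for d in loc.values():
            os.makedirs(d)
        planted = [os.path.join(loc["system"], "scanregw.exe"),
                   os.path.join(loc["windir"], "rundll16.exe"),
                   os.path.join(loc["startup"], "WinZip Quick Pick.exe")]
        for p in planted:
            open(p, "wb").close()
        plan = [t for kind, t in clean_host(loc, dry_run=True, files_only=True)
                if kind == "delete"]
        untouched = all(os.path.isfile(p) for p in planted)
        clean_host(loc, dry_run=False, files_only=True)
        removed = not any(os.path.isfile(p) for p in planted)
        return sorted(plan) == sorted(planted), untouched, removed

if __name__ == "__main__":
    print(clean_host(default_locations(), dry_run=True))
```

Steps 5 and 6 stay manual: reboot, purge the infected mail, and reinstall any anti-virus or firewall product the worm removed. The script only handles the artifacts the advisory names; an updated variant that drops files under other names would need its list extended.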