[W126 Coupe] Serious computer virus threat!! Please Forward!! -RPH,
Faster Computers, Lake Charles, La.
Richard Hogarth
R_Hogarth at Foundrycove.com
Fri Jan 27 11:24:29 EST 2006
"Once the worm's UPDATE.EXE file is run, it destroys all Microsoft Word,
Microsoft Excel, PowerPoint, PDF, ZIP and PSD files on all available
drives."
"It's a rather destructive payload. You're looking at probably several
hundred thousand users that would have data loss, and pretty serious data
loss at that," said Alex Eckelberry, president of anti-virus vendor Sunbelt
Software.
Urgent Alert Raised for 'Blackworm' D-Day
January 24, 2006
By Ryan Naraine <ryan_naraine at ziffdavis.com>
A high-powered group of security volunteers is raising an "urgent alert"
for a potentially destructive e-mail worm crawling through inboxes, warning
that the worm's payload is capable of completely destroying important
documents on an infected machine.
The worm, which uses the lure of sexually explicit Kama Sutra photographs to
trick e-mail users into executing an attachment, is programmed to deliver
the destructive payload on the third day of every month.
With a D-Day of Feb. 3 fast approaching, members of the MWP (Malicious Web
sites and Phishing) research and operational mailing list have set up a task
force to track the threat and help ISPs identify infected users in their
net-space.
Gadi Evron, CERT manager in Israel's ministry of finance, is coordinating an
industry-wide effort to get businesses and consumers to update anti-virus
definitions to help thwart the continued spread of the worm.
"This risk may turn out to be nothing and whatever happens, the Internet is
NOT going to die ... However effective or ineffective this may be, we urge
users to update their anti-virus [signatures] as soon as possible and scan
their computers and/or networks," Evron said in a call-to-arms message
posted on the SecuriTeam site
(<http://blogs.securiteam.com/index.php/archives/241>).
At 5:00 p.m. on Jan 24, more than 700,000 computers had already been
infected by the worm, according to a stats counter used by the worm author.
Finnish anti-virus vendor F-Secure said the worm accounts for more than 17
percent of all virus infections in the last 24 hours.
Adding to the confusion is the fact that anti-virus vendors are all using
different names to identify the worm. In addition to Kama Sutra, the worm
has been named Blackworm, Blackmal, MyWife and Nyxem.
According to F-Secure virus researcher Alexey Podrezov, the mass-mailing
worm also tries to spread using remote shares. Once a machine gets infected,
the worm completely disables anti-virus and other security software before
delivering a payload that destroys certain file types.
Once the worm's UPDATE.EXE file is run, it destroys all Microsoft Word,
Microsoft Excel, PowerPoint, PDF, ZIP and PSD files on all available drives.
"It's a rather destructive payload. You're looking at probably several
hundred thousand users that would have data loss, and pretty serious data
loss at that," said Alex Eckelberry, president of anti-virus vendor Sunbelt
Software.
In an interview with eWEEK, Eckelberry said the post-infection clean-up is
made difficult because of the way the worm disables all anti-virus programs.
"When it destroys the data, there's no going to the recycle bin to get it
back. It destructively destroys the data," Eckelberry stressed.
The LURHQ Threat Intelligence Group has released Snort signatures to help
enterprises detect infected users in a net-space
(<http://www.lurhq.com/blackworm.html>).
In addition, LURHQ recommends that executables and unknown file types be
blocked at the e-mail gateway to prevent the worm from entering a network.
The attachments sent by the worm may contain the following extensions: pif,
scr, mim, uue, hqx, bhx, b64, and uu.
"At this time we have seen almost no infections across our customer base
using our IDS platform and these signatures. Networks which utilize
up-to-date desktop anti-virus on all machines should experience no problems.
However, the worm does attempt to disable AV and security software, so
advising users to test their AV may also be in order. If the AV refuses to
run, it may be an indication of infection by this or another worm,"
according to the LURHQ advisory.
"It is important to note that although the worm enters a network as an
e-mail attachment, once a machine is infected, it will attempt to copy
itself to open MS network C or Admin shares as WINZIP_TMP.exe, so machines
without e-mail access could still be affected.
"If you have any of these shares open on your network, searching for this
file name on the shares is a good way to tell if anyone has been infected,"
the advisory said.
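As an added example (not code from the article or from LURHQ), here is a small Python implementation of the two checks the advisory recommends: a gateway attachment filter built on the extension list quoted above, and a hunt for the worm's WINZIP_TMP.exe copy across a mounted share tree. The extra "exe" entry, the sample attachment batch and the temporary share tree are constructed assumptions.

```python
import tempfile
from pathlib import Path

# Extensions LURHQ lists for the worm's attachments (from the advisory quoted
# above), plus plain executables, which the advisory also says to block.
WORM_ATTACHMENT_EXTS = {"pif", "scr", "mim", "uue", "hqx", "bhx", "b64", "uu"}
EXECUTABLE_EXTS = {"exe"}  # assumption: minimal set, extend to local policy
BLOCKED_EXTS = WORM_ATTACHMENT_EXTS | EXECUTABLE_EXTS

# File name the worm uses when copying itself to open C$/ADMIN$ shares.
SHARE_DROP_NAME = "winzip_tmp.exe"


def should_block(filename: str) -> bool:
    """Gateway check: block if any dotted suffix of the name is a risky type.

    Every suffix is checked (not just the last one) so double-extension lures
    such as 'photo.jpg.scr' are caught, and the comparison is case-insensitive
    because Windows treats 'UPDATE.EXE' and 'update.exe' alike.
    """
    parts = filename.lower().rsplit("/", 1)[-1].split(".")
    return any(ext in BLOCKED_EXTS for ext in parts[1:])


def filter_attachments(names):
    """Return (blocked, allowed) lists for a batch of attachment names."""
    blocked = [n for n in names if should_block(n)]
    allowed = [n for n in names if not should_block(n)]
    return blocked, allowed


def find_share_copies(root):
    """Hunt for the worm's share copy under a mounted share or local root."""
    return sorted(
        str(p) for p in Path(root).rglob("*")
        if p.is_file() and p.name.lower() == SHARE_DROP_NAME
    )


def demo():
    # Constructed sample: one mailbox batch and a fake share tree in a temp dir.
    batch = ["report.doc", "Kama_Sutra.pif", "photo.jpg.SCR",
             "notes.txt.uue", "archive.zip"]
    blocked, allowed = filter_attachments(batch)
    with tempfile.TemporaryDirectory() as share:
        (Path(share) / "docs").mkdir()
        (Path(share) / "docs" / "budget.xls").write_bytes(b"x")
        (Path(share) / "WINZIP_TMP.EXE").write_bytes(b"x")
        hits = find_share_copies(share)
    return blocked, allowed, len(hits)
```

Running find_share_copies against a UNC path or a mounted share root is the "search for this file name on the shares" step the advisory describes.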
Copyright (c) 2006 Ziff Davis Media Inc. All Rights Reserved.