Place of Origin: Asia?
Source Language: Visual Basic
File Type(s): .exe, .scr
Infection Length: 76,060 bytes
Blackworm (also known as Nyxem, Blackmal, Mywife, Tearec, Kama Sutra and Grew) is a destructive family of worms. It was considered an "old-school" worm both because it had no visible payload other than trashing the computer it infected, and because it (or rather its last variant) was one of the later worms to spread by e-mail, at a time when the email worm was going the way of the boot sector virus. While the original variant of the worm and most subsequent variants date from 2004, Blackworm.E, the most prominent variant, was one of the main "stars" of 2006, while the ones from 2004 made little impact.
Blackworm arrives in an email promising a pornographic movie, picture(s) or link, or sometimes a virus alert. The body of the email and the attachment name also promise pornography or a virus alert. Often the attachment has a false extension, usually .MPEG followed by a long run of underscores and then the real .scr extension, so that on most configurations the user may see only the .MPEG extension. The attachment may also have an extension of .zip, .exe or .tgz.
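As an added example (not part of the original page), the following mail-gateway style check flags attachment names that use the padded double-extension trick described above: a decoy extension such as .MPEG, a run of underscores or spaces, and then the real .scr or .exe. The sample names are constructed for illustration.

```python
import os
import re

# Extensions the worm used for the real executable payload (from the page).
EXECUTABLE_EXTS = {".scr", ".exe"}

# decoy extension + at least three underscores/spaces + real extension at the end,
# e.g. "Clip.MPEG__________.scr" (the run of padding pushes .scr out of view).
DISGUISE_RE = re.compile(
    r"^(?P<stem>.+?)(?P<decoy>\.[A-Za-z0-9]{1,5})(?P<pad>[_ ]{3,})(?P<real>\.[A-Za-z0-9]{1,4})$"
)


def analyse_attachment_name(name: str) -> dict:
    """Report what the user likely sees versus what actually executes."""
    m = DISGUISE_RE.match(name)
    if m:
        real = m.group("real").lower()
        return {
            "displayed_ext": m.group("decoy").lower(),
            "real_ext": real,
            "padding": len(m.group("pad")),
            "suspicious": real in EXECUTABLE_EXTS,
        }
    # No padding trick: the last extension is the one that counts.
    real = os.path.splitext(name)[1].lower()
    return {"displayed_ext": real, "real_ext": real, "padding": 0,
            "suspicious": real in EXECUTABLE_EXTS}


def scan_names(names) -> list:
    """Return the attachment names that should be held for review."""
    return [n for n in names if analyse_attachment_name(n)["suspicious"]]


# Constructed sample attachment names (not taken from real mail).
SAMPLE_NAMES = [
    "Kama Sutra Clip.MPEG__________.scr",  # padded double extension, 10 underscores
    "holiday.mpeg",                         # genuine media file name
    "Attachments.zip",                      # archive, not executable by name
    "virus_alert.exe",                      # plainly executable
]

if __name__ == "__main__":
    for name in SAMPLE_NAMES:
        print(name, analyse_attachment_name(name))
```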
When the attachment is executed, the worm creates a folder named TEMPORARY in the Windows directory and sets its attributes to hidden. It copies itself under a random name to this folder as well as to the system folder. The worm then drops the file Media.Temp.Mpeg in the temporary folder (the one actually belonging to Windows, not the one it has created) and attempts to run Windows Media Player to play it. It also drops the files OSSMTP.dll and oswinsck.dll, which are non-malicious.
Blackworm modifies the local machine run keys in a few different ways. Under both the Run and RunServices keys it creates a subkey named after the copy of itself it dropped in the system folder, and sets the path to that copy as the subkey's value. It also sets the path to the copy in its hidden TEMPORARY folder as the default value of the Run and RunServices keys. This ensures the worm will run before the user logs in. It further modifies the local machine and current user Run and RunServices keys by deleting values related to several antivirus products, making it likely that no antivirus will be running on the system. It then deletes all files in folders related to antivirus programs in the Program Files folder, including:
- Norton AntiVirus
- McAfee\McAfee VirusScan\Vso
- Trend Micro\PC-cillin 2002
- Trend Micro\PC-cillin 2003
- Trend Micro\Internet Security
Blackworm then harvests email addresses from MSN Messenger and Yahoo Pager, along with those in files with the extensions .htm and .dbx. It attempts to find the SMTP server address of the machine; if it cannot, it uses one of the addresses hard-coded into the worm. Blackworm sends itself to all of the harvested addresses.
It contains the following text, visible when the worm file is opened in a text or binary editor:
microsoft do u hear me? we gon kick u ass an *** u down u got my word **Black Worm**
Blackworm produced only a few variants, most of which appeared in 2004. None of those, not even the original, had any significant impact. However, Blackworm.E, which first appeared on January 17, 2006, topped several virus charts for most of the year.
The icon for the Blackworm.E attachment looks like that of a .zip file. Blackworm.E copies itself as the file rundll16.exe in the Windows folder, and as scanregw.exe, Update.exe and Winzip.exe in the system folder. It harvests email addresses by searching the Internet Explorer cache for files with the extensions .HTM, .DBX, .EML, .MSG, .OFT, .NWS, .VCF, .MBX, .IMH, .TXT and .MSF. It avoids mailing a copy of itself to antivirus companies and Microsoft by skipping email addresses that contain their names. It also avoids Hotmail, Hotpop and Yahoogroups.
Blackworm.E also spreads through network shares. It attempts to borrow the name of an existing file for its copy by looking in the folders referenced by the "Recent" and "Personal" entries of the Shell Folders registry key. If it finds those folders, it takes the name of a random file from one of them, appends .exe to it and copies itself under that name to the network share. If it fails to find a folder or a file, it uses New WinZip File.exe, Zipped Files.exe or movies.exe as the file name. Blackworm.E may also try to copy itself under the name WINZIP_TMP.exe to the root of the target network share drive, or to the Administrator's folder on that drive. It may also copy itself to the startup folder on that drive under the name WinZip Quick Pick.exe, and it deletes the file WinZip Quick Pick.lnk if it finds it there.
The worm may use an ActiveX control to modify Active Desktop files and launch another copy of itself under the name WinZip_Tmp.exe. It also, for some unknown reason, adds several license keys to the Registry. The worm also opens the page of a web counter that tallies the number of infections.
Blackworm.E also attempts to disable several popular antivirus products, including Norton, Avast!, McAfee, PC-Cillin, Panda and Kaspersky. It attacks file sharing programs including Bearshare, Limewire and Morpheus in the same way. The worm deletes the startup registry keys of these programs, then deletes some of their files found in their respective subdirectories under Program Files. It then checks the registry again for certain keys associated with antivirus programs and deletes the files they point to. It also closes the windows of any application whose caption contains the strings SYMANTEC, SCAN, KASPERSKY, VIRUS, MCAFEE, TREND MICRO, NORTON, REMOVAL or FIX.
Update.exe checks the date when it is executed. If it is the 3rd of any month, the worm destroys files with the following extensions: .doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, .dmp. Their contents are replaced with the text string "DATA Error [47 0F 94 93 F4 K5]". It waits 30 minutes after Update.exe is executed (usually right after the user logs in), then enumerates all drives and destroys these files. It may attempt to destroy files of these types on networked drives as well, but due to some bugs this may fail on some configurations.
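As an added incident-response example (not part of the original page), this script walks a directory tree and separates files of the targeted extensions whose contents have been replaced with the "DATA Error" string from files that still carry real content. The heuristic that a destroyed file begins with the marker is an assumption; the sample tree is constructed in a temporary directory.

```python
import tempfile
from pathlib import Path

# Wipe marker and targeted extensions as described for Blackworm.E (from the page).
WIPE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_wiped(data: bytes) -> bool:
    """Assumption: a destroyed file starts with the marker; genuine Office, ZIP
    and PDF files start with their own magic bytes, never with this text."""
    return data.startswith(WIPE_MARKER)


def triage_tree(root: str) -> dict:
    """Classify every targeted-extension file under root as wiped or intact.
    Paths are returned relative to root, sorted, with forward slashes."""
    result = {"wiped": [], "intact": []}
    for path in Path(root).rglob("*"):
        if not path.is_file() or path.suffix.lower() not in TARGET_EXTS:
            continue
        with open(path, "rb") as fh:
            head = fh.read(len(WIPE_MARKER))  # only the header is needed
        bucket = "wiped" if is_wiped(head) else "intact"
        result[bucket].append(path.relative_to(root).as_posix())
    for bucket in result:
        result[bucket].sort()
    return result


def demo() -> dict:
    """Build a constructed sample tree (not real victim data) and triage it."""
    samples = {
        "Budget.xls": WIPE_MARKER,                       # destroyed
        "docs/Report.doc": WIPE_MARKER,                  # destroyed, in a subfolder
        "docs/Notes.DOC": b"\xd0\xcf\x11\xe0 ole header", # intact (extension case varies)
        "Archive.zip": b"PK\x03\x04 zip header",         # intact
        "readme.txt": WIPE_MARKER,                       # not a targeted extension, ignored
    }
    with tempfile.TemporaryDirectory() as tmp:
        for rel, data in samples.items():
            p = Path(tmp) / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
        return triage_tree(tmp)


if __name__ == "__main__":
    print(demo())
```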
Blackworm was the name given by the creator, as is indicated by the text inside. Due to disagreement between antivirus vendors on the name, it is also known by the names Nyxem, Blackmal, Mywife, Tearec, Kama Sutra, Grew and CME 24. One vice president of a division in the firm ScanSafe said this naming confusion became a problem for some users. An organisation known as "Common Malware Enumeration", whose stated goal is to reduce confusion with virus and worm names, has existed since 2005, and naming standards have existed since the CARO naming scheme was adopted in 1991, but no one seems to have paid attention.
Near the end of January 2006, Blackworm.E had infected over 300,000 systems all over the world. By the first time it was due to deliver its payload, it had infected 600,000. 90,000 of those were in the US, and of those a single company accounted for 75,000 infections. The US, India and Peru accounted for the most infections.
By late 2006, mass-mailer worms as a whole were in decline, as trojans and botnets allowed for more effective attacks. Blackmal.E was an anomaly in this respect. Trojan horses and IRC-controlled bots allow the cracker to target a particular system, rather than getting an uncertain number of random ones and having to count on the user's stupidity for it to spread. Blackworm.E, however, was clearly intended for little more than sabotage, so a mass-mailing worm was perfect for this purpose.
Symantec, W32.Blackmal@mm. 2004.03.23
F-Secure Antivirus, Email-Worm:W32/Nyxem.E
Rodney Andres. Symantec, W32.Blackmal.E@mm. 2007.02.17
John Leyden. The Register, Kama Sutra worm crashes malware chart. 2006.02.01
John Leyden. The Register, Kama Sutra wipeout. 2006.01.27
John Leyden. The Register, Virus-infected email hits rock bottom. 2006.10.02
Robert Lemos. The Register, SecurityFocus, Virus names likely a lost cause. 2006.03.11
Robert Lemos. SecurityFocus, Blackmal virus set to delete files. 2006.02.01
Common Malware Enumeration, About CME.