
Virus Name: I-Worm.Blackmal.F@mm

Aliases: Kama Sutra Worm, W32.Blackmal.E@mm, Win32.Blackmal.F, Win32/Blackmal.F, Win32/Blackmal.F!CME24, Win32/Blackmal.F!Worm, Win32/Mywife.E@mm, W32/MyWife.d@MM, W32/MyWife.d@MM!M24, W32/Nyxem-D, W32/Nyxem.E, Email-Worm.Win32.Nyxem.e, WORM_GREW.A, WORM_GREW.B, W32/Small.Kl@mm, CME-24, Win32/Cabinet!Worm

 

The Kama Sutra Worm, as it is commonly called, or the Blackmal Worm, as it is more properly known, is a worm that spreads via both e-mail and network shares. It is written in Visual Basic and compiled as p-code, and it disables both the mouse and keyboard to aid infection.

It first copies itself to the Windows directory under one of several names, including WINZIP_TMP.EXE, Rundll16.exe and scanregw.exe, then modifies the registry both to run scanregw at start-up and to hide itself. It then drops the DLL file MSWINSCK.OCK into the System directory and schedules itself to run at the first 59th minute of the hour after it was first executed. For example, if Blackmal first ran at 1820 hours (6:20 pm), it would run again at 1859 hours (6:59 pm).

Blackmal.F harvests e-mail addresses from files with .htm, .dbx, .eml, .msg, .oft, .nws, .vcf, .mbx, .imh, .txt or .msf extensions and mails copies of itself using its own SMTP engine. It varies the subject line, body text and attachment name to avoid detection, but almost all attachments end in .pif. The Kama Sutra Worm will not send copies of itself to addresses that look like computer-security contacts, and it tries to stop anti-virus programs from running at start-up. It also tries to remove their signature files and the like.

This worm hides behind WinZip's icon and may freeze some systems because of its buggy code. Other names for Blackmal or Kama Sutra are Nyxem and MyWife. On the third day of each month, the Blackmal.F worm overwrites any files on the hard drive with .zip, .rar, .doc, .xls, .pdf, .ppt, .pps, .psd, .mdb, .mde or .dmp extensions with the text "DATA Error", and it connects to webstats.web.ren.net, which hosts a counter used to track the number of infected computers.
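A small host-triage helper, added here as an example (it is not code from the original page or from any vendor), that turns the indicators described above into checks a responder can run over a file inventory and Run-key listing: the dropped file names, the scanregw start-up entry, the :59 trigger time and the third-of-the-month payload. The directory paths, value names and sample inventory are constructed assumptions.

```python
import ntpath
# Indicators from the description above; the directory paths are assumptions.
WINDOWS_DIR = r"C:\Windows"
SYSTEM_DIR = r"C:\Windows\System"
DROPPED_IN_WINDOWS_DIR = {"winzip_tmp.exe", "rundll16.exe", "scanregw.exe"}
DROPPED_IN_SYSTEM_DIR = {"mswinsck.ock"}
PAYLOAD_EXTENSIONS = {".zip", ".rar", ".doc", ".xls", ".pdf", ".ppt", ".pps", ".psd", ".mdb", ".mde", ".dmp"}
PAYLOAD_DAY = 3  # the file-overwriting payload fires on the third of each month

# Constructed sample host inventory (not taken from a real infection).
SAMPLE_FILES = [
    r"C:\Windows\scanregw.exe",
    r"C:\Windows\notepad.exe",
    r"C:\Windows\System\MSWINSCK.OCK",
    r"C:\Users\alice\report.doc",
]
SAMPLE_RUN_VALUES = {  # constructed Run-key value name -> command line
    "ScanRegistry": r"C:\Windows\scanregw.exe /scan",
    "Updater": r"C:\Program Files\Vendor\update.exe",
}

def first_payload_run(hhmm: str) -> str:
    """Map '1820' to the first HH:59 after it ('1859'); :59 exactly rolls to the next hour (assumption)."""
    hour, minute = int(hhmm[:2]), int(hhmm[2:])
    if minute >= 59:
        hour = (hour + 1) % 24
    return f"{hour:02d}59"

def suspicious_files(paths, windows_dir=WINDOWS_DIR, system_dir=SYSTEM_DIR):
    """Return paths whose name and location match the dropped files described."""
    hits = []
    for path in paths:
        directory, name = (part.lower() for part in ntpath.split(path))
        if directory == windows_dir.lower() and name in DROPPED_IN_WINDOWS_DIR:
            hits.append(path)
        elif directory == system_dir.lower() and name in DROPPED_IN_SYSTEM_DIR:
            hits.append(path)
    return hits

def suspicious_run_values(run_values):
    """Flag Run-key values that launch scanregw, the start-up entry described.
    A legitimate Windows binary shares that name, so verify the file before acting."""
    return [name for name, cmd in run_values.items() if "scanregw" in cmd.lower()]

def files_at_risk(paths, day_of_month):
    """On the payload day, list files with the extensions the worm overwrites."""
    if day_of_month != PAYLOAD_DAY:
        return []
    return [p for p in paths if ntpath.splitext(p)[1].lower() in PAYLOAD_EXTENSIONS]
```

Feed it a real directory listing and an exported Run key to get a first list of leads; each hit still needs the binary itself examined.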


Copyright (c) 2006, 2008  A. Ryan Robbins.  All Rights Reserved.
