WORM_NYXEM


 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003

  • Threat Type: Worm

  • Destructiveness: No

  • In the wild: Yes

  OVERVIEW

Infection Channel:

Spammed via email; propagates via network shares

NYXEM is a family of memory-resident worms that propagates by sending copies of itself as attachments to email messages, which it delivers to target addresses using its own Simple Mail Transfer Protocol (SMTP) engine. It also spreads via network shares: it searches the network for certain shares and drops a copy of itself into each one it finds.

NYXEM, also known as BlackWorm, terminates processes and deletes files and registry entries related to security and antivirus applications. It also deletes their installation folders and closes their windows. These routines may cause the affected programs to malfunction, leaving the infected system more vulnerable to other malicious routines.

Certain variants of NYXEM are activated on the 3rd of every month. This malware family is capable of disabling the mouse and keyboard.

  TECHNICAL DETAILS

Memory Resident:

Yes

Installation

This worm drops the following copies of itself into the affected system:

  • %System Root%\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe
  • %System Root%\WINZIP_TMP.exe
  • %System%\Update.exe
  • %System%\Winzip.exe
  • %System%\scanregw.exe
  • %Windows%\Rundll16.exe
  • %Windows%\WINZIP_TMP.exe
  • \Admin$\WINZIP_TMP.exe
  • \c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe
  • \c$\WINZIP_TMP.exe
  • %Program Files%\WinZip_Tmp.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located. %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)

Autostart Technique

This worm adds the following registry entry to enable its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Run
ScanRegistry = "scanregw.exe /scan"

Other System Modifications

This worm adds the following registry entry as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses
{default} = "Licensing: Copying the keys may be a violation of established copyrights."

It modifies the following registry key(s)/entry(ies) as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
WebView = "0"

(Note: The default value data of the said registry entry is "1".)

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
CabinetState
FullPath = "1"

(Note: The default value data of the said registry entry is "0".)

It adds the following registry keys as part of its installation routine:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\096EFC40-6ABF-11cf-850C-08002B30345D

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\190B7910-992A-11cf-8AFA-00AA00C00905

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\2c49f800-c2dd-11cf-9ad6-0080c7e7b78d

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\4250E830-6AC2-11cf-8ADB-00AA00C00905

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\4D553650-6ABE-11cf-8ADB-00AA00C00905

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\556C75F1-EFBC-11CF-B9F3-00A0247033C4

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\57CBF9E0-6AA7-11cf-8ADB-00AA00C00905

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\5f54e750-ce26-11cf-8e43-00a0c911005a

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\6FB38640-6AC7-11cf-8ADB-00AA00C00905

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\72E67120-5959-11cf-91F6-C2863C385E30

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\78E1BDD1-9941-11cf-9756-00AA00C00908

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\7C35CA30-D112-11cf-8E72-00A0C90F26F8

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\899B3E80-6AC6-11cf-8ADB-00AA00C00905

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\9E799BF1-8817-11cf-958F-0020AFC28C3B

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\B1EFCCF0-6AC1-11cf-8ADB-00AA00C00905

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\BC96F860-9928-11cf-8AFA-00AA00C00905

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\E32E2733-1BC5-11d0-B8C3-00A0C90DCA10

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\
Licenses\F4FC596D-DFFE-11CF-9551-00AA00A3DC45

It modifies the following registry entries to hide files with Hidden attributes:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
Advanced
ShowSuperHidden = "0"

(Note: The default value data of the said registry entry is "1".)

Dropping Routine

This worm drops the following files:

  • %System%\{malware name}.zip
  • %System%\MSWINSCK.OCX
  • %Windows%\Tasks\At{number}.job
  • %Program Files%\Temp.Htt
  • %Program Files%\desktop.ini

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows. %Program Files% is the default Program Files folder, usually C:\Program Files in Windows 2000, Server 2003, and XP (32-bit), Vista (32-bit), and 7 (32-bit), or C:\Program Files (x86) in Windows XP (64-bit), Vista (64-bit), and 7 (64-bit).)
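The following PowerShell script is an added example and is not part of this entry or of any Trend Micro tool. It turns the artifacts listed under Installation, Autostart Technique, Other System Modifications and Dropping Routine into a read-only host check: it resolves the %System Root%, %System%, %Windows% and %Program Files% placeholders from the standard environment variables, looks for each dropped file, the ScanRegistry Run value, the Explorer values the worm flips away from their defaults, and the Licenses key, and reports what it finds without changing anything. It assumes a local check from an elevated prompt; the \Admin$ and \c$ paths in the entry are the same files as seen through administrative shares on a remote host, so they map to the local %System Root% and %Windows% paths below.

```powershell
# Added example (not from the Trend Micro entry): read-only check for the
# NYXEM artifacts this entry lists. It reports; it does not delete or repair.
# Findings are corroborating indicators, not proof: the HKCU Explorer values
# can also be changed by a user, and the Licenses key can also be created by
# legitimately installed ActiveX controls.

$sysRoot = "$env:SystemDrive\"
$system  = Join-Path $env:windir 'System32'
$windows = $env:windir
# Both Program Files folders are checked; the entry notes the 32-bit folder
# is "Program Files (x86)" on 64-bit Windows.
$programDirs = @($env:ProgramFiles, ${env:ProgramFiles(x86)}) | Where-Object { $_ }

$startupCopy = 'Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe'
$candidates = @(
    (Join-Path $sysRoot $startupCopy),          # also reachable as \c$\...
    (Join-Path $sysRoot 'WINZIP_TMP.exe'),      # also reachable as \c$\WINZIP_TMP.exe
    (Join-Path $system  'Update.exe'),
    (Join-Path $system  'Winzip.exe'),
    (Join-Path $system  'scanregw.exe'),
    (Join-Path $system  'MSWINSCK.OCX'),
    (Join-Path $windows 'Rundll16.exe'),
    (Join-Path $windows 'WINZIP_TMP.exe')       # also reachable as \Admin$\WINZIP_TMP.exe
)
foreach ($dir in $programDirs) {
    $candidates += (Join-Path $dir 'WinZip_Tmp.exe')
    $candidates += (Join-Path $dir 'Temp.Htt')
    $candidates += (Join-Path $dir 'desktop.ini')
}

$findings = New-Object System.Collections.Generic.List[string]

foreach ($path in $candidates) {
    if (Test-Path -LiteralPath $path -PathType Leaf) {
        $findings.Add("File present: $path")
    }
}

# %Windows%\Tasks\At{number}.job: list any AT-style job files that exist.
Get-ChildItem -LiteralPath (Join-Path $windows 'Tasks') -Filter 'At*.job' -ErrorAction SilentlyContinue |
    ForEach-Object { $findings.Add("Scheduled job present: $($_.FullName)") }

# Autostart: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run, ScanRegistry = "scanregw.exe /scan"
$run = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue
if ($run -and $run.PSObject.Properties['ScanRegistry']) {
    $findings.Add("Run value ScanRegistry = '$($run.ScanRegistry)'")
}

# Explorer values the worm sets away from the defaults given in the entry.
$advanced = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
if ($advanced) {
    if ($advanced.PSObject.Properties['ShowSuperHidden'] -and $advanced.ShowSuperHidden -eq 0) {
        $findings.Add('Explorer\Advanced\ShowSuperHidden = 0 (entry gives default 1)')
    }
    if ($advanced.PSObject.Properties['WebView'] -and $advanced.WebView -eq 0) {
        $findings.Add('Explorer\Advanced\WebView = 0 (entry gives default 1)')
    }
}
$cabinet = Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState' -ErrorAction SilentlyContinue
if ($cabinet -and $cabinet.PSObject.Properties['FullPath'] -and $cabinet.FullPath -eq 1) {
    $findings.Add('Explorer\CabinetState\FullPath = 1 (entry gives default 0)')
}

# HKLM\SOFTWARE\Classes\Licenses and its GUID subkeys: weak signal on its own.
$licenses = 'HKLM:\SOFTWARE\Classes\Licenses'
if (Test-Path -LiteralPath $licenses) {
    $count = (Get-ChildItem -LiteralPath $licenses -ErrorAction SilentlyContinue | Measure-Object).Count
    $findings.Add("Key present: HKLM\SOFTWARE\Classes\Licenses ($count subkeys; weak indicator)")
}

if ($findings.Count -eq 0) {
    Write-Output 'No NYXEM artifacts from this entry were found.'
} else {
    Write-Output "Found $($findings.Count) indicator(s):"
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it from an elevated PowerShell prompt so the HKLM hive and the system folders are readable. A hit on the ScanRegistry Run value or on one of the dropped executables is the strong signal; the Explorer value changes and the Licenses key only add weight to it, so a host that shows just those should be examined further rather than declared infected.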

Other Details

This worm connects to the following possibly malicious URL:

  • http://{BLOCKED}ts.web.rcn.net/cgi-bin/Count.cgi?df=765247