Type: Worm
Category: Win32
Also known as:
W32.Blackmal.E@mm (Symantec), Win32.Blackmal.F, Win32/Blackmal.F, JS/Blackmal.F, JS.Blackmal.F, Win32/Blackmal.F!CME24, Win32/Blackmal.F!Worm, Win32/Cabinet!Worm, CME-24, WORM_GREW.A (Trend), Kama Sutra Worm, W32/MyWife!ITW#7 (WildList), W32/Mywife.d@MM (McAfee), W32/Nyxem.E (F-Secure), W32/Nyxem-D (Sophos), W32/Tearec.A.worm (Panda), Email-worm.Win32.Nyxem.e (Kaspersky)
Immediate Protection Info
| Signature | Product | Removal Instructions |
|---|---|---|
| 12.4x/2046 | eTrust Antivirus v7/8* | |
| 23.71.52 | eTrust Antivirus v7/8* (InoculateIT Engine) | |
| 11.x/9615 | eTrust Antivirus v7/8* (Vet Engine) | |
| 6.2x/9615 | eTrust EZ Antivirus 6.2x | |
| 6.3x/9615 | eTrust EZ Antivirus 6.3x | |
| 6.4x/9615 | eTrust EZ Antivirus 6.4x | |
| 7.x/9615 | eTrust EZ Antivirus 7.x | |
| 10.6x/9615 | Vet Anti-Virus 10.6x | |
Description
Win32/Blackmal.F is a worm that spreads via e-mail and network shares.
Method of Infection
When executed, Win32/Blackmal.F copies itself to the %System% directory using the following file names:
Winzip.exe
Update.exe
scanregw.exe
It also copies itself to the %Windows% directory using the following file names:
WINZIP_TMP.EXE
Rundll16.exe
It then modifies the registry so that "scanregw.exe" is executed at each Windows start:
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ScanRegistry = "scanregw.exe /scan"
Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default location of the System directory is C:\Winnt\System32 for Windows 2000 and NT; C:\Windows\System for 95, 98 and ME; and C:\Windows\System32 for XP. The default location of the Windows directory is C:\Winnt for Windows 2000 and NT; C:\Windows for 95, 98 and ME; and C:\Windows for XP.
The worm also drops the legitimate DLL "MSWINSCK.OCX" into the %System% directory.
Method of Distribution
Via Network Shares
Blackmal.F attempts to connect to, and then copy itself to the following administrative shares:
\Admin$\WINZIP_TMP.exe
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\WinZip Quick Pick.exe
The worm then adds a job to the scheduled tasks list that runs these files once, at the 59th minute of the hour (on the same day) in which the worm was first executed.
For example, if the worm was executed at 4 pm, it would schedule a job to run at 4:59 pm.
Via E-mail
Blackmal.F sends e-mail to e-mail addresses harvested from the local machine. It sends e-mail with varying Subjects, Message bodies and Attachment names. The worm harvests addresses from files found on the machine that have the following extensions:
.HTM
.DBX
.EML
.MSG
.OFT
.NWS
.VCF
.MBX
.IMH
.TXT
.MSF
It avoids sending itself to addresses that contain the following strings in their names:
@YAHOOGROUPS
BLOCKSENDER
SCRIBE
YAHOOGROUPS
TREND
PANDA
SECUR
SPAM
ANTI
CILLIN
CA.COM
AVG
GROUPS.MSN
NOMAIL.YAHOO.COM
EEYE
MICROSOFT
HOTMAIL
MSN
MYWAY
Possible Subjects:
Re: Sex Video
Re:
Fw: Picturs
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Fw:
Fw: SeX.mpg
Fwd: Crazy illegal Sex!
Fw: DSC-00465.jpg
eBook.pdf
Hello
Fw: Real show
the file
Word file
School girl fantasies gone bad
Hot XXX Yahoo Groups
A Great Video
F**kin Kama Sutra pics
ready to be F**KED ;)
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
VIDEOS! FREE! (US$ 0,00)
Part 1 of 6 Video clipe
Miss Lebanon 2006
You Must View This Videoclip!
Possible Message bodies:
What?
Note: forwarded message attached.
forwarded message attached.
i attached the details.
Thank you
hi
i send the details
bye
how are you?
i send the details.
OK ?
Please see the file.
i just any one see my photos.
The Best Videoclip Ever
Some message bodies contain empty image files which may be labeled with one of the following file names:
DSC-00465.jpg
DSC-00466.jpg
DSC-00467.jpg
photo
photo2
photo3
Attachment:
The worm attaches a copy of itself to the e-mail it sends out.
Possible attachment names:
New_Document_file.pif
document.pif
007.pif
eBook.PIF
DSC-00465.Pif
In some cases the worm attaches itself in the form of a uuencoded archive. This file would have to be decoded using a tool such as WinZIP in order to execute the worm. The following lists the archive names it uses followed by the filenames contained within the archive:
| Archive name | File name contained within the archive |
|---|---|
| Attachments001.BHX | Atta[001],zip[many spaces].SCR |
| Attachments00.HQX | Attachments,zip[many spaces].SCR |
| Attachments[001].B64 | Attachments[001],B64[many spaces].sCr |
| Video_part.mim | New Video,zip[many spaces].sCr |
| Word_Document.hqx | Word.zip[many spaces].sCR |
| SeX.mim | SeX,zip[many spaces].scR |
| Sex.mim | WinZip.zip[many spaces].sCR |
| Word_Document.uu | Word XP.zip[many spaces].sCR |
| Original Message.B64 | ATT01.zip[many spaces].sCR |
| 3.92315089702606E02.UUE | 392315089702606E-02,UUE[many spaces].scR |
| Photos | Photos,zip[many spaces].sCR |
| Sweet_09 | Adults_9,zip[many spaces].sCR |
| Clipe | Clipe,zip[many spaces].sCr |
| WinZip.BHX | WinZip.zip[many spaces].sCR |
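The attachment names above rely on two tricks: a comma standing in for the dot before "zip", and a long run of spaces pushing the real .scr or .pif extension out of view. The following Python check is an added example written for this page (not code from the advisory or from CA) of how a mail gateway could flag such names; the function names and the sample attachment names are my own, modelled on the patterns listed above.

```python
# Added example, not from the original advisory: flag attachment names that use
# the worm's padding / comma-for-dot tricks or that are directly executable.
import re

# Executable extensions the advisory shows the worm using (case varies: .Pif, .sCr).
EXECUTABLE_EXTENSIONS = {".pif", ".scr", ".exe"}

# Decoy "archive" tokens that precede the padding in the advisory's names.
DECOY_TOKENS = ("zip", "b64", "uue")

# ".zip" or ",zip" (etc.), then two or more spaces, then the real extension.
PADDED_PATTERN = re.compile(
    r"[.,](?:%s)\s{2,}\.[a-z0-9]{1,4}$" % "|".join(DECOY_TOKENS), re.IGNORECASE)

# A comma where a dot should be, directly before a decoy token.
COMMA_PATTERN = re.compile(r",(?:%s)" % "|".join(DECOY_TOKENS), re.IGNORECASE)


def classify_attachment(name):
    """Return a short reason if the name looks like the worm's bait, else None."""
    stripped = name.strip()
    ext = stripped[stripped.rfind("."):].lower() if "." in stripped else ""
    if PADDED_PATTERN.search(name):
        return "padded decoy extension hides real extension %s" % ext
    if ext in EXECUTABLE_EXTENSIONS:
        return "directly executable attachment (%s)" % ext
    if COMMA_PATTERN.search(name):
        return "comma used in place of a dot before an archive extension"
    return None


# Constructed sample names (hypothetical): the first four follow the advisory's patterns.
SAMPLE_NAMES = [
    "Attachments,zip" + " " * 40 + ".SCR",
    "New Video,zip" + " " * 30 + ".sCr",
    "DSC-00465.Pif",
    "New_Document_file.pif",
    "quarterly_report.pdf",
    "photo.jpg",
]


def scan_names(names):
    """Map each name to its verdict; None means nothing suspicious was found."""
    return {n: classify_attachment(n) for n in names}
```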
[Figure: examples of e-mail sent by the worm]
Payload
Modifies System Settings via the Registry
The worm deletes the following values from the following registry keys (should they exist):
Keys:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
Values:
PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare
ccApp
CleanUp
MCUpdateExe
VirusScan Online
McRegWiz
MCAgentExe
VSOCheckTask
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte
PCClient.exe
The worm also sets the following value so that hidden files cannot be seen in Explorer, which helps it conceal its own presence:
HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden = 0
Deletes Files
All files are deleted from the following folders:
%Program Files%\Symantec\LiveUpdate\
%Program Files%\Symantec\Common Files\Symantec Shared\
%Program Files%\McAfee.com\Agent\
%Program Files%\McAfee.com\shared\
The worm deletes all files with a .DLL extension found in the following folders:
%Program Files%\DAP\
%Program Files%\BearShare\
%Program Files%\Grisoft\AVG7\
%Program Files%\TREND MICRO\OfficeScan\
%Program Files%\Morpheus\
It also deletes all .EXE files found in the following locations:
%Program Files%\Norton AntiVirus\
%Program Files%\Alwil Software\Avast4\
%Program Files%\McAfee.com\VSO\
%Program Files%\Trend Micro\PC-cillin 2002\
%Program Files%\Trend Micro\PC-cillin 2003\
%Program Files%\Trend Micro\Internet Security\
%Program Files%\NavNT\
%Program Files%\Kaspersky Lab\Kaspersky Anti-Virus Personal\
%Program Files%\Trend Micro\OfficeScan Client\
Files with .PPL extensions are deleted from the following:
%Program Files%\Kaspersky Lab\Kaspersky Anti-Virus Personal\
Note: %Program Files% is a variable location. The malware determines the location of the current Program Files folder by querying the operating system. A typical location for this folder would be C:\Program Files.
The worm also deletes all files found in the following folders in the C$ administrative share:
\C$\Program Files\Norton AntiVirus
\C$\Program Files\Common Files\symantec shared
\C$\Program Files\Symantec\LiveUpdate
\C$\Program Files\McAfee.com\VSO
\C$\Program Files\McAfee.com\Agent
\C$\Program Files\McAfee.com\shared
\C$\Program Files\Trend Micro\PC-cillin 2002
\C$\Program Files\Trend Micro\PC-cillin 2003
\C$\Program Files\Trend Micro\Internet Security
\C$\Program Files\NavNT
\C$\Program Files\Panda Software\Panda Antivirus Platinum
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
\C$\Program Files\Panda Software\Panda Antivirus 6.0
\C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus
Overwrites Files
On the 3rd day of every month, the worm searches for files on the local drive that have the following extensions:
.doc
.xls
.mdb
.mde
.ppt
.pps
.zip
.rar
.pdf
.psd
.dmp
If it finds such files, it replaces the contents of the file with the following string:
DATA Error [47 0F 94 93 F4 K5]
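After this payload fires, a responder's first need is a list of which documents were destroyed and must be restored from backup. The following Python scanner is an added example written for this page (not code from the advisory or from CA): it walks a directory, checks only the extensions listed above, and reports files whose entire content is the marker string. The sample tree it builds is constructed data, and the function names are my own.

```python
# Added example, not from the original advisory: find files whose contents were
# replaced by Blackmal.F's "DATA Error" marker, so a responder knows what to restore.
import os
import tempfile

# Marker string quoted in the advisory; the worm writes exactly this.
OVERWRITE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions the advisory says the worm targets on the 3rd of each month.
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_overwritten(path):
    """True if the file consists solely of the worm's marker string."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(OVERWRITE_MARKER) + 1)
    except OSError:
        return False
    # The worm replaces the whole file, so require an exact match: a real
    # document that merely mentions the string somewhere is not flagged.
    return head == OVERWRITE_MARKER


def find_overwritten(root):
    """Walk root and return paths (relative to root) of destroyed files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if os.path.splitext(name)[1].lower() in TARGET_EXTENSIONS:
                full = os.path.join(dirpath, name)
                if is_overwritten(full):
                    hits.append(os.path.relpath(full, root))
    return sorted(hits)


def build_sample_tree():
    """Constructed sample data (hypothetical): one intact document, two destroyed."""
    root = tempfile.mkdtemp(prefix="blackmal_demo_")
    os.makedirs(os.path.join(root, "docs"))
    samples = {
        os.path.join("docs", "report.doc"): b"intact text mentioning DATA Error",
        os.path.join("docs", "budget.xls"): OVERWRITE_MARKER,
        "archive.ZIP": OVERWRITE_MARKER,
        "notes.txt": OVERWRITE_MARKER,  # .txt is not targeted, so not reported
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root
```

Running `find_overwritten(build_sample_tree())` reports budget.xls and archive.ZIP but neither the intact report.doc nor the untargeted notes.txt.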
Closes Windows
The worm terminates any windows that contain the following strings in their title:
KasperSky
Norton
SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL
FIX
For additional information:
Users should note that, due to bugs in Blackmal.F's code, it may cause affected systems to freeze.
The worm executable uses the Winzip icon.

In order to mask its presence, the worm creates an empty ZIP file in the %System% directory and opens it. The ZIP file is given the same name as the executable that was run, except with the extension ".zip".

The worm also contacts the "webstats.web.rcn.net" site, presumably to record a new system compromise.
Blackmal.F sets the following registry values for its own use:
Analysis by Amir Fouda