Viruses, worms, trojans and other stuff

Tuesday, January 31, 2006

Worm: Nyxem.E

Nyxem.E is a mass-mailing worm that also tries to spread via remote shares. It also tries to disable security-related and file-sharing software, and it destroys files of certain types. It is similar to the '' that was found a few days ago.

Alias: W32/MyWife.d@MM, Kama Sutra, W32.Blackmal.E@mm, Email-Worm.Win32.Nyxem.e

  • Turns off anti-virus applications
  • Sends itself to email addresses found on the infected computer
  • Deletes files off the computer
  • Forges the sender's email address
  • Uses its own emailing engine
  • Downloads code from the internet
  • Reduces system security
  • Installs itself in the Registry
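The behaviours listed above (own mailing engine, forged sender address, harvested recipient addresses) suggest a simple heuristic a mail administrator can run over outbound mail logs: one workstation sending many messages under many different sender addresses is consistent with a worm driving its own SMTP engine rather than a user's mail client. The script below is an added example, not code from the original post; the log line format, host names and thresholds are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample of outbound mail-relay log lines (not from the original page).
# Assumed format for this example: "<timestamp> host=<internal host> from=<sender> to=<recipient>"
SAMPLE_LOG = """\
2006-01-31T09:00:01 host=ws-17 from=alice@example.com to=bob@example.com
2006-01-31T09:00:03 host=ws-17 from=ceo@example.com to=carol@example.net
2006-01-31T09:00:04 host=ws-17 from=support@example.org to=dave@example.org
2006-01-31T09:00:05 host=ws-17 from=news@example.com to=erin@example.com
2006-01-31T09:00:06 host=ws-17 from=admin@example.net to=frank@example.net
2006-01-31T09:00:07 host=ws-17 from=info@example.org to=grace@example.org
2006-01-31T09:00:08 host=ws-17 from=sales@example.com to=heidi@example.com
2006-01-31T09:00:09 host=ws-17 from=hr@example.net to=ivan@example.net
2006-01-31T09:05:00 host=ws-03 from=alice@example.com to=bob@example.com
2006-01-31T09:06:00 host=ws-03 from=alice@example.com to=carol@example.net
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) from=(?P<sender>\S+) to=(?P<rcpt>\S+)$"
)


def parse_log(text):
    """Yield (host, sender, recipient) tuples; lines that do not match are skipped."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group("host"), m.group("sender"), m.group("rcpt")


def mass_mailer_suspects(text, min_messages=5, min_distinct_senders=3):
    """Return {host: stats} for hosts whose outbound mail looks like a worm's own SMTP engine.

    Heuristic: a single internal host emitting at least `min_messages` messages under at
    least `min_distinct_senders` different sender addresses. A normal workstation sends
    under one or two addresses; a mass-mailer forging the From header does not.
    """
    per_host = defaultdict(lambda: {"messages": 0, "senders": set(), "recipients": set()})
    for host, sender, rcpt in parse_log(text):
        stats = per_host[host]
        stats["messages"] += 1
        stats["senders"].add(sender.lower())
        stats["recipients"].add(rcpt.lower())

    return {
        host: {
            "messages": s["messages"],
            "distinct_senders": len(s["senders"]),
            "distinct_recipients": len(s["recipients"]),
        }
        for host, s in per_host.items()
        if s["messages"] >= min_messages and len(s["senders"]) >= min_distinct_senders
    }


if __name__ == "__main__":
    for host, stats in mass_mailer_suspects(SAMPLE_LOG).items():
        print(f"{host}: {stats['messages']} messages under "
              f"{stats['distinct_senders']} distinct sender addresses")
```

On the constructed sample, ws-17 is flagged (eight messages, eight different sender addresses) while ws-03, which sends two messages under one address, is not. The thresholds are deliberately conservative; in practice they should be tuned to the site's normal per-host volume, and a workstation that connects to external mail servers directly instead of through the corporate relay is a second, independent signal of the same behaviour.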

Monday, January 09, 2006

Sober-Z virus reaches pandemic proportions, reports Sophos

Sophos, a world leader in protecting businesses against viruses, spyware and spam, has revealed the top ten viruses and hoaxes causing problems for businesses around the world during the month of December 2005.

The report, compiled from Sophos's global network of monitoring stations, reveals that Sober-Z has taken the world by storm this month, accounting for a massive 78.92% of all malware reported to Sophos. Its domination of the charts is making other current threats pale in comparison, and the Sober threat shows no sign of slowing down.

The top ten viruses in December were as follows:

Position  Last  Virus   Percentage of reports
(the ten named entries did not survive extraction)
   -       -    Others  9.5%

The highly prolific Sober-Z worm sends itself as an email attachment and attempts to turn off security software on the user's computer. The author of this worm has been operating anonymously for more than two years, and this latest threat is the cyber criminal's most widespread virus yet.

"A key differentiator of the Sober worms is their ability to dupe users. From promising World Cup football tickets, to posing as the FBI or long-lost pal, it seems the Sober family will stop at nothing to ensure that recipients launch the viral email attachment," said Carole Theriault, senior security consultant at Sophos. "The Sober-Z worm stormed to the top of the November 2005 chart and continued to hold the number one spot throughout December. Should the author go ahead and upload malware onto websites for infected machines to grab and run, as anticipated, the worm may disrupt businesses even further."

Microsoft releases critical WMF vulnerability fix early

Experts at SophosLabs have advised computer users to apply a critical Microsoft security patch which protects against a vulnerability in the way Windows handles WMF graphic files. Sophos has seen over 200 different attempts to infect innocent computer users using the flaw which has been public knowledge since late December 2005.

Unusually, Microsoft has issued the critical security update outside of its normal monthly update cycle. Originally Microsoft had indicated that it would not be issuing the patch until Tuesday 10 January, causing some in the security community to express concern that hackers would have a significant opportunity to infect internet users.

"It's good news that Microsoft has been able to issue this patch sooner rather than later. This flaw in Microsoft's software is very dangerous, and is being actively exploited by hackers to distribute malware. It's critical that businesses and home users protect against flaws like this as a matter of priority," said Graham Cluley, senior technology consultant for Sophos. "Our advice to companies and home users is to waste no time in implementing this patch."

* Read more about the WMF security vulnerability now, and protect your computers

Home users of Microsoft Windows can visit to have their systems scanned for critical Microsoft security vulnerabilities.

Experts at Sophos are reminding users that hackers are continuing to actively exploit the security hole, even though a fix is now available.

In the latest sighted attacks, emails with the subject line "Happy New Year 2" have been spammed out, pointing users to a website pretending to be an online e-card from However, the link really points to a malicious website based in the Netherlands.

"Hackers are in a race against time to infect as many computers as possible through the WMF security hole before companies have a chance to put the patch in place," explained Cluley. "Everyone should apply the patch as soon as possible, and defend their networks with up-to-date anti-virus and anti-spam software."