Security Alert: Beware Windows Worm That Deletes Files on Feb 3, 2006 (BlackWorm)
A worm is currently spreading through the Internet that will attempt to delete files on infected Windows computers on Friday, February 3, 2006.
We have not had any reports of this BlackWorm, which Symantec calls W32.Blackmal.E@mm and other companies call Nyxem and MyWife, appearing on campus. Due to its destructive nature, however, we are urging the campus community to take protective action.
- Make sure your anti-virus definitions are up-to-date and run a scan of your computer
The Symantec anti-virus definitions of January 17, 2006, or later should be able to detect and stop this threat. The anti-virus filters on CIT's mail servers should also be able to block this. Nonetheless, as always, variants that have not yet been analyzed may appear. To be extra safe, you might want to back up key documents before Feb. 3.
- Be very cautious of any e-mail attachments
This worm spreads largely through e-mail attachments, though it can also be passed along by network shares. Both the message's subject line and the name of the attachment can vary widely.
As is typical with e-mail borne worms and viruses, you may receive infected messages that appear to be from people you know at Cornell. That does not necessarily mean the sender's computer is infected. This worm, like many others, mails itself to any e-mail address it finds. For more information about e-mail worms and viruses, see:
http://www.cit.cornell.edu/computer/security/emailvirus.html
More Details
On February 3 and on any 3rd of the month thereafter, the worm will attempt to overwrite any file with the extension of DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP or ZIP. That means Microsoft Office documents, Microsoft database files, Adobe Acrobat documents, and common compression and archive formats are all vulnerable.
BlackWorm will also attempt to disable any anti-virus software, and spread by mailing itself to any e-mail addresses it finds on the infected computer.
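One way to act on the backup advice using the extension list above, as an added example that is not part of the original alert: it copies every at-risk file to a backup location, records a SHA-256 manifest, and can later report which originals were overwritten or removed. The function names are assumptions made for this sketch, and because the worm can also travel over network shares, the destination should be media that is disconnected after the copy.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path

# Extensions the alert lists as overwrite targets (matched case-insensitively).
AT_RISK = {"." + e for e in "doc xls mde mdb ppt pps rar pdf psd dmp zip".split()}


def sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def at_risk_files(root):
    """Return every file under root whose extension is on the at-risk list."""
    return sorted(p for p in Path(root).rglob("*")
                  if p.is_file() and p.suffix.lower() in AT_RISK)


def backup(root, dest):
    """Copy at-risk files to dest, keeping relative paths; return {relpath: sha256}."""
    root, dest = Path(root).resolve(), Path(dest).resolve()
    if dest == root or root in dest.parents:
        raise ValueError("backup destination must be outside the scanned tree")
    manifest = {}
    for src in at_risk_files(root):
        rel = src.relative_to(root)
        (dest / rel).parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dest / rel)
        manifest[rel.as_posix()] = sha256(dest / rel)
    return manifest


def changed_since(root, manifest):
    """Return relative paths that are now missing or no longer match the manifest."""
    return sorted(rel for rel, digest in manifest.items()
                  if not Path(root, rel).is_file() or sha256(Path(root, rel)) != digest)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as docs, tempfile.TemporaryDirectory() as bak:
        Path(docs, "thesis.DOC").write_bytes(b"draft 1")  # constructed sample file
        manifest = backup(docs, bak)
        Path(docs, "thesis.DOC").write_bytes(b"overwritten")  # simulated damage
        print(changed_since(docs, manifest))
```

Keep the manifest with the backup copy, not on the computer being protected, so that a later comparison can be trusted.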
Symantec's write-up of W32.Blackmal.E@mm and removal instructions:
http://www.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html
Symantec Anti-Virus is available to all members of the campus community at no charge via Bear Access or at:
http://www.cit.cornell.edu/software/downloads/antivirus/
People working on departmental networks should, as always, consult with local technical support staff for assistance with updating their software and cleaning up any worm or virus infections.
Description from US-CERT (CME-24):
http://www.us-cert.gov/current/current_activity.html#nyxemworm
The SANS Internet Storm Center has been maintaining a nice, somewhat more technical summary of this threat:
http://isc.sans.org/blackworm
Thank you for your attention to this message. We hope it has proven useful.
Cornell Information Technologies
IT Security Office
If you need help and don't have access to local technical support personnel for assistance, please contact the CIT Contact Center (HelpDesk) by calling 255-8990, by sending e-mail to helpdesk@cornell.edu, or by visiting 119 CCC. The Contact Center is open Monday-Friday from 8:00 a.m. to 5:00 p.m., with extended phone hours Monday-Thursday from 5:00 p.m. to 8:00 p.m. during the academic year. If the Contact Center is closed and your problem is urgent, contact the Network Operations Center at 255-9900.
You can receive messages like this via e-mail by subscribing to the CIT-Alert-L mailing list, which is used to distribute announcements about significant disruptions or threats to the campus computing and telecommunications environment. Visit the CIT-Alert-L subscription page
Last modified: June 04, 2007