Post by Saurabh Jain on Feb 1, 2006 6:08:01 GMT 5.5
On 3 February, the virus will delete all critical data from your machine. And, a report says India is going to be the biggest victim of Black Worm attack.
Tuesday, January 31, 2006: New Delhi: It has been observed that the Black Worm, also known as W32.Vb.i or W32.Nayem.E, has been actively spreading in India for the last two weeks now. It is a mass-mailing worm that also spreads using remote shares. After a long gap, there has been an outbreak kind of situation as this worm was successful in spreading all over the globe within a few hours when it first appeared over the Internet.
The reason why the worm was so successful in spreading all over is that it spreads by creating a MIME-encoded compressed executable with a different extension (.HQX, .BHX), which didn’t have any kind of header to classify the file. As a result the mail gateway scanners were not able to decode the attachment and scan the infected files. This is why the worm got skipped even though the mail servers had updated anti-virus scan engines. Many of the leading anti-virus products had to make some changes to their scan engines to make the scanners decode the file and scan for the infected attachment.
AntiVirus Quick Heal from India was the first anti-virus to detect this worm when it first hit the net, according to the report generated and published by PC-Wallet Magazine, Germany. According to PC-Wallet, Germany, the worm was first caught and detected on 16 January 2006 at 10.00 (GMT) by Quick Heal AntiVirus.
According to the US-based LURHQ, a provider of threat and vulnerability management services, this worm has hit hard in countries like India, Italy and Peru, which have reported high infection rates. Among them, India is the hardest hit country, by far, in terms of overall infection rate till today.
This worm attaches itself to e-mail messages as an executable file with various names. Occasionally it compresses itself with ZIP, MIME-encodes the compressed file and then attaches the encoded file to the e-mail messages.
The worm has several network spreading routines. One of them enumerates all available shares, then reads the values of the registry key where personal documents and recently opened files are stored. It copies itself to such folders under a file name with an executable extension and the same name as a document in that folder. The worm also copies itself to network shares with the same name. Once active, this worm first tries to delete the folders of popularly known international anti-virus products (e.g. Norton AntiVirus, McAfee, Trend, etc.).
This worm has a dangerous payload -- it will delete all the documents, worksheets, presentations, database files and compressed backup files from the system on the 3rd day of every month. This is a very serious payload considering that the worm has spread all over India and the first payload day, i.e. 3 February, is arriving very soon. It is recommended that you should have your AntiVirus updated, up and running. All the Quick Heal users are already protected from this worm from day one.
From
www.efytimes.com/fullnews.asp?edid=9930
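The gateway gap described in the article (an attachment named .HQX or .BHX with no header to say how it is encoded) can be closed by trying each decoder and classifying the result by content instead of by name. The following is an added example, not code from the article or from any anti-virus product; it assumes, for illustration only, a headerless uuencoded body (the article does not state the exact encoding), and the message, file names and helper names are constructed.

```python
import base64, binascii, io, zipfile
from email import message_from_bytes

EXEC_EXT = (".exe", ".scr", ".pif", ".com")

def candidate_decodings(body: bytes):
    """Yield the body as-is plus every decoding that succeeds, ignoring the file name."""
    yield body
    try:
        yield base64.b64decode(b"".join(body.split()), validate=True)
    except (binascii.Error, ValueError):
        pass
    try:  # uuencoded lines with no "begin" header line (assumed encoding)
        yield b"".join(binascii.a2b_uu(l) for l in body.splitlines() if l.strip())
    except binascii.Error:
        pass

def classify(data: bytes) -> str:
    """Classify by magic bytes, looking inside ZIP archives."""
    if data[:2] == b"MZ":
        return "executable"
    if data[:4] == b"PK\x03\x04":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as z:
                names = [n.lower() for n in z.namelist()]
        except zipfile.BadZipFile:
            return "unclassified"
        return "zip-with-executable" if any(n.endswith(EXEC_EXT) for n in names) else "zip"
    return "unclassified"

def scan_message(raw_msg: bytes):
    """Return (filename, verdicts) for every named attachment."""
    findings = []
    for part in message_from_bytes(raw_msg).walk():
        name = part.get_filename()
        if name:
            body = part.get_payload(decode=True) or b""
            hits = {classify(d) for d in candidate_decodings(body)} - {"unclassified"}
            findings.append((name, sorted(hits) or ["unclassified"]))
    return findings

def build_sample() -> bytes:
    """Constructed test message: harmless ZIP, uuencoded without a header, named .BHX."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("report.doc.exe", b"constructed placeholder, not a program")
    data = buf.getvalue()
    uu = b"".join(binascii.b2a_uu(data[i:i + 45]) for i in range(0, len(data), 45))
    return (b"MIME-Version: 1.0\nContent-Type: application/octet-stream\n"
            b'Content-Disposition: attachment; filename="sample.BHX"\n\n' + uu)
```

A gateway would hold any attachment whose verdict is `executable` or `zip-with-executable`, and decide by policy what to do with `unclassified` attachments that carry an encoded-archive extension.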