If you have a penchant for porn and don’t have an up-to-date virus scanner on your system, then you could be headed for trouble come February 3rd:
The worm, named Nyxem.E, was discovered on January 20. It spreads by convincing users to open an executable attachment in their e-mail, tempting them with subject lines such as “Arab sex DSC-00465.jpg,” “Miss Lebanon 2006,” or “School girl fantasies gone bad.” The executable, when run, checks to see if there are any common anti-virus programs running, and if so disables them. It inserts itself into the Windows registry in the standard places such as Software\Microsoft\Windows\CurrentVersion\Run so that it will run on startup, then scans the user’s hard drive for any e-mail addresses it can find to send itself off to the next victim. It also attempts to spread via network shares.
The payload, which is set to execute on the third day of every month and so will first deploy on February 3, does not render the user’s computer inoperative, but instead destroys that user’s data. All Word, Excel, Access, PowerPoint, Acrobat, Photoshop, and some other files including zipped archives are deleted and replaced with the text string “DATA Error [47 0F 94 93 F4 K5].” This could result in some embarrassingly short business presentations scheduled for the beginning of next month.
What’s really interesting about this worm is that it’s written in Visual Basic and reproduces itself using well-established methods for which all manner of safeguards were developed ages ago, yet it’s still one of the fastest-spreading threats in the wild at the moment, accounting for some 35% of all malware traffic as of this morning. Outlook and Outlook Express won’t let you run this attachment if it arrives via email, and quite a few ISPs and commercial companies strip executables as they hit the mail server, but that hasn’t stopped it from spreading. Simple social engineering (Look! Free porn!) manages to overcome technological safeguards with ease. You naughty, naughty users!
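For cleanup after the payload date, the overwrite marker quoted above gives a simple way to list which documents were destroyed and need restoring from backup. The Python below is an added example, not code from the quoted article or from any vendor tool; the extension list, the two encodings tried and the size cap are assumptions, and the sample files are constructed.

```python
import os
import tempfile

# Marker text exactly as quoted in the write-up above.
MARKER = "DATA Error [47 0F 94 93 F4 K5]"
# Assumption: the on-disk encoding is not stated, so try ASCII and UTF-16LE.
MARKER_FORMS = (MARKER.encode("ascii"), MARKER.encode("utf-16-le"))
# Assumption: usual extensions for the file types the write-up names
# (Word, Excel, Access, PowerPoint, Acrobat, Photoshop, zipped archives).
TARGET_EXTS = {".doc", ".xls", ".mdb", ".ppt", ".pdf", ".psd", ".zip"}
MAX_SIZE = 4096  # assumption: an overwritten file holds little but the marker


def is_overwritten(path):
    """True if a targeted file type is tiny and contains the marker text."""
    if os.path.splitext(path)[1].lower() not in TARGET_EXTS:
        return False
    try:
        with open(path, "rb") as fh:
            data = fh.read(MAX_SIZE + 1)  # one extra byte reveals larger files
    except OSError:
        return False  # unreadable file: skip it rather than abort the scan
    return len(data) <= MAX_SIZE and any(m in data for m in MARKER_FORMS)


def scan(root):
    """Walk root and return the sorted paths of flagged files."""
    paths = (os.path.join(d, f) for d, _, files in os.walk(root) for f in files)
    return sorted(p for p in paths if is_overwritten(p))


def demo():
    """Build a constructed sample tree and return the flagged file names."""
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "budget.xls": MARKER.encode("ascii"),       # overwritten, ASCII
            "slides.ppt": MARKER.encode("utf-16-le"),   # overwritten, UTF-16LE
            "report.pdf": b"%PDF-1.4\n" + b"x" * 64,    # intact small file
            "notes.txt": MARKER.encode("ascii"),        # not a targeted type
            "big.zip": MARKER.encode("ascii") + b"\0" * 8000,  # over size cap
        }
        for name, body in samples.items():
            with open(os.path.join(root, name), "wb") as fh:
                fh.write(body)
        return [os.path.basename(p) for p in scan(root)]


if __name__ == "__main__":
    print(demo())
```

Point `scan()` at a user profile or file share to get the list of files to restore; a hit on a machine also means the worm ran there, so the Run key entry mentioned above is worth checking on the same host.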