SecurityFocus, 2006-02-01
Security experts urged companies on Wednesday to clean their networks of a malicious mass-mailing computer virus, before compromised systems reach the first trigger date and start deleting eleven types of files.
The virus--dubbed Blackmal.E or Nyxem.E by antivirus companies and designated as CME 24 under the Common Malware Enumeration standard--has spread to as many as 600,000 computers, with the three most infected nations--the United States, India and Peru--making up more than half of all compromises.
The virus is programmed to start deleting eleven different types of files on the third of each month, starting with Friday, February 3. The files will be deleted from a computer's local hard drive as well as network-attached storage, a strategy that worried security experts enough to warn about the virus.
"It is nothing special, just pretty simple stuff cribbed from pieces of other worms," said Joe Stewart, senior security engineer for network protection firm LURHQ. "It is just that the person decided to be malicious and wipe the affected computers."
The virus is the most destructive program to hit the Internet recently. In the past few years, virus writers have eschewed outright malicious programs in favor of code that silently infects systems and turns control over to the hacker. Four years ago, the Klez virus spread moderately and threatened to delete several file types. In 1998, the CIH virus, also known as the Chernobyl virus, threatened to delete files and erase the core system code kept in flash memory on the motherboard of certain types of computers.
The move away from such destructiveness is part of the trend among online criminals to turn illicitly-controlled computers into hard cash. Large networks of compromised computers, known as bot nets, can be used to generate money through click fraud or bulk e-mail or can be an attack tool with which to extort money from legitimate Web sites.
"The destructive behavior has really almost completely disappeared in the last five years, because the virus writers gain nothing from deleting your files," said Mikko Hyppönen, chief research officer for antivirus firm F-Secure. "Instead, they are building bot nets or installing keyloggers."
The Blackmal worm is not focused on making a buck, however. Computers that remain infected on February 3 will have eleven types of data deleted from the hard drive, including any Word, Excel, PowerPoint or PDF documents. The seriousness of the virus's impact is still unknown, however. A similar threat posed by the Sober virus, which was supposed to download additional functionality on January 5, largely failed to happen. Because the Blackmal virus does not rely on external Web sites, however, it's unlikely that it will be as easily hobbled.
Some data suggests that the worm will cause some headache for companies and home users. At least two victims, whose computers had the wrong date set, already have reported that the virus deleted files, according to F-Secure. The virus deletes files not only on a system's local hard drive, but also on any network-attached drives--a characteristic that resulted in one of the two victims, an India-based company, losing a significant number of documents stored on its network.
"We have two people who have contacted us and we have double-checked files from their systems," F-Secure's Hyppönen said. "One (victim's machine) had write access to most of his company's network and the virus had deleted most of the company's data."
LURHQ's analysis also suggested that at least one company could find a large number of files lost. Of the more than 90,000 Windows computers estimated to be infected in the United States, about 75,000 belong to a single company, according to the firm's analysis. Because the virus can also spread among Windows computers that share files on the same local network, once one person's computer is infected through e-mail, other computers in the company are put at risk, especially if the company has not hardened its internal security, LURHQ's Stewart said.
"We have been preaching to people for years against running your network that way--with everyone logged in as administrator and everything opened up on the inside," he said. "That's the sort of configuration that gets hit really hard by this."
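The two points the article makes about impact are that the worm wipes particular document types and that the damage reaches wherever the infected user's account can write, including network shares. An administrator preparing for the trigger date would want to know how many such documents sit in locations a given account can write to. The following exposure audit is an added example written for this page; it is not code from the article, LURHQ, or F-Secure. It assumes only the four document types the article names (Word, Excel, PowerPoint, PDF), since the full list of eleven is not given, and it approximates "can delete" by whether the current account has write permission on the containing directory. The `build_sample_tree` helper creates a constructed directory layout so the audit can be run offline.

```python
import os
import tempfile
from dataclasses import dataclass, field
from pathlib import Path

# Extensions for the document types the article names as targets. The worm's
# full list of eleven file types is not given in the article, so this is an
# assumption limited to the four named there (Word, Excel, PowerPoint, PDF).
AT_RISK_EXTENSIONS = frozenset({".doc", ".xls", ".ppt", ".pdf"})


@dataclass
class ExposureReport:
    at_risk_files: list = field(default_factory=list)   # Paths matching the extension list
    writable_dirs: set = field(default_factory=set)     # directories the account can write to
    read_only_dirs: set = field(default_factory=set)    # directories it cannot write to

    @property
    def exposed_count(self) -> int:
        """At-risk files whose containing directory is writable by this account.

        Deleting a file needs write permission on its directory, so these are
        the files an infection running as this account could actually remove.
        """
        return sum(1 for p in self.at_risk_files if p.parent in self.writable_dirs)


def audit_exposure(roots, extensions=AT_RISK_EXTENSIONS) -> ExposureReport:
    """Walk each root (local folders, mapped drives, UNC paths) and classify
    every directory by writability and every file by at-risk extension."""
    report = ExposureReport()
    for root in roots:
        root = Path(root)
        if not root.is_dir():
            continue
        for dirpath, _dirnames, filenames in os.walk(root):
            directory = Path(dirpath)
            # os.access is an approximation: it does not evaluate share-level
            # permissions on a remote file server, only what the OS reports.
            if os.access(directory, os.W_OK):
                report.writable_dirs.add(directory)
            else:
                report.read_only_dirs.add(directory)
            for name in filenames:
                # Extension match is case-insensitive: REPORT.PDF counts too.
                if Path(name).suffix.lower() in extensions:
                    report.at_risk_files.append(directory / name)
    return report


def summarize(report: ExposureReport) -> dict:
    """Counts an administrator would act on before the trigger date."""
    return {
        "at_risk_files": len(report.at_risk_files),
        "exposed_files": report.exposed_count,
        "writable_dirs": len(report.writable_dirs),
        "read_only_dirs": len(report.read_only_dirs),
    }


def build_sample_tree() -> Path:
    """Constructed sample data: a small tree with three at-risk documents
    (one in a subfolder, one with an upper-case extension) and one text file."""
    base = Path(tempfile.mkdtemp(prefix="exposure-audit-"))
    (base / "shared").mkdir()
    for rel in ("budget.xls", "memo.doc", "shared/REPORT.PDF", "notes.txt"):
        (base / rel).write_text("constructed sample content")
    return base


if __name__ == "__main__":
    sample_root = build_sample_tree()
    result = audit_exposure([sample_root])
    for key, value in summarize(result).items():
        print(f"{key}: {value}")
```

Run it over the locations a typical user account can reach, such as mapped drive letters and the UNC paths of departmental shares, under that user's own credentials rather than an administrator's. A large `exposed_files` count under an ordinary account is exactly the condition Stewart describes, and the useful response is to reduce write access on shares to what each role needs and confirm that those locations are covered by a current backup. Because `os.access` cannot see share-level permissions on a remote server, treat a "writable" result as an upper bound and verify important shares directly on the file server.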