W32/Nyxem-D

Category: Viruses and Spyware
Protection available since: 16 Jan 2006 00:00:00 (GMT)
Type: Win32 executable file virus
Last Updated: 16 Jul 2014 13:00:52 (GMT)
Prevalence: No Reports


W32/Nyxem-D is an email and network worm for the Windows platform.

W32/Nyxem-D copies itself with some of the following filenames:

<Windows>\Rundll16.exe
<System>\scanregw.exe
<System>\Winzip.exe
<System>\Update.exe
<System>\WinZip_Tmp.exe
<System>\New WinZip File.exe
movies.exe
Zipped Files.exe

W32/Nyxem-D sets the following registry entry to run itself on system startup:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
ScanRegistry
scanregw.exe /scan

W32/Nyxem-D also sets the following registry entries:

HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
WebView
0

W32/Nyxem-D may modify registry values under the following locations:

HKCU\Control Panel\BMale
HKCU\Control Panel\DNS

W32/Nyxem-D may drop an empty file in the Windows system folder with the same name as itself but with a ZIP extension, and attempt to open it in order to hide its functionality.

W32/Nyxem-D may periodically attempt to download and run an update of itself.

W32/Nyxem-D may attempt to display an icon in the Windows taskbar with the text "Update Please wait" if it detects the presence of anti-virus software. W32/Nyxem-D may also attempt to close windows, terminate programs, remove registry entries and delete files related to security and anti-virus programs.

W32/Nyxem-D sends itself to email addresses it harvests from files on the infected computer, sending itself as if from one contact to another. The emails sent have the following characteristics:

Subject lines include the following, or may be blank:

*Hot Movie*
A Great Video
Arab sex DSC-00465.jpg
eBook.pdf
Fuckin Kama Sutra pics
Fw:
Fw: DSC-00465.jpg
Fw: Funny :)
Fw: Picturs
Fw: Real show
Fw: SeX.mpg
Fw: Sexy
Fwd: Crazy illegal Sex!
Fwd: image.jpg
Fwd: Photo
give me a kiss
Hello
Miss Lebanon 2006
My photos
Part 1 of 6 Video clipe
Re:
Re: Sex Video
School girl fantasies gone bad
The Best Videoclip Ever
the file
Word file
You Must View This Videoclip!

Message bodies include the following, and may contain images that cannot be displayed:

----- forwarded message -----
???????????????????????????? ????????????? ?????? ???????????
>> forwarded message
DSC-00465.jpg DSC-00466.jpg DSC-00467.jpg
forwarded message attached.
Fuckin Kama Sutra pics
hello, i send the file. bye
hi i send the details bye
Hot XXX Yahoo Groups
how are you? i send the details. OK ?
i attached the details. Thank you
i just any one see my photos. It's Free :)
Note: forwarded message attached.
photo photo2 photo3
Please see the file.
ready to be FUCKED :)
VIDEOS! FREE! (US$ 0,00)
What?

Attachments may be executable files or mime files containing executable files. Executable attachment filenames include the following:

007.pif
04.pif
677.pif
document.pif
DSC-00465.Pif
DSC-00465.pIf
eBook.PIF
image04.pif
New_Document_file.pif
photo.pif
School.pif

Mime attachment filenames include the following:

3.92315089702606E02.UUE
Attachments[001].B64
Attachments00.HQX
Attachments001.BHX
eBook.Uu
Original Message.B64
Sex.mim
SeX.mim
Video_part.mim
WinZip.BHX
Word_Document.hqx
Word_Document.uu

Mime attachment filenames also include the following:

392315089702606E-02
Clipe
Miss
Photos
Sweet_09

with one of the following extensions:

.b64
.BHx
.HQX
.mim
.uu
.UUE
.XxE

If the attachment is a mime file, it contains a file with one of the following filenames followed by several spaces and an SCR extension:

392315089702606E-02,UUE
Adults_9,zip
ATT01.zip
Atta[001],zip
Attachments,zip
Attachments[001],B64
Clipe,zip
New Video,zip
Photos,zip
SeX,zip
WinZip,zip
WinZip.zip
Word XP.zip
Word.zip
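The attachment naming described above (PIF executables, encoded containers, and an inner filename padded with spaces before an SCR extension) can be checked at a mail gateway. The following Python code is an added example, not part of the original analysis or any Sophos product; the names `filename_flags` and `scan_message` are hypothetical, the inner name is read only from a uuencode `begin` line, the optional dot before the padded extension is an assumption, and the sample message is constructed.

```python
import os
import re
from email import message_from_string

# Extensions taken from the filename lists on this page.
EXECUTABLE_EXTS = {".pif", ".scr", ".exe"}
ENCODED_EXTS = {".b64", ".bhx", ".hqx", ".mim", ".uu", ".uue", ".xxe"}
# Two or more spaces before a trailing executable extension (dot optional: assumption).
PADDED_EXEC = re.compile(r"\s{2,}\.?(scr|pif|exe)$", re.I)
# Header line of a uuencoded body: "begin <mode> <inner filename>".
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (.+)$", re.M)

def filename_flags(name):
    """Return the reasons one attachment filename looks suspicious."""
    name = name.strip()
    ext = os.path.splitext(name.lower())[1]
    flags = []
    if PADDED_EXEC.search(name):
        flags.append("padded-executable-extension")
    if ext in EXECUTABLE_EXTS:
        flags.append("executable-extension")
    if ext in ENCODED_EXTS:
        flags.append("encoded-container")
    return flags

def scan_message(raw):
    """Map each flagged outer or inner filename in a raw message to its flags."""
    findings = {}
    for part in message_from_string(raw).walk():
        if part.is_multipart():
            continue
        names = [part.get_filename() or ""]
        body = part.get_payload()
        if isinstance(body, str):
            names += UU_BEGIN.findall(body)  # inner name inside a uuencoded body
        for n in names:
            if filename_flags(n):
                findings[n.strip()] = filename_flags(n)
    return findings

# Constructed sample message, not a captured one; the payload encodes "Cat".
SAMPLE = "\n".join([
    "Subject: Fw: Funny :)", "MIME-Version: 1.0",
    'Content-Type: multipart/mixed; boundary="BOUND"', "",
    "--BOUND", "Content-Type: text/plain", "", "Please see the file.",
    "--BOUND", "Content-Type: application/octet-stream",
    'Content-Disposition: attachment; filename="Word_Document.uu"', "",
    "begin 644 Photos,zip          .scr", "#0V%T", "`", "end", "--BOUND--", ""])
if __name__ == "__main__":
    print(scan_message(SAMPLE))
```

Filenames with single spaces, such as `New WinZip File.exe`, are flagged only for their extension, not for padding.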

W32/Nyxem-D attempts to spread to network shares with weak passwords using the name WINZIP_TMP.exe.
