Sophos

W32/Nyxem-C

Aliases
  • W32/MyWife.c@MM
  • I-Worm.Nyxem.d

Summary

How it spreads
  • Email messages
  • Email attachments
  • Network shares
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 7 September 2004 06:46:49 (GMT)
Last updated 10 September 2004 10:53:17 (GMT)
Detected by All Sophos products

More Information

W32/Nyxem-C is an internet worm which spreads via network shares and by sending itself to contacts in the Outlook address book, to Yahoo Messenger and Yahoo Pager contacts and to email addresses found within files that have an extension of HTM or DBX.

Message subject lines include:

"Beethoven's Symphony No", "New_Stories HighwayBlues", "Ohhh", "hi", "For You", "Free Pic's Video", "none", "[none]", "help me", "you", "Please Read", "Important" and "reactive now".

W32/Nyxem-C is attached to messages as moderater.baT, The_Members.BaT or as part of a ZIP archive whose filename contains one of the following strings:

"Download.3gpzip.z", "The_movie_3zip.z", "Nokia_6600zip.z", "part_4Zip",
"Video_Live.zip", "Beethoven's Symphony No", "New_Stories HighwayBlues",
"_DVD_Viedo.Zip.z", "_Audio_XP.GZ", "_Zipped_File.Z", ".XP2002.Zip.scr" or
".DvD_Xp.scr".

Harmless files may be included in the zip attachment with filenames such as Vide01.jpg.

The following spoof addresses may be used in the message:

Thomas, <thomas_gay6@iopus.com>
vip, <sandra@oxygen.com>
Lola Ashton, <linda200@gmail.com>
Bad Love, <user377@worldsex.com>
Ralph, <fack_back06@mail.com>
Genius, <gustes@msn.com>
Sweet Women, <admin@newmovies.com>
Sara GL, <hot_woman2362@freevideos.net>
The Moon, <lost_love705@yahoo.com>
Binnn MT, <King_sexy@hotmal.com>

W32/Nyxem-C copies itself to network shares as "Good music.scr" or with filenames beginning "Beethoven's Symphony No" or "New_Stories HighwayBlues".

When run, W32/Nyxem-C tries to mask its true purpose by launching the Microsoft Media Player executable.

W32/Nyxem-C copies itself to the following locations:

%Program Files%\Internet Explorer\Media Player.exe
%WINDOWS%\Task.exe
%SYSTEM%\Connection.exe
%SYSTEM%\Downloading.DVD_____________________________________.exe
%SYSTEM%\File-04-Music.DVD_____________________________________.scr
%SYSTEM%\SoundTrack01.CD_____________________________________.exe
%SYSTEM%\The_Members.BaT
%SYSTEM%\moderater.baT
%SYSTEM%\movie009.pif
%SYSTEM%\new-video977.DVD____________________________________.scr
%SYSTEM%\reactive_group.bAt

W32/Nyxem-C also copies itself to the system folder using the name of an existing executable file, but with an ending of 'm.exe' replacing the original extension, for example W32/Nyxem-C may copy itself to the system folder as NOTEPADm.exe, twunk_16m.exe or winhlp32m.exe.

W32/Nyxem-C also creates a new sub-folder of the Windows folder named VOLUME\ with the hidden attribute set and copies itself to this folder using the name of an existing file. The pathname of this copy is added to new sub-keys of the following registry entries so that it is run on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\
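A triage check for the two persistence tricks just described (the `<existing executable>m.exe` shadow copies in the system folder and Run-key values pointing at a drop path or into the hidden VOLUME\ folder), written as an added example that is not part of the Sophos description. It assumes %WINDOWS% = C:\WINDOWS and %SYSTEM% = C:\WINDOWS\system32, and runs over a constructed folder listing and Run-key snapshot rather than a live host.

```python
import ntpath
from typing import Dict, Iterable, List

# Assumption: the shadowed original is an executable with one of these extensions.
EXE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat"}

# Drop locations taken from the description above, with the assumed folder layout
# %WINDOWS% = C:\WINDOWS and %SYSTEM% = C:\WINDOWS\system32 (lower-cased for matching).
KNOWN_DROPS = {
    "c:\\program files\\internet explorer\\media player.exe",
    "c:\\windows\\task.exe",
    "c:\\windows\\system32\\connection.exe",
    "c:\\windows\\system32\\the_members.bat",
    "c:\\windows\\system32\\moderater.bat",
    "c:\\windows\\system32\\movie009.pif",
    "c:\\windows\\system32\\reactive_group.bat",
}
HIDDEN_DIR_PREFIX = "c:\\windows\\volume\\"   # the hidden VOLUME\ sub-folder


def find_shadow_copies(listing: Iterable[str]) -> List[str]:
    """Return names of the form <stem>m.exe where <stem>.<exe ext> also exists.

    The worm names its copy after an existing executable with 'm.exe' replacing
    the original extension (NOTEPAD.exe -> NOTEPADm.exe), so such pairs are suspicious.
    """
    names = list(listing)
    stems = {ntpath.splitext(n)[0].lower() for n in names
             if ntpath.splitext(n)[1].lower() in EXE_EXTS}
    return [n for n in names
            if n.lower().endswith("m.exe") and n.lower()[:-5] in stems]


def suspicious_run_entries(run_values: Dict[str, str]) -> List[str]:
    """Return Run-key value names whose command is a known drop path or lives
    inside the hidden VOLUME\\ folder; quotes around the path are tolerated."""
    flagged = []
    for name, cmd in run_values.items():
        path = cmd.strip().strip('"').lower()
        if path in KNOWN_DROPS or path.startswith(HIDDEN_DIR_PREFIX):
            flagged.append(name)
    return sorted(flagged)


# Constructed sample data (not captured from a real machine).
SAMPLE_SYSTEM_DIR = ["NOTEPAD.exe", "NOTEPADm.exe", "twunk_16.exe", "twunk_16m.exe",
                     "winhlp32.exe", "winhlp32m.exe", "calc.exe", "form.exe", "Task.exe"]
SAMPLE_RUN = {
    "ctfmon.exe": "C:\\WINDOWS\\system32\\ctfmon.exe",     # benign
    "Media": "C:\\WINDOWS\\VOLUME\\Media Player.exe",       # hidden VOLUME\ copy
    "Task": "C:\\WINDOWS\\Task.exe",                        # known drop path
}
```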

The following harmless files are created:

%SYSTEM%\About_BlackWorm.C.txt
%SYSTEM%\Beethoven's_Symphony_No.rm
%SYSTEM%\New_Stories__Highway_Blues.rm
%SYSTEM%\Vide01.jpg
%SYSTEM%\about.txt

The library DLL OSSMTP.DLL is dropped to the system folder and registered as a COM object creating registry entries under:

HKCR\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}
HKCR\Interface\{3EC61E06-D128-41E3-8BBD-D8048BF6F2EC}
HKCR\Interface\{4F0A64F5-9E1E-42DB-9A58-34AEC4AA15DC}
HKCR\Interface\{7735921B-5977-4FE9-B28E-4DBE5E98C6A3}
HKCR\Interface\{98416333-DC4C-4F02-9A5B-F33C7580380E}
HKCR\Interface\{9ABAF239-5028-47C1-8B05-D9C50EE0CAC1}
HKCR\Interface\{CCD12224-C0E1-407C-A023-5FBB7DBA32BC}
HKCR\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}
HKCR\OSSMTP.SMTPSession

OSSMTP.DLL is a legitimate COM library for Microsoft Visual Basic, providing functionality to send emails. To de-register OSSMTP.DLL run:

regsvr32 /U OSSMTP.DLL

W32/Nyxem-C also sets the following registry entries:

HKCU\Identities\Email
HKCU\Identities\Outlook Express
HKCU\Software\Nico Mak Computing\WinZip\WinIni\Name = "BlackWorm"
HKCU\Software\Nico Mak Computing\WinZip\WinIni\SN = "2AD00ED6"
HKCU\Software\Nico Mak Computing\WinZip\caution\NoBetaMessage = "1"
HKCU\Software\Nico Mak Computing\WinZip\filemenu\filemenu1 = "C:\WINDOWS\system32\2.zip"
HKCU\Software\Nico Mak Computing\WinZip\filemenu\filemenu2 = "C:\WINDOWS\system32\3.zip"
HKCU\Software\Nico Mak Computing\WinZip\filemenu\filemenu3 = "C:\WINDOWS\system32\1.zip"
HKCU\Software\Nico Mak Computing\WinZip\filemenu\filemenu4 = "C:\WINDOWS\system32\4.zip"
HKCR\.chm\Num = 2
HKCR\.chm\1 = "Beethoven's Symphony No"
HKCR\.chm\2 = "New Stories Highway Blues "
HKLM\SYSTEM\ControlSet001\Services\TlntSvr\Start = 2
HKLM\SOFTWARE\Microsoft\Active Setup\Security = <pathname of W32/Nyxem-C executable>

W32/Nyxem-C tries to terminate and remove selected anti-virus and security related applications and deletes selected sub-keys of the following registry entries to prevent applications from running on startup:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices\
HKCU\Software\Microsoft\Windows\CurrentVersion\Run\

Sub-keys include: NPROTECT, ccApp, ScriptBlocking, MCUpdateExe, VirusScan Online, MCAgentExe, VSOCheckTask, McRegWiz, McVsRte, PCClient.exe, PCCClient.exe, PCCIOMON.exe, pccguide.exe, PccPfw, tmproxy, McAfeeVirusScanService, NAV Agent, SSDPSRV, rtvscn95, defwatch, vptray, Taskmon, KasperskyAv, system., msgsrv32, Windows Services Host, Explorer, Sentry, ssate.exe, winupd.exe, au.exe, OLE, gigabit.exe, Norton Antivirus AV, reg_key, Windows Update, _Hazafibb, win_upd.exe, JavaVM, Services, winupdt, Traybar, key, erthgdr, wersds.exe and Task.
