Nyxem Mass-mailing Worm
added January 24, 2006
US-CERT is aware of a new mass-mailing worm known as Nyxem (CME-24). This worm relies on social engineering to propagate. Specifically, the user must click on a link or open an attached file.
The Nyxem worm targets Windows systems that hide file extensions for known file types (this is the default setting for Windows XP and possibly other versions). The worm’s icon makes it appear to be a WinZip file. As a result, the user may unknowingly start the worm.
Once a Windows system is infected, the malicious code may:
- Attempt to harvest email addresses stored on the infected system
- Utilize its own SMTP engine to send itself to the harvested email addresses
- Disable anti-virus and file sharing programs
- Spread itself using all available Windows network shares on the infected system
- Modify the Active Desktop
In addition, on February 3, 2006, the worm will destroy files with the following extensions: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DM.
Although there is limited information concerning this potential threat, US-CERT strongly encourages users and system administrators to implement the following workarounds:
- Install anti-virus software, and keep its virus signature files up to date
- Block executable and unknown file types at the email gateway
Additionally, US-CERT strongly encourages users not to follow unknown links, even if sent by a known and trusted source. Users may also wish to visit the US-CERT Computer Virus Resources for general virus protection information.
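The gateway workaround above, shown as an added example that is not part of the US-CERT advisory: a filter that blocks executable and unknown attachment types and flags an executable hidden behind a decoy extension, which is how a file can pass for an archive when Windows hides known extensions. The extension lists, function names and sample message are assumptions made for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed gateway policy (not from the advisory): reject these outright...
BLOCKED = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# ...and pass only these; anything else counts as an unknown file type.
ALLOWED = {".txt", ".pdf", ".doc", ".xls", ".ppt", ".zip", ".jpg", ".png"}

def attachment_verdict(filename):
    """Return (action, reason) for one attachment file name."""
    # Windows ignores trailing dots and spaces, so normalise them away first.
    name = (filename or "").strip().rstrip(". ").lower()
    stem, ext = os.path.splitext(name)
    if not ext:
        return "block", "no extension"
    if ext in BLOCKED:
        # With extensions hidden, "x.zip.exe" is displayed as "x.zip".
        if os.path.splitext(stem)[1] in ALLOWED:
            return "block", "executable behind decoy extension"
        return "block", "executable file type"
    if ext not in ALLOWED:
        return "block", "unknown file type"
    return "allow", "permitted type"

def scan_message(raw):
    """Parse raw RFC 5322 bytes; return (filename, action, reason) per attachment."""
    msg = message_from_bytes(raw, policy=policy.default)
    return [(p.get_filename(), *attachment_verdict(p.get_filename()))
            for p in msg.iter_attachments()]

def build_sample():
    """Constructed test message; the attachment names are invented."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = "a@example.com", "b@example.com", "photos"
    msg.set_content("see attached")
    for fname in ("photos.zip.exe", "report.pdf"):
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()

if __name__ == "__main__":
    for row in scan_message(build_sample()):
        print(row)
```

The check works on declared file names only; a production gateway would also inspect file content and the members of archives.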