Nyxem.E virus delete files payload

F-secure has some details on a dangerous payload for the Nyxem.E virus. (The Nyxem.E virus is very similar to the Email-Worm.Win32.VB.bi that was talked about earlier in the week.) In fact, this virus seems to be spreading fairly well (not the blockbuster spread of older email viruses, but it is spreading.) Anyway, according to f-secure it will on the 3rd of the month, delete all files matching the following patterns. *.doc *.xls *.mdb *.mde *.ppt *.pps *.zip *.rar *.pdf *.psd *.dmp *(on all accessible drives.)

What this means is that IF you have this virus and it’s the third of the month it will delete most all Microsoft Office formatted documents + rar’s, zips, pdf and a few other file formats. Nasty. Technically it doesn’t delete them, but overwrite their data with… “The files’ contens get replaced with a text string “DATA Error [47 0F 94 93 F4 K5]”.”

Through the process of infection it also deletes the following files…..

\Symantec\Common Files\Symantec Shared\*.*
\Norton AntiVirus\*.exe
\Alwil Software\Avast4\*.exe
\Trend Micro\PC-cillin 2002\*.exe
\Trend Micro\PC-cillin 2003\*.exe
\Trend Micro\Internet Security\*.exe
\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
\TREND MICRO\OfficeScan\*.dll
\Trend Micro\OfficeScan Client\*.exe
\LimeWire\LimeWire 4.2.6\LimeWire.jar

( The * matches anything for those that don’t know…., so deleting *.dll in a folder deletes this.dll that.dll and the other.dll, without having to explicitly give a delete command for each. Think of it as “delete everything that ends with .dll” to delete *.dll)

   Send article as PDF   

Similar Posts