Check Point Advisories

Preemptive Protection against Blackworm

Check Point Reference:	CPAI-2006-006
Date Published:	25 Jan 2006
Severity:	Medium
Last Updated:	Tuesday 08 May, 2007
Source:	F-Secure
Protection Provided by:
Who is Vulnerable?	Windows 2000 Windows 95 Windows 98 Windows Me Windows NT Windows Server 2003 Windows XP
Vulnerability Description	BlackWorm is a worm that uses its own SMTP engine to spread using remote shares. The worm also tries to disable security-related and file sharing software as well as destroys files of certain types, including .DOC, .ZIP, .XLS and more. Blackworm usually attaches itself to e-mail messages as an executable file with the .pif extension. Blackworm is also known as Nyxem-D, MyWife, Kama Sutra, Grew and CME-24 virus.
Vulnerability Details	Using its own SMTP engine, BlackWorm spreads using different subjects, email bodies and attachments. The following file types will be overwritten by the worm: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ( 'DATA Error [47 0F 94 93 F4 K5]').