Tarek Chaaban


Nyxem virus



Technical Analysis

Win32/Mywife.E@mm spreads as an attachment to e-mail messages or over network shares. It can create numerous copies of itself with names such as “WinZip,zip.scr” and “Photos,zip.exe”. The worm disguises these copies in two ways so that they do not appear to be executable files. First, the file icon resembles the WinZip icon. Second, the file can carry a double extension: the first extension suggests a multimedia file, such as .mp3 or .wav, while the second marks an executable, but there may be so many spaces between the two that the second extension is not visible in a file list. The mail body mentions pictures from the Kama Sutra.

The worm adds data to the registry so that it runs each time Windows starts. It does this by adding the value “ScanRegistry scanregw.exe /scan” under the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
The worm continually rewrites this registry data, so it is restored if it is removed or changed.

The worm modifies or deletes files and registry keys associated with certain security-related applications, which prevents those applications from running when Windows starts. It deletes the products' startup entries (listed below) from the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices

The startup entries it deletes are:

NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
PCCIOMON.exe (it is in the list twice)
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare
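As an added defensive example (not part of the original post), the script below applies the two indicators described above to constructed sample data: it flags filenames using the double-extension-with-padding disguise and checks a Run key's values for the worm's ScanRegistry entry and for security-product entries that have gone missing. The value names in SECURITY_VALUES are taken from the list above; the sample filenames, registry data and paths are made up for the example.

```python
import re

# Executable extensions that the worm hides behind a harmless-looking first extension.
EXEC_EXTS = {".exe", ".scr", ".pif", ".com"}
# Decoy first extensions (multimedia / archive) such as the .mp3 and .wav the page mentions.
DECOY_EXTS = {".mp3", ".wav", ".zip", ".jpg", ".gif"}
# "<stem><. or ,><decoy><optional run of spaces>.<real>"  e.g. "Photos,zip.exe" or "track.wav      .exe"
DOUBLE_EXT = re.compile(r"^(?P<stem>.+?)[.,](?P<decoy>[A-Za-z0-9]{2,4})(?P<pad> *)\.(?P<real>[A-Za-z0-9]{2,4})$")

# Autorun value names of security products from the page's list (subset; extend as needed).
SECURITY_VALUES = ["ccApp", "NAV Agent", "McAfeeVirusScanService", "KAVPersonal50",
                   "AVG7_Run", "avast!", "OfficeScanNT Monitor", "NPROTECT"]


def classify_filename(name):
    """Return a reason string if `name` uses the double-extension disguise, else None."""
    m = DOUBLE_EXT.match(name)
    if m is None:
        return None
    decoy, real, pad = "." + m["decoy"].lower(), "." + m["real"].lower(), m["pad"]
    if real not in EXEC_EXTS:
        return None  # second extension is not executable: not the trick described above
    if pad or decoy in DECOY_EXTS:
        return f"{decoy} decoy hides {real} ({len(pad)} padding spaces)"
    return None


def check_run_key(values, expected=SECURITY_VALUES):
    """`values` maps value name -> data for one Run key (constructed for the example).
    Flags the worm's ScanRegistry entry and any expected security-product entry that is gone."""
    findings = []
    for name, data in values.items():
        if name.lower() == "scanregistry" and "scanregw.exe" in data.lower():
            findings.append(f"persistence indicator: {name}={data!r}")
    for name in expected:
        if name not in values:
            findings.append(f"security product autorun entry missing: {name}")
    return findings


if __name__ == "__main__":
    # Constructed sample data, not taken from a real host.
    sample_files = ["Photos,zip.exe", "track.wav          .exe", "holiday.mp3", "setup.exe"]
    sample_run = {"ScanRegistry": "scanregw.exe /scan",
                  "ccApp": r"C:\Program Files\Common Files\Symantec Shared\ccApp.exe"}
    for f in sample_files:
        print(f"{f!r:40} -> {classify_filename(f)}")
    for finding in check_run_key(sample_run, expected=["ccApp", "NAV Agent"]):
        print(finding)
```

On a live host the Run key values would be read with the winreg module instead of the constructed dictionary; the checks themselves stay the same.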


3 Comments

  1. WINZIP_TMP.exe

  2. I couldn't delete the winzip_tmp.exe; it spreads to all of the programs. What can I do, please?

  3. I couldn't delete the winzip_tmp.exe; it spreads to all of the programs. What can I do, please?
