Tarek Chaaban

The official blog of Tarek Chaaban, M.Sc. It contains his current web project portfolio, posts about his Canadian army experience, news, sports articles, and web tutorials on programming and using social networking technologies.

Nyxem virus


The worm deletes a large number of security and file-sharing related files:

%ProgramFiles%\DAP\*.dll
%ProgramFiles%\BearShare\*.dll
%ProgramFiles%\Symantec\LiveUpdate\*.*
%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
%ProgramFiles%\Norton Antivirus\*.exe
%ProgramFiles%\Alwil Software\Avast4\*.exe
%ProgramFiles%\McAfee.com\Agent\*.*
%ProgramFiles%\McAfee.com\shared\*.*
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
%ProgramFiles%\Trend Micro\Internet Security\*.exe
%ProgramFiles%\NavNT\*.exe
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%ProgramFiles%\Grisoft\AVG7\*.dll
%ProgramFiles%\TREND MICRO\OfficeScan\*.dll
%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar
%ProgramFiles%\Morpheus\*.dll

The worm reads folder locations from the following registry values and deletes the files in those folders that match the listed patterns:
HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Home Directory – (*.exe)
HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps\NAV – (*.exe)
HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal\Folder – (*.exe, *.*)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe\Path – (*.ppl, *.exe)
HKEY_LOCAL_MACHINE\Sofware\KasperskyLab\Components\101\Folder – (*.exe)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum\InstallLocation – (*.exe)

Win32/Mywife.E can spread by copying itself to writeable network shares. It also spreads by sending a copy or archive of itself as an attachment to e-mail addresses found on the infected computer. The attachments are encoded using MIME, UUENCODE or BASE64 encoding, and have names such as Attachments00.HQX, Video_part.mim, SeX.mim, OriginalMessage.B64, etc. The encoded files within these attachments have names such as SeX,zip.scR, Atta[001],zip].SCR, New Video,zip.sCr, etc.
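A mail-gateway check for the attachment pattern described above, as an added example that is not part of the original post: it flags a wrapper attachment (.HQX, .mim, .B64) whose declared inner file name ends in an executable extension, compared case-insensitively. The function names, the executable extensions other than .scr, and the sample message are assumptions constructed for illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Outer attachment extensions named in the write-up (compared case-insensitively).
WRAPPER_EXTS = {".hqx", ".mim", ".b64"}
# .scr comes from the write-up; the other executable extensions are an assumption.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat"}

UU_BEGIN = re.compile(rb"^begin [0-7]{3,4} (.+?)\r?$", re.M)     # uuencode header line
MIME_NAME = re.compile(rb'(?:file)?name="?([^"\r\n;]+)', re.I)  # MIME name/filename parameter

def ext(name):
    """Lower-cased final extension, so .scR, .SCR and .sCr all compare equal."""
    dot = name.rfind(".")
    return name[dot:].lower() if dot != -1 else ""

def inner_names(payload):
    """File names declared inside a uuencoded or MIME-wrapped payload (bytes)."""
    found = UU_BEGIN.findall(payload) + MIME_NAME.findall(payload)
    return [n.decode("latin-1").strip() for n in found]

def scan_message(raw):
    """Return (attachment, inner_name) pairs where a wrapper attachment carries an executable."""
    hits = []
    msg = message_from_bytes(raw, policy=policy.default)
    for part in msg.iter_attachments():
        outer = part.get_filename() or ""
        if ext(outer) not in WRAPPER_EXTS:
            continue
        payload = part.get_payload(decode=True) or b""
        hits += [(outer, n) for n in inner_names(payload) if ext(n) in EXECUTABLE_EXTS]
    return hits

def build_sample(outer, inner):
    """Constructed test message: harmless uuencoded text ("Cat") under the given names."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("see attachment")
    body = b"begin 644 " + inner.encode() + b"\n#0V%T\n`\nend\n"
    msg.add_attachment(body, maintype="application", subtype="octet-stream", filename=outer)
    return msg.as_bytes()

if __name__ == "__main__":
    for outer, inner in [("Video_part.mim", "New Video,zip.sCr"), ("notes.b64", "notes.txt")]:
        print(outer, "->", scan_message(build_sample(outer, inner)))
```

Matching on the final extension only is what catches names such as SeX,zip.scR, where the comma makes "zip" look like the file type.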


3 Comments

  1. WINZIP_TMP.exe

  2. I couldn't delete the winzip_tmp.exe. It spreads to all of the programs. What can I do, please?

  3. I couldn't delete the winzip_tmp.exe. It spreads to all of the programs. What can I do, please?
