Nyxem virus
The first time the worm will corrupt the content of those files is on February 3rd, 2006.
The worm locates computers on the network using the network API calls WNetOpenEnum and WNetEnumResource.
It attempts to connect to each machine that it finds as the user “Administrator” with the password “” (blank). It does this via command line, executing the command ‘Net Use \\
It then uses the administrative C$ share to check for the existence of the following folders on the machine, and attempts to delete any files within those folders. Note that this will succeed if either the machine has a blank administrator password, or if the user’s current credentials grant them access to the remote machine:
\C$\Program Files\Norton AntiVirus
\C$\Program Files\Common Files\symantec shared
\C$\Program Files\Symantec\LiveUpdate
\C$\Program Files\McAfee.com\VSO
\C$\Program Files\McAfee.com\Agent
\C$\Program Files\McAfee.com\shared
\C$\Program Files\Trend Micro\PC-cillin 2002
\C$\Program Files\Trend Micro\PC-cillin 2003
\C$\Program Files\Trend Micro\Internet Security
\C$\Program Files\NavNT
\C$\Program Files\Panda Software\Panda Antivirus Platinum
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
\C$\Program Files\Panda Software\Panda Antivirus 6.0
\C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus
The worm copies itself to the following locations on the remote machine:
\Admin$\WINZIP-TMP.exe (this is an administrative share of the Windows folder)
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\Winzip Quick Pick.exe
The worm uses the ‘at’ command to schedule execution of both \admin$\WINZIP_TMP.exe and \c$\WINZIP_TMP.exe on the remote machine at
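
As an added example (not part of the original write-up), this Python script checks a mounted or offline volume for the drop locations and the targeted security-product folders listed above. The function names, the constructed sample tree and the "folder exists but holds no files" heuristic are assumptions made for illustration.

```python
import os
import tempfile

# Drop locations named on this page (both file-name spellings), under C$ / Admin$.
DROPS_ON_DRIVE = [
    "WINZIP_TMP.exe",
    r"Documents and Settings\All Users\Start Menu\Programs\Startup\Winzip Quick Pick.exe",
]
DROPS_IN_WINDIR = ["WINZIP-TMP.exe", "WINZIP_TMP.exe"]
# A subset of the targeted security-product folders listed above.
AV_DIRS = [r"Program Files\Norton AntiVirus", r"Program Files\Symantec\LiveUpdate",
           r"Program Files\McAfee.com\VSO", r"Program Files\NavNT"]

def resolve(root, rel):
    """Resolve a backslash-separated path case-insensitively, as Windows does."""
    cur = root
    for part in rel.split("\\"):
        try:
            names = os.listdir(cur)
        except OSError:
            return None
        match = next((n for n in names if n.lower() == part.lower()), None)
        if match is None:
            return None
        cur = os.path.join(cur, match)
    return cur

def scan(drive_root, windir):
    """Return (dropped worm copies, AV folders that exist but hold no files)."""
    dropped = [p for rel in DROPS_ON_DRIVE if (p := resolve(drive_root, rel))]
    dropped += [p for rel in DROPS_IN_WINDIR if (p := resolve(windir, rel))]
    emptied = []  # heuristic (assumption): an installed product folder with no files left
    for rel in AV_DIRS:
        path = resolve(drive_root, rel)
        if path and os.path.isdir(path) and not any(f for _, _, f in os.walk(path)):
            emptied.append(path)
    return dropped, emptied

def demo():
    """Scan a constructed sample volume (not real data) built in a temp dir."""
    root = tempfile.mkdtemp()
    for d in ("WINDOWS", "Program Files/Norton AntiVirus/Quarantine",
              "Program Files/McAfee.com/VSO"):
        os.makedirs(os.path.join(root, d))
    for f in ("winzip_tmp.exe", "WINDOWS/WINZIP-TMP.exe",
              "Program Files/McAfee.com/VSO/sample.dat"):
        open(os.path.join(root, f), "wb").close()
    return scan(root, os.path.join(root, "WINDOWS"))
```

Point `scan()` at the system drive root and the Windows folder of the volume under examination; an emptied folder is only a hint and should be confirmed against the product's own status.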

WINZIP_TMP.exe
I couldn't delete the winzip_tmp.exe. It spreads on all of the programs. What can I do, please?