W32/Nyxem.D (W32/Grew.A) Worm

| Name | W32/Nyxem.D (W32/Grew.A) Worm |
| Aliases | WORM_GREW.A, kama, sutra, kama sutra, KamaSutra |
| Discovered on | January 16, 2006 |
Virus Information - W32/Nyxem.D (W32/Grew.A) Worm:
W32/Nyxem.D is an email worm. It infects Windows systems and spreads through email and network shares.
The infected email carries a spoofed 'From' address picked at random from the infected system.
The subject of the infected mail is any one of the following:
*Hot Movie*
Fw: DSC-00465.jpg
Fw: Funny :)
A Great Video
Fw: Picturs
Fw: SeX.mpg
Fw: Sexy
Fw: Real show
Fwd: Crazy illegal Sex!
Fwd: Photo
Fwd: image.jpg
give me a kiss
My photos
Miss Lebanon 2006
Part 1 of 6 Video clipe
School girl fantasies gone bad
Photos
The body of the infected mail is any one of the following:
>> forwarded message
Fuckin Kama Sutra pics
forwarded message attached.
Helloi attached the details.
Hot XXX Yahoo Groups
how are you?
hello,
i send the details.
i send the file.
It's Free :)
i just any one see my photos.
Please see the file.
Re: Sex Video
Note: forwarded message attached. You Must View This Videoclip!
ready to be FUCKED ;)
The Best Videoclip Ever
the file i send the details
Thank you
VIDEOS! FREE! (US$ 0,00)
What?
The infected attachment is any one of the following:
007.pif
677.pif
392315089702606E-02,.scR
Arab sex DSC-00465.jpg
Adults_9,zip.sCR
ATT01.zip.sCR
Clipe,zip.sCr
document.pif
Attachments[001],B64.sCr
DSC-00465.pIf
eBook.pdf
DSC-00465.Pif
image04.pif
New Video,zip
New_Document_file.pif
photo.pif
eBook.PIF
School.pif
SeX,zip.scR
Sex.mim
Video_part.mim
Photos,zip.sCR
WinZip.BHX
WinZip.zip.sCR
WinZip,zip.scR
Word.zip.sCR
Word XP.zip.sCR
The worm also arrives in encoded form with one of the following file extensions:
.b64
.bhx
.hqx
.uu
.uue
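As an added example (not part of this advisory), the mail indicators above turned into a gateway-side check in Python. It lowercases attachment names, because the worm mixes case in its extensions (.sCR, .pIf) and substitutes a comma for the dot to make an executable read like an archive; both of those tricks are flagged in addition to exact matches. The sample messages in the usage block are constructed.

```python
import os

# Subject lines and attachment names listed in the advisory, normalised to lowercase.
NYXEM_SUBJECTS = {
    "*hot movie*", "fw: dsc-00465.jpg", "fw: funny :)", "a great video",
    "fw: picturs", "fw: sex.mpg", "fw: sexy", "fw: real show",
    "fwd: crazy illegal sex!", "fwd: photo", "fwd: image.jpg",
    "give me a kiss", "my photos", "miss lebanon 2006",
    "part 1 of 6 video clipe", "school girl fantasies gone bad", "photos",
}
NYXEM_ATTACHMENTS = {
    "007.pif", "677.pif", "392315089702606e-02,.scr", "arab sex dsc-00465.jpg",
    "adults_9,zip.scr", "att01.zip.scr", "clipe,zip.scr", "document.pif",
    "attachments[001],b64.scr", "dsc-00465.pif", "ebook.pdf", "image04.pif",
    "new video,zip", "new_document_file.pif", "photo.pif", "ebook.pif",
    "school.pif", "sex,zip.scr", "sex.mim", "video_part.mim", "photos,zip.scr",
    "winzip.bhx", "winzip.zip.scr", "winzip,zip.scr", "word.zip.scr",
    "word xp.zip.scr",
}
# Executable extensions the worm hides behind, and the encoded containers it also uses.
EXEC_EXT = {".pif", ".scr"}
ENCODED_EXT = {".b64", ".bhx", ".hqx", ".uu", ".uue"}


def classify_mail(subject: str, attachment: str) -> list:
    """Return the Nyxem.D indicators matched by one message (empty list if clean)."""
    hits = []
    subj = subject.strip().lower()
    name = attachment.strip().lower()   # defeats the mixed-case extension trick
    if subj in NYXEM_SUBJECTS:
        hits.append("subject")
    if name in NYXEM_ATTACHMENTS:
        hits.append("attachment-name")
    ext = os.path.splitext(name)[1]
    if ext in EXEC_EXT:
        hits.append("executable-extension")
        stem = name[:-len(ext)]
        # "Adults_9,zip.sCR" / "WinZip.zip.sCR": an archive-looking name ending in .scr/.pif
        if "," in stem or stem.endswith(".zip"):
            hits.append("fake-archive")
    if ext in ENCODED_EXT:
        hits.append("encoded-container")
    return hits


if __name__ == "__main__":
    for subj, att in [("Fw: SeX.mpg", "Adults_9,zip.sCR"), ("Quarterly report", "report.docx")]:
        print(subj, att, "->", classify_mail(subj, att))
```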
Upon execution of the infected attachment, the worm copies itself as scanregw.exe into the Windows System folder.
It also drops the following files:
winzip_tmp.exe and Rundll16.exe in the Windows folder.
Update.exe, Winzip.exe, sample.zip and winzip_tmp.exe in the Windows System folder.
The worm modifies the registry at the following location so that it is loaded at each startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
It searches the network for shared folders whose names contain the following strings and copies winzip_tmp.exe into them:
admin$
c$
To propagate, the worm scans files with the following extensions and collects all the email addresses it finds on the infected system:
doc, xls, pdf, ppt, pps, mdb, mde, psd, zip, rar and dmp.
The worm mails itself to these addresses using its own SMTP engine.
It attempts to disable some security-related software.
It disables the mouse and keyboard of the infected computer.
The worm carries a payload that is triggered on the 3rd of every month.
It alters all files with the following extensions on the compromised computer:
doc, xls, pdf, ppt, pps, mdb, mde, psd, zip, rar and dmp.