Tuesday, January 24, 2006 11:09 AM
SANS - Internet Storm Center - BlackWorm Summary
BlackWorm Summary (NEW)
Last Updated: 2006-01-24 17:04:18 UTC by Johannes Ullrich (Version: 1)
Over the last week, "Blackworm" infected more than 700,000 systems, as measured by a counter web site the worm uses to track itself. This worm is different from, and more serious than, other worms for a number of reasons. In particular, it will delete a user's files on February 3rd.
At this point, the worm is detected by up-to-date antivirus signatures. To protect yourself from data loss on February 3rd, use current (Jan 23rd or later) antivirus signatures.
We will try to post more detailed cleanup instructions later. However, it is likely that you will have to rebuild the system from scratch. Obtaining good backups is a critical first step.
The first thing you should do is to update your anti virus signatures.
This page will be updated as new information becomes available. Please see the end of the page for references to other sites.
As usual, this worm/virus has collected a number of names from various vendors. It is so far known as Blackmal, Nyxem, MyWife, and Tearec, among other names. At this time, a CME ID number is not yet available.
Joe Stewart (Lurhq.com) provided the following Snort signatures based on his analysis of the worm:
This sig alerts if someone visits any counter at webstats.web.rcn.net without a Referrer: header in their URL. Could be an infected user, could be one of us checking out the counter stats:
alert tcp any any -> any 80 \
  (msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)"; \
  content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|"; \
  content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|"; \
  classtype:misc-activity; sid:1000376; rev:1;)
This sig alerts on the specific pattern BlackWorm uses to test connectivity to www.microsoft.com. It's unique in that the request doesn't have a User-agent: header. So this will catch BlackWorm and possibly other automated requests to microsoft (which could happen if someone codes a sloppy app that uses the exact same pattern - but they should probably be flogged anyway)
# The rule text below was truncated on this page: the closing quotes and the
# negated User-Agent match are reconstructed from the description above.
alert tcp any any -> any 80 \
  (msg:"Agentless HTTP request to www.microsoft.com (possible BlackWorm infection)"; \
  content:"GET / HTTP/1.1|0d 0a|Host|3a 20|www.microsoft.com|0d 0a|"; \
  content:!"User-Agent|3a|"; \
  classtype:misc-activity; sid:1000377; rev:1;)
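The two Snort conditions above can also be checked outside Snort, for example over requests pulled from proxy logs or a packet capture. The following Python is an added example written for this page; it is not from the ISC diary or from Joe Stewart's rules. It re-implements both detection conditions (counter hit with no Referer header; bare GET to www.microsoft.com with no User-Agent header) and runs them over constructed sample requests. The counter id value and the Referer URL in the samples are placeholders, not values from the worm. Header names are matched case-insensitively, which is slightly broader than the byte-exact Snort content matches, and the "df=" check is restricted to the request line whereas Snort searches the whole payload.

```python
def parse_request(raw: bytes):
    """Split a raw HTTP request into its request line and a lower-cased header map."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0].decode("latin-1")
    headers = {}
    for line in lines[1:]:
        if b":" not in line:
            continue
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line, headers


def is_counter_without_referer(raw: bytes) -> bool:
    """Python equivalent of sid:1000376: a GET for /cgi-bin/Count.cgi?...df=...
    sent to webstats.web.rcn.net with no Referer header at all."""
    request_line, headers = parse_request(raw)
    return (request_line.startswith("GET /cgi-bin/Count.cgi?")
            and "df=" in request_line
            and headers.get("host") == "webstats.web.rcn.net"
            and "referer" not in headers)


def is_agentless_microsoft_probe(raw: bytes) -> bool:
    """Python equivalent of sid:1000377: the bare connectivity check
    'GET / HTTP/1.1' to www.microsoft.com with no User-Agent header."""
    request_line, headers = parse_request(raw)
    return (request_line == "GET / HTTP/1.1"
            and headers.get("host") == "www.microsoft.com"
            and "user-agent" not in headers)


def classify(raw: bytes) -> str:
    """Return a short verdict label for one request."""
    if is_counter_without_referer(raw):
        return "counter-no-referer"
    if is_agentless_microsoft_probe(raw):
        return "agentless-msft-probe"
    return "benign"


def scan(samples: dict) -> dict:
    """Classify every request in a {name: raw_bytes} map."""
    return {name: classify(raw) for name, raw in samples.items()}


# Constructed sample requests (not captured traffic). "example_counter" and
# http://example.org/ are placeholders, not the worm's real counter id or any real referrer.
SAMPLES = {
    "counter_hit_no_referer": (
        b"GET /cgi-bin/Count.cgi?df=example_counter HTTP/1.1\r\n"
        b"Host: webstats.web.rcn.net\r\n\r\n"),
    "analyst_counter_visit": (
        b"GET /cgi-bin/Count.cgi?df=example_counter HTTP/1.1\r\n"
        b"Host: webstats.web.rcn.net\r\n"
        b"Referer: http://example.org/\r\n\r\n"),
    "agentless_probe": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.microsoft.com\r\n\r\n"),
    "browser_visit": (
        b"GET / HTTP/1.1\r\n"
        b"Host: www.microsoft.com\r\n"
        b"User-Agent: Mozilla/5.0\r\n\r\n"),
}

if __name__ == "__main__":
    for name, verdict in scan(SAMPLES).items():
        print(f"{name:25s} {verdict}")
```

The second sample shows why the Referer check matters: an analyst browsing to the counter page with a normal browser sends a Referer header and is not flagged, while the worm's direct request is. Likewise the fourth sample, a browser request carrying a User-Agent header, is not matched by the microsoft.com rule.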
We would like to thank the members of the BlackWorm task force for analysis and coordination. This task force involves many in the security community and industry (anti-spam, CERTs, antivirus, academia, ISPs, etc.), working together to combat threats to the security of the Internet in cooperation with law enforcement globally.
Note: some of these links will offer removal tools. We have not tested any of these tools thoroughly enough to recommend them. They should be used as a "first try" tool, but do not substitute for a full analysis and possible rebuild of the infected system. BlackWorm includes the ability to install additional components. These additional components, if installed, will likely be missed. In addition, a virus like BlackWorm is likely an indication of a more fundamental problem in your security posture and multiple infections are likely.