Disinfect the Nyxem worm or lose your data on the third of February
Nyxem, also known as Blackworm, is a very dangerous worm: on the third Friday of the month it destroys all documents in common formats such as .doc.
So it is important to coordinate the clean-up operation before the THIRD of February.
The Internet Storm Center called upon us:
Blackworm-infected machines reported the fact that they got infected to a 'counter' site. The TISF BlackWorm task force obtained the logs from this counter, and is notifying networks represented in the logs. These notifications will use a from address of "email@example.com" or "Randy_Vaughn@Baylor.edu". Please e-mail jullrich at sans.org if you would like to obtain a list for your network, and have not received an automated e-mail.
Please include information to support that your e-mail address is associated with administering the respective networks, or a phone number to validate the information.
Technical cleanup information is here.
Any connection in your logs to the counter site webstats.web.rcn.net can be interpreted as a report to the virus counter.
The Snort rule that matches this counter request looks like this:
alert tcp any any -> any 80
(msg:"webstats.web.rcn.net count.cgi request
without referrer (possible BlackWorm infection)";
content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|";
content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|";
classtype:misc-activity; sid:1000376; rev:1;)
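For sites that keep HTTP request captures or proxy logs rather than running Snort, the same four conditions of that rule (request line prefix within the first 23 bytes, "df=" in the URL, Host header for the counter site, no Referer header) can be checked offline. The following Python is an added example written for this post; it is not code from the original post, from SANS or from the task force. The request samples are constructed, and the "df=" value is a placeholder, since the post only gives the parameter name.

```python
"""Offline re-implementation of the BlackWorm counter-request check expressed
by the Snort rule above, applied to raw HTTP request captures.
Added example (not from the original post); sample requests are constructed."""

from typing import Dict, List

# The same conditions as the Snort rule. depth:23 means the 23-byte pattern
# must sit at the very start of the request, which is a startswith() check.
REQUEST_LINE_PREFIX = b"GET /cgi-bin/Count.cgi?"
COUNTER_HOST = b"webstats.web.rcn.net"


def parse_request(raw: bytes) -> Dict[str, bytes]:
    """Split a raw HTTP/1.x request head into its request line and headers.

    Header names are lower-cased so lookups are case-insensitive. Any body
    after the blank line is ignored because the rule only inspects the head."""
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request: Dict[str, bytes] = {"request_line": lines[0]}
    for line in lines[1:]:
        if b":" not in line:
            continue  # not a header line; skip rather than fail on odd input
        name, value = line.split(b":", 1)
        request[name.strip().lower().decode("ascii", "replace")] = value.strip()
    return request


def looks_like_blackworm_counter(raw: bytes) -> bool:
    """True when the request matches all four conditions of the Snort rule."""
    req = parse_request(raw)
    line = req["request_line"]
    if not line.startswith(REQUEST_LINE_PREFIX):      # content:"GET /cgi-bin/Count.cgi|3f|"; depth:23
        return False
    if b"df=" not in line:                             # content:"df|3d|"
        return False
    host = req.get("host", b"").split(b":")[0].lower()  # drop an optional :port
    if host != COUNTER_HOST:                           # content:"Host|3a 20|webstats.web.rcn.net"
        return False
    if "referer" in req:                               # content:!"Referer|3a|"
        return False
    return True


def find_suspect_requests(requests: List[bytes]) -> List[int]:
    """Return the indexes of captured requests that trigger the check."""
    return [i for i, raw in enumerate(requests) if looks_like_blackworm_counter(raw)]


# Constructed samples (not real captures):
#   0: the shape of an infected host's report (placeholder df= value)
#   1: the same URL but sent with a Referer, e.g. a browser following a link
#   2: an unrelated request to the same host
SAMPLE_REQUESTS = [
    b"GET /cgi-bin/Count.cgi?df=PLACEHOLDER.dat HTTP/1.1\r\n"
    b"Host: webstats.web.rcn.net\r\n"
    b"User-Agent: Mozilla/4.0\r\n\r\n",
    b"GET /cgi-bin/Count.cgi?df=PLACEHOLDER.dat HTTP/1.1\r\n"
    b"Host: webstats.web.rcn.net\r\n"
    b"Referer: http://example.invalid/page.html\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\n"
    b"Host: webstats.web.rcn.net\r\n\r\n",
]

if __name__ == "__main__":
    for i in find_suspect_requests(SAMPLE_REQUESTS):
        first_line = SAMPLE_REQUESTS[i].split(b"\r\n")[0].decode("ascii", "replace")
        print("possible BlackWorm counter request:", first_line)
```

Only the first sample is flagged: the second carries a Referer, which the rule explicitly excludes, and the third never asks for Count.cgi. Feeding real captures through find_suspect_requests gives the same hits Snort would raise with sid 1000376, which is useful for going back over logs from before the rule was deployed.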
More technical info: http://blogs.securiteam.com/index.php/archives/229
A deep analysis: http://www.lurhq.com/blackworm.html