25-01-06

Disinfect the Nyxem worm or lose your data on the third of February

Nyxem, also known as BlackWorm, is a very dangerous worm: on the third Friday of the month it destroys all documents in common formats such as .doc and so on.

So it is important to coordinate the cleanup operation before the THIRD of February.

The Internet Storm Center called upon us:

Blackworm infected machines reported to a 'counter' site the fact that they got infected. The TISF BlackWorm task force obtained the logs from this counter, and is notifying networks represented in the logs. These notifications will use a from address of "handlers@sans.org" or "Randy_Vaughn@Baylor.edu". Please e-mail jullrichat/sans.org if you would like to obtain a list for your network, and have not received an automated e-mail.

Please include information to support that your e-mail address is associated with administering the respective networks, or a phone number to validate the information.

http://isc.sans.org/diary.php?storyid=1073&rss

Technical cleanup information is here:

http://isc.sans.org/diary.php?storyid=1067&rss

Any connection in your logs to the site hosting the counter, webstats.web.rcn.net, can be interpreted as a connection to the virus counter.

The Snort signature for that counter request looks like this:

alert tcp any any -> any 80
(msg:"webstats.web.rcn.net count.cgi request without referrer (possible BlackWorm infection)";
content:"GET /cgi-bin/Count.cgi|3f|"; depth:23; content:"df|3d|";
content:"Host|3a 20|webstats.web.rcn.net"; content:!"Referer|3a|";
classtype:misc-activity; sid:1000376; rev:1;)
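If you have proxy logs or a packet capture rather than a Snort sensor, the same four conditions can be checked offline. The script below is an added example written for this post, not code from the ISC or from the blog: it re-implements the rule's logic on raw HTTP requests, flagging a GET for /cgi-bin/Count.cgi?...df=... sent to webstats.web.rcn.net without a Referer header. The sample requests are constructed, the df= value is a placeholder rather than the real counter id, and the Host comparison is case-insensitive, which is slightly broader than the Snort content match.

```python
from typing import Dict, List, Tuple

COUNTER_HOST = "webstats.web.rcn.net"
# "GET /cgi-bin/Count.cgi?" is exactly 23 bytes, which is why the rule uses
# depth:23: the string has to sit at the very start of the request.
COUNTER_PREFIX = b"GET /cgi-bin/Count.cgi?"


def parse_request(raw: bytes) -> Tuple[bytes, Dict[str, str]]:
    """Split a raw HTTP request into its request line and a header dict.

    Header names are lower-cased so the lookup does not depend on the
    client's capitalisation; values are stripped but otherwise untouched.
    """
    head = raw.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")
    request_line = lines[0]
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        if b":" not in line:
            continue  # not a header line, ignore it
        name, value = line.split(b":", 1)
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return request_line, headers


def is_blackworm_counter_request(raw: bytes) -> bool:
    """Apply the four conditions of the Snort rule to one HTTP request."""
    _request_line, headers = parse_request(raw)
    # content:"GET /cgi-bin/Count.cgi|3f|"; depth:23
    if not raw.startswith(COUNTER_PREFIX):
        return False
    # content:"df|3d|"  (the counter's id parameter, anywhere in the payload)
    if b"df=" not in raw:
        return False
    # content:"Host|3a 20|webstats.web.rcn.net"
    if headers.get("host", "").lower() != COUNTER_HOST:
        return False
    # content:!"Referer|3a|"  -- a browser loading a page that embeds the
    # counter sends a Referer; the worm's own HTTP client does not.
    if "referer" in headers:
        return False
    return True


def find_infected(samples: List[Tuple[str, bytes]]) -> List[str]:
    """Return the labels of the samples that match the counter signature."""
    return [label for label, raw in samples if is_blackworm_counter_request(raw)]


# Constructed sample requests (not real captures); df=0000000 is a placeholder.
SAMPLES: List[Tuple[str, bytes]] = [
    ("worm-checkin",
     b"GET /cgi-bin/Count.cgi?df=0000000 HTTP/1.1\r\n"
     b"Host: webstats.web.rcn.net\r\n"
     b"User-Agent: Mozilla/4.0\r\n\r\n"),
    ("browser-with-referer",
     b"GET /cgi-bin/Count.cgi?df=0000000 HTTP/1.1\r\n"
     b"Host: webstats.web.rcn.net\r\n"
     b"Referer: http://www.example.com/page.html\r\n\r\n"),
    ("other-path-same-host",
     b"GET /index.html HTTP/1.1\r\n"
     b"Host: webstats.web.rcn.net\r\n\r\n"),
    ("counter-on-other-host",
     b"GET /cgi-bin/Count.cgi?df=0000000 HTTP/1.1\r\n"
     b"Host: counter.example.net\r\n\r\n"),
]

if __name__ == "__main__":
    for label in find_infected(SAMPLES):
        print("possible BlackWorm infection:", label)
```

Only the first sample is reported: the second is what a normal browser visit to a page carrying the counter looks like, which is exactly the false positive the rule's negated Referer content avoids. Feed the function the request bodies from your own proxy logs or a pcap and the source addresses of any hits are the machines to clean before the third of February.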

More technical info: http://blogs.securiteam.com/index.php/archives/229

A deep analysis: http://www.lurhq.com/blackworm.html

23:25 Posted by technology changes fast not a lot