On this Friday, February 3rd, Blackworm, an extremely dangerous and rapidly spreading Internet parasite will delete millions of various documents, databases, images and archives stored on hundreds of thousands of computers around the globe. It is not a joke. Blackworm is real, and over 300,000 machines are already infected with it.
The worm, which is also known as Blackmal.e, Nyxem.e, Nyxem.d, Grew.a, Grew.b, Mywife.d, Tearec.a and CME-24, began to spread two weeks ago. The parasite propagates by e-mail via messages with infected attachments and through unprotected network shares. A user can accidentally infect a computer by opening a malicious e-mail attachment or running an infected executable file. Once executed, Blackworm secretly installs itself on the system and runs a spreading routine. The worm uses its own mail engine to send bogus letters to all the addresses it finds in local text and spreadsheet documents, presentations, databases and other similar files. It also creates infected files in unprotected network shares located in the same network or domain. The parasite's payload is very destructive. Blackworm terminates active security-related processes and prevents installed antivirus software from running at system startup. It also deletes essential executables and library files belonging to popular antiviruses, other security-related programs and some file sharing applications. All this corrupts installed software and compromises system security. On the third day of every month, Blackworm destroys all text documents (Microsoft Word .doc and Adobe Acrobat .pdf files), spreadsheets (Microsoft Excel .xls files), presentations (Microsoft PowerPoint .ppt and .pps files), databases (Microsoft Access .mdb and .mde files), archives (WinRAR .rar and WinZip .zip files), images (Adobe Photoshop .psd files) and memory dumps (.dmp) it finds on the compromised system. This will most probably lead to catastrophic data losses.
The most interesting fact about Blackworm is that its author runs a counter keeping track of the number of infections. Each infected system actually contacts a web server where the counter is hosted, which increases the counter by one. At the time of this writing the counter was indicating more than 14 million infections. However, further analysis revealed that the real number is much smaller. As it turned out, the site is recording hits, not unique addresses of compromised computers. Furthermore, the worm's author has launched a Distributed Denial of Service (DDoS) attack on the counter in an attempt to hide the actual number of infected machines. Nevertheless, over 300,000 users, and possibly many more, can lose absolutely all personal documents and other important information. And that is very intimidating.
It is not very difficult to avoid the Blackworm infection. Just do not open any suspicious e-mails and attachments, and do not run any unknown files that have recently appeared on your hard drive. You also have to protect your network shares with strong passwords, immediately update your antivirus software and perform a full system scan. However, users whose computers have already been infected will need to take special countermeasures, because updating an antivirus is useless in their case – Blackworm prevents all popular security-related software from running and corrupts installed programs.
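As an added defensive example that is not part of the original article, the following Python script inventories the file types the worm is said to destroy on the third of the month and copies them to a backup location outside the scanned tree, so a copy exists before the trigger date; the directory names and sample files are constructed for illustration.

```python
import shutil
import tempfile
from pathlib import Path

# File types the article says Blackworm overwrites on the 3rd of each month.
TARGETED_EXTENSIONS = {
    ".doc", ".pdf", ".xls", ".ppt", ".pps",
    ".mdb", ".mde", ".rar", ".zip", ".psd", ".dmp",
}


def find_at_risk_files(root):
    """Recursively list files under `root` whose extension is on the worm's list."""
    root = Path(root)
    return sorted(
        p for p in root.rglob("*")
        if p.is_file() and p.suffix.lower() in TARGETED_EXTENSIONS
    )


def backup_at_risk_files(root, backup_dir):
    """Copy every at-risk file into `backup_dir`, preserving the relative path.

    Returns a per-extension count of copied files. The backup directory must
    not live inside `root`, otherwise a second run would back up the backups.
    """
    root, backup_dir = Path(root).resolve(), Path(backup_dir).resolve()
    if backup_dir == root or root in backup_dir.parents:
        raise ValueError("backup_dir must not be inside the scanned tree")
    counts = {}
    for src in find_at_risk_files(root):
        dst = backup_dir / src.relative_to(root)
        dst.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(src, dst)  # copy2 keeps timestamps for later comparison
        ext = src.suffix.lower()
        counts[ext] = counts.get(ext, 0) + 1
    return counts


def demo():
    """Build a constructed sample tree in a temp dir, back it up, and report."""
    with tempfile.TemporaryDirectory() as tmp:
        data = Path(tmp) / "data"  # hypothetical user data folder
        for rel in ["report.DOC", "budget.xls", "notes.txt",
                    "old/photo.psd", "old/site.zip"]:
            f = data / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text("sample content")
        counts = backup_at_risk_files(data, Path(tmp) / "backup")
        restored = find_at_risk_files(Path(tmp) / "backup")
        return counts, len(restored)
```

Matching is case-insensitive, so `report.DOC` is treated like `.doc`; plain `.txt` files are left alone because the article does not list them.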