W32.Blackmal.E@mm
Discovered: January 17, 2006Updated: February 13, 2007 12:50:39 PM
Also Known As: CME-24, Win32.Blackmal.F [Computer Ass, Email-Worm.Win32.Nyxem.e [F-Se, Email-Worm.Win32.Nyxem.e [Kasp, W32/MyWife.d@MM [McAfee], W32/MyWife.d@MM!M24 [McAfee], Win32/Mywife.E@mm [Microsoft], W32/Small.KI@mm [Norman], Tearec.A [Panda Software], W32/Nyxem-D [Sophos], WORM_GREW.{A, B} [Trend Micro]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
W32.Blackmal.E@mm is a mass-mailing worm that attempts to spread through network shares and lower security settings. On the third day of every month it attempts to rewrite files with certain extensions with custom text.
High level detection - Here are some symptoms that may help determine the presence of W32.Blackmal.E@mm.
Uses its own SMTP engine to send an email with a copy of itself as an attachment.
Look for non-mail server machines sending port 25 traffic
Enumerates the computers in the same domain as the host computer by using WNetOpenEnum. The worm then executes the command "net use \\[COMPUTER NAME] /user:administrator """ to connect to that computer. However, if the user on the compromised computer is already connected to some other network computer, the worm will be able to use that connection.
Look for locked user accounts due to brute password attacks
Attempts to access the following URL: [http://]webstats.web.rcn.net/[REMOVED]/Count.cgi?df=765247
Look for any computer that accessed this website. Isolate and use the repair tool or scan with updated defs