Nyxem E-mail worm bent only on destruction

The machines we love to hate

Moderator: Wiz Feinberg

Wiz Feinberg
Posts: 6091
Joined: 8 Jan 1999 1:01 am
Location: Mid-Michigan, USA


Post by Wiz Feinberg »

By Byron Acohido and Jon Swartz, USA TODAY
Tue Jan 31, 6:47 AM ET

A fast-spreading e-mail worm is raising alarms because its sole purpose is to obliterate the everyday working documents widely used by consumers, students and businesses.

The Kama Sutra worm - also referred to as Nyxem.E and Grew.A - is unnerving because, unlike other e-mail worms, it appears to be detached from any profit motive.

It is designed to destroy all Microsoft Word, Excel, Access and PowerPoint documents and Adobe Acrobat and Photoshop files on all hard drives connected to an infected PC.

"The amazing part is that there appears to be a lack of any motive behind this except destruction," says David Mayer, researcher at e-mail security firm IronPort Systems.

The worm appears in e-mail in-boxes with subject lines such as "hot movie," "A Great Video" or "Crazy illegal Sex!", enticing the recipient to click on an attachment. One variation makes reference to the ancient Sanskrit book on sexual positions.

By clicking on the attachment, the victim launches a program that disables anti-virus protection. The infected PC then begins to send copies of similarly tainted e-mail to every e-mail address on the victim's hard drive.

Source and full story: http://news.yahoo.com/s/usatoday/20060131/tc_usatoday/emailwormbentonlyondestruction


------------------
Bob "Wiz" Feinberg
Moderator of the SGF Computers Forum
Visit my Wiztunes Steel Guitar website at: http://www.wiztunes.com/
or my computer troubleshooting website: Wizcrafts Computer Services,
or my Webmaster Services webpage

Post by Wiz Feinberg »

The Kama Sutra worm is set to activate on February 3, 2006. This worm is known by various names including Nyxem, MyWife, Kama Sutra, Blackmal and others, and is in the Wild.

This worm is believed to have infected anywhere from 200,000 to 700,000 computers worldwide.

The worm is programmed to destroy numerous antivirus program files and Microsoft Office document files, thirty minutes after an infected machine is powered up, on the third day of each month.

Its payload is designed to delete data files created with various MS Office programs, RAR and ZIP files, photo images (.jpg, .raw, etc.), and will attempt to delete antivirus program files, disabling your protection.

Symantec has released a free tool that will remove the virus. Download the tool and run it, even if you are certain that you are not infected.



Post by Wiz Feinberg »

There is something else you can do to minimize the damage caused by virus attacks, and that is to lower your rights from Administrator to Limited User, for the account you are using to browse the Internet.

To do this you must have a separate Administrator Level account. Windows XP Professional allows you to login to Windows as the Administrator, but XP Home does not unless you boot into Safe Mode.

If you are using XP Home, and are currently running as a member of the "Administrators Group" (which is how it ships for the logged in user), go to Start > Control Panel > User Accounts. Click on "Create a new account." Type a name for the new user account, and then click Next. Click Computer administrator or Limited, depending on the type of account you want to assign to the new user, and then click Create Account. The name you assign to the account is the name that will appear on the Welcome screen and the Start menu. The first user you add to the computer must be assigned a computer administrator account.

If you want to change your current account to Limited User you must create a new "Computer Administrator" level account. Follow the process I listed above. Once it has been created and you verify the details, log off your current account and log on to the new account. Make sure everything works in the new "Computer Administrator" level account, by running Windows Update and defragmenting, then open Control Panel and find your main identity account and click to open it. Click "Change the account type." Click "Limited User" and then click Change Account Type.

Log off the Administrator level account and onto your old identity. You will now be able to browse the Internet, read and send email, use most existing programs and do most of the things you do on a daily basis, except for installing/uninstalling programs, defragmenting, altering system files, or manually running Windows Updates. Viruses, Worms, Trojans and Backdoors will not be able to install themselves either, which is why we go to all this trouble.

When you need to install a program, right-click on the setup file and select "Run as." If "Run as" is not listed as a right-click option, hold the Shift key while right-clicking on the setup file, and "Run as" will appear. Click on "Run as" and check the option "The following user." Select the name of the new administrator level account you created, type in the password (it must not be blank) and click OK. Setup will run as usual.

To perform operations that really require full administrator level privileges "Log Off" your daily account, or "Switch Users" and log onto the new administrator level account. From there you can install, uninstall, update, defrag, create and delete to your heart's content. When you are finished log off or switch back to your daily use account.

I know this can be a PITA, but not as much of a pain as cleaning up your system after viruses, Worms, Trojans, Backdoors, or spyware infect it. Most of these threats require full administrator privileges to install and run.

BTW: I am writing this from a limited account, so I know of what I speak.

Gary Pederson
Posts: 75
Joined: 28 Oct 2000 12:01 am
Location: Van Nuys, Ca.

Post by Gary Pederson »

Wiz
I tried to implement your change above. I have XP Home. I started out with only one account, named "Owner". It will do Microsoft Updates, defrags, program installs. I created a second account as "computer administrator". I switched from "Owner" to the new account. Under the new account I went to Windows Update. On the Windows Update page I get the message that I must be an administrator. Windows Update doesn't seem to recognize my new account as being an administrator account. What am I missing?

Thanks, Gary

Post by Wiz Feinberg »

Gary said:
> I created a second account as "computer administrator"
Gary;
When you created this new account did you name it Computer Administrator, or did you give it another name and make it a member of the Computer Administrator group?

If you just named it Computer Administrator, but did not change the default group setting from Limited to Computer Administrator it will not make it a member of that group. Go back into the Users management and verify that this new account is a Computer Administrator, not just named that - but a Limited User account.

Jim Phelps
Posts: 3421
Joined: 6 Sep 2002 12:01 am
Location: Mexico City, Mexico

Post by Jim Phelps »

I didn't know a virus couldn't install and run itself when logged onto a limited access user account. My training was during the Windows 98 days... if win98 is the same, Dell never told us that...

I don't doubt what you say, Wiz, in fact I have gone ahead and created a limited access account and am using it (actually I created another account for "admin" and changed my old administrative account to limited, so I'd retain all my current emails and stuff), but I'm amazed that if all you need is a limited account to prevent viruses from running, then why isn't that more widely known, and it would seem to make the anti-virus software unnecessary... ?

Post by Gary Pederson »

Wiz:
I named the new account "Gary". I made it a member the "computer administrator" group. When I go to "settings", "control Panel", "user accounts", both "owner" & "gary" are shown as "computer administrator".

Thanks

Post by Wiz Feinberg »

Gary;
It seems that you have correctly set up the new account. If you have logged into it at least once it should be good to go as an administrator level account. Try defragging from the new account. If defragmenter runs try Windows Update. If Windows Update won't run try going to a random website, like msn.com. If these things work but you still can't get to Windows Update your computer may be owned by a virus, trojan, rootkit, or Hosts file hijacker. Run Microsoft Antispyware, download and run the Microsoft Malicious Software Removal Tool and run a virus scan. Be sure all tool definitions are current. MS Antispyware can detect and remove many rootkits, as can some of the more advanced antivirus products, like Norton 2005-2006 and F-Secure.

If you run all these scans and still cannot go to Windows Update you should read your Hosts file to see if it has a spurious entry that redirects Windows Update to the local machine (127.0.0.1). To read Hosts on an XP machine you must first set your folder options to display all files and folders, including system files and folders, and to display all extensions. Then use My Computer to navigate to C:\Windows\System32\Drivers\Etc where you will find a file called HOSTS. Double click it and select Notepad to open it when prompted for the application to use. It will have some text and examples of how to use the file, then there will be a single entry at the end of the file, with this:

127.0.0.1 localhost

That should be the last entry. If you see an entry that is something like

127.0.0.1 update.microsoft.com

then delete that entry, and anything else like it, save the file (Alt+F+S) and close it, then try going to Windows Update again.

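The Hosts file check described in the post above, as an added example that is not code from the forum thread: a small Python script that parses a HOSTS file and flags any entry that sends a non-local hostname to the local machine (127.x, ::1, 0.0.0.0 or ::), or that pins an update or antivirus vendor domain to any address at all. The WATCHED_SUFFIXES list and the sample HOSTS content are constructed for the demonstration; the default path is the one given in the post.

```python
"""Audit a Windows HOSTS file for entries that send update or security-vendor
hostnames to the local machine, the hijack described in the post above.

Added example; it is not code from the forum thread. The WATCHED_SUFFIXES
list and the sample HOSTS content are constructed for the demonstration.
"""
import ipaddress
import sys
from typing import List, Tuple

# Default location on Windows XP, as given in the post.
HOSTS_PATH = r"C:\Windows\System32\Drivers\Etc\hosts"

# Hostnames a PC must reach for updates and AV definitions. Illustrative
# (an assumption); extend to match the products installed.
WATCHED_SUFFIXES = (
    "microsoft.com",
    "windowsupdate.com",
    "symantec.com",
    "f-secure.com",
)

# Constructed sample: a normal localhost line followed by three hijack lines
# of the kind the post warns about.
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
127.0.0.1       localhost
127.0.0.1       update.microsoft.com      # pins Windows Update to this PC
127.0.0.1       windowsupdate.microsoft.com
0.0.0.0         liveupdate.symantec.com
"""

Entry = Tuple[int, str, List[str]]
Finding = Tuple[int, str, str]


def parse_hosts(text: str) -> List[Entry]:
    """Return (line_number, address, [hostnames]) for every mapping line.
    Comments after '#' and blank lines are ignored, as the resolver does."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        parts = line.split()
        if len(parts) >= 2:
            entries.append((lineno, parts[0], parts[1:]))
    return entries


def diverts_locally(address: str) -> bool:
    """True for loopback (127.x, ::1) or unspecified (0.0.0.0, ::) addresses;
    a public hostname mapped to one of these never leaves the machine."""
    try:
        addr = ipaddress.ip_address(address)
    except ValueError:
        return False
    return addr.is_loopback or addr.is_unspecified


def is_local_name(name: str) -> bool:
    """Names that legitimately belong on a loopback line."""
    return name.lower() in ("localhost", "localhost.localdomain")


def find_suspicious(text: str) -> List[Finding]:
    """Flag (line, address, hostname) when a non-local name is sent to the
    local machine, or when a watched vendor domain is pinned to any address."""
    findings = []
    for lineno, address, names in parse_hosts(text):
        local = diverts_locally(address)
        for name in names:
            lname = name.lower()
            watched = any(lname == s or lname.endswith("." + s)
                          for s in WATCHED_SUFFIXES)
            if (local and not is_local_name(lname)) or watched:
                findings.append((lineno, address, name))
    return findings


def main(argv: List[str]) -> int:
    """Audit the file named on the command line (e.g. HOSTS_PATH),
    or the built-in sample when no path is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_HOSTS
    findings = find_suspicious(text)
    for lineno, address, name in findings:
        print(f"line {lineno}: {address} -> {name}  (remove unless you added it)")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it with no arguments to see the three constructed hijack lines reported, or pass the real path (HOSTS_PATH) to audit a machine. A non-zero exit code when anything is flagged lets the script sit in a login script or scheduled task so a silent hijack shows up before the next patch cycle is missed.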

Post by Wiz Feinberg »

Jim;
It is a fact that most current threats require full administrative privileges to install, but once installed they can control a Limited account. I alluded to that in my reply to Gary. One of the common symptoms of a rootkit attack is the inability to visit Windows Update. A compromised system must be thoroughly cleaned before any account is safe. Sometimes this means Format C: - reinstall OS, validate Windows, Update Windows components and reinstall all programs.

One of the things recommended by security pros including me is to start up with a hardware firewall between the computer and the modem, install the OS, install all drivers for the motherboard and hardware, update Windows with all available patches, and create a new Limited User account. Log off the Admin account and log onto the Limited account. Use the right click option to Run As an Administrator using the credentials of the other account you installed everything from. This way you can run all these programs from your Limited account, while installing from it as Admin. When you have to uninstall, or do other admin level things just switch users, or log off and onto the other admin level account.

Windows Vista operates most applications as a less privileged user, including Internet Explorer 7. When a function or program requires Admin privileges you are prompted to supply the Admin credentials for that task. Once completed your privileges revert to limited. This is much more secure than operating as an administrator all the time. Even I don't run as Admin unless I am doing maintenance or uninstalling programs, or managing user accounts.


Post by Gary Pederson »

Wiz:
I can now do Microsoft update from my new account. I didn't make any changes. What I did do that was different was Restart & went directly into my new account. Microsoft update now recognized me as "Computer Administrator". Previously I only tested by using "Switch Users" from my original account. Now I can do Microsoft update in my new account after using Switch User from my old account to my new one.
It seems that when you change groups you need to Restart/Reboot & log directly into the new account. You only need to do this once.
I also tried the reverse. I changed my old account to Limited, did a switch user to it & tried the Microsoft update. The update accepted my Limited user account. I then did a restart & went directly into my new Limited user account. Microsoft update now recognized me as a Limited user.

Gary

Post by Wiz Feinberg »

That's good news Gary! I am glad to have been able to help troubleshoot your problem.
