
Nyxem.E

NOTE: Thanks jupe, I really appreciate the contribution. I am attaching some more related files and some new stuff. V.

Nyxem.E is a mass mailing worm that also tries to spread using remote shares. Rename this sample to Attachment.bhx, then uncompress using a utility like Winzip.

Writeup

You can read a good writeup on this worm at: http://www.symantec.com/avcenter/venc/data/w32.blackmal.e@mm.html

I have no affiliation with Symantec; however, this is the most complete writeup I've seen on this one to date.

writeup

In my belief, Fortinet has a little bit better overview of this Nyxem.E malware.

http://www.fortinet.com/VirusEncyclopedia/search/encyclopediaSearch.do?method=viewVirusDetailsInfoDirectly&fid=119856

Others have missed the OCX component; Symantec mentions the HKEY_LOCAL_MACHINE\SOFTWARE\Classes\Licenses thing, but not as detailed as Fortinet, and there is also Active Desktop spreading.

lys.

Analysis

#################################
FILE TYPE: MS-DOS executable (EXE), OS/2 or MS Windows
MD5SUM: 1c66904ecb846da5b1fb2072f9ea6e0e
SHA1SUM: 968f93cfcd9c3df6713db66bce69c0e6f451fdc5
SHA256SUM: 1ef090562ef527b99873c9a48c33a3d6e7014acc2f8d6c3f801c7b4c988cc013
A/V SCAN: MS-DOS executable (EXE), OS/2 or MS Windows
PACKER: [!] UPX v1.24 compressed !
UPX 0.89.6 - 1.02 / 1.05 - 1.24 -> Markus & Laszlo [Overlay]
#################################

AntiVir Found Worm/KillAV.GR
ArcaVir Found Worm.Vb.Bi
Avast Found Win32:VB-CD
AVG Antivirus Found nothing
BitDefender Found Win32.Nyxem.E@mm
ClamAV Found Worm.VB-8
Dr.Web Found Win32.HLLM.Generic.391
F-Prot Antivirus Found W32/Kapser.A@mm
Fortinet Found W32/Grew.A!wm
Kaspersky Anti-Virus Found Email-Worm.Win32.Nyxem.e
NOD32 Found Win32/VB.NEI
Norman Virus Control Found Small.KI@mm
UNA Found I-Worm.VB
VBA32 Found Email-Worm.Win32.VB.bi

This thing pretends to be WinZip.

There are tons of strings but these are the useful ones:

0 ns1.hotmail.com
00006D64 00407B64 0 YAHOO
00006D84 00407B84 0 ns1.yahoo.com
00006DA4 00407BA4 0 HOTMAIL.COM
00006DC4 00407BC4 0 Control Panel\MExchange
00006DF8 00407BF8 0 HELO
00006E14 00407C14 0 MAIL FROM:
00006E40 00407C40 0 RCPT TO:
00006EF0 00407CF0 0 Control Panel\BMale
000072D8 004080D8 0 209.90.0.2
000073C4 004081C4 0 yahoo.com
000073DC 004081DC 0 Control Panel\DNS
00007410 00408210 0 216.127.148.150
00007434 00408234 0 msn.com
00007448 00408248 0 65.212.161.150
0000746C 0040826C 0 202.232.15.92
0000748C 0040828C 0 70.84.234.226
000074AC 004082AC 0 http://www.microsoft.com

http://webstats.web.rcn.net/cgi-bin/Count.cgi?df=765247

CREATES FILES:

82 10:13:54 PM Atta[001].scr:1572 CREATE C:\DOCUME~1\macdaddy\LOCALS~1\Temp\~DF73C2.tmp SUCCESS Options: Create Access: All
348 10:13:54 PM Atta[001].scr:1572 CREATE C:\WINDOWS\SYSTEM32\Atta[001].zip SUCCESS Options: OverwriteIf Access: All
822 10:13:55 PM Atta[001].scr:1572 CREATE C:\WINDOWS\Rundll16.exe SUCCESS Options: OverwriteIf Access: All
838 10:13:55 PM Atta[001].scr:1572 CREATE C:\WINDOWS\SYSTEM32\scanregw.exe SUCCESS Options: OverwriteIf Access: All
915 10:13:55 PM Rundll16.exe:1256 CREATE C:\DOCUME~1\macdaddy\LOCALS~1\Temp\~DF8E66.tmp SUCCESS Options: Create Access: All
1161 10:13:55 PM Rundll16.exe:1256 CREATE C:\WINDOWS\Rundll16.exe SHARING VIOLATION Options: OverwriteIf Access: All
1165 10:13:55 PM Rundll16.exe:1256 CREATE C:\WINDOWS\SYSTEM32\scanregw.exe SUCCESS Options: OverwriteIf Access: All
1495 10:13:57 PM Rundll16.exe:1256 CREATE C:\Documents and Settings\macdaddy\Local Settings\Temporary Internet Files\Content.IE5\VDK7SXDZ\Count[1].gif SUCCESS Options: Create Access: All

REGISTRY KEYS CREATED

59 13.34086895 Atta[001].scr:1572 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
70 13.44396496 Atta[001].scr:1572 QueryValue HKLM\SOFTWARE\Microsoft\OLE\MinimumFreeMemPercentageToCreateProcess NOT FOUND
71 13.44398308 Atta[001].scr:1572 QueryValue HKLM\SOFTWARE\Microsoft\OLE\MinimumFreeMemPercentageToCreateObject NOT FOUND
226 13.46167088 Atta[001].scr:1572 CreateKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Security\P3Global SUCCESS Access: 0xF003F
227 13.46170330 Atta[001].scr:1572 CreateKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Security\P3Sites SUCCESS Access: 0xF003F
249 13.47611618 Atta[001].scr:1572 CreateKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS Access: 0x2001F
286 13.47845268 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
289 13.47862053 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
324 13.48018742 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
327 13.48032856 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
338 13.48069763 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
341 13.48083496 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
981 13.57764053 Atta[001].scr:1572 CreateKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0xF003F
1201 13.60961723 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
1204 13.60976315 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
1257 13.61864662 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2fa2820-3cac-11da-84a5-806d6172696f}\ SUCCESS Access: 0x2000000
1264 13.61925507 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9e3a8c3-3cad-11da-8f2a-806d6172696f}\ SUCCESS Access: 0x2000000
1271 13.61974430 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9e3a8c2-3cad-11da-8f2a-806d6172696f}\ SUCCESS Access: 0x2000000
1322 13.62303543 Atta[001].scr:1572 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
1325 13.62317657 Atta[001].scr:1572 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
1333 13.62478733 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
1336 13.62492847 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
1344 13.62576675 Atta[001].scr:1572 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
1347 13.62590218 Atta[001].scr:1572 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
1660 13.68205643 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping SUCCESS Access: 0x2001F
4804 14.30231380 Atta[001].scr:1572 CreateKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0xF003F
4807 14.30243874 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Access: 0xF003F
4933 14.35206890 Rundll16.exe:1256 CreateKey HKLM\SOFTWARE\Microsoft\Cryptography\RNG SUCCESS Access: 0x2
4944 14.41610336 Rundll16.exe:1256 QueryValue HKLM\SOFTWARE\Microsoft\OLE\MinimumFreeMemPercentageToCreateProcess NOT FOUND
4945 14.41612244 Rundll16.exe:1256 QueryValue HKLM\SOFTWARE\Microsoft\OLE\MinimumFreeMemPercentageToCreateObject NOT FOUND
5100 14.47182178 Rundll16.exe:1256 CreateKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Security\P3Global SUCCESS Access: 0xF003F
5101 14.47216511 Rundll16.exe:1256 CreateKey HKCU\SOFTWARE\Microsoft\Internet Explorer\Security\P3Sites SUCCESS Access: 0xF003F
5123 14.49271393 Rundll16.exe:1256 CreateKey HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings SUCCESS Access: 0x2001F
5160 14.50158596 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
5163 14.50258064 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
5198 14.50845718 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
5201 14.50908089 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
5212 14.51120281 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
5215 14.51172256 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
5855 14.57509613 Rundll16.exe:1256 CreateKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0xF003F
5869 14.57871723 Rundll16.exe:1256 CreateKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0xF003F
5872 14.57883263 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Access: 0xF003F
6279 14.59858513 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Internet Explorer\Extensions\CmdMapping SUCCESS Access: 0x2001F
6456 14.63581848 Rundll16.exe:1256 CreateKey HKLM\Software\Microsoft\Tracing SUCCESS Access: 0xF003F
6487 14.65723515 Rundll16.exe:1256 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
6528 14.66201305 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2001F
6559 14.66384125 Rundll16.exe:1256 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
6563 14.66473866 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\User Shell Folders SUCCESS Access: 0x2000000
6583 14.66765881 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2001F
6615 14.66913509 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
6619 14.66937256 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS Access: 0x2
6628 14.66962433 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x1
6632 14.66975594 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x1
6636 14.66988277 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS Access: 0x20006
6643 14.67017937 Rundll16.exe:1256 CreateKey HKCC\Software\Microsoft\windows\CurrentVersion\Internet Settings SUCCESS Access: 0x2
6646 14.67033482 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x1
6649 14.67042542 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\windows\CurrentVersion\Internet Settings\Connections SUCCESS Access: 0x2
6717 15.40786457 Atta[001].scr:1572 CreateKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0xF003F
6720 15.40797901 Atta[001].scr:1572 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced SUCCESS Access: 0xF003F
7382 16.65624619 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{e2fa2820-3cac-11da-84a5-806d6172696f}\ SUCCESS Access: 0x2000000
7389 16.65935898 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9e3a8c3-3cad-11da-8f2a-806d6172696f}\ SUCCESS Access: 0x2000000
7396 16.66001511 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\MountPoints2\{c9e3a8c2-3cad-11da-8f2a-806d6172696f}\ SUCCESS Access: 0x2000000
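An added example, not part of the post above: a small Python filter over Filemon/Regmon lines in the format shown in this analysis, pulling out the two event classes a responder would triage first, executables dropped into the Windows directory and CreateKey operations on autostart keys. The sample lines are copied from the post; the directory prefix, extension list and key patterns are my own assumptions.

```python
import re

# Constructed sample input: lines copied from the Filemon/Regmon output in the
# analysis above, plus one benign Shell Folders line so the filter has something to ignore.
SAMPLE_LOG = r"""
348 10:13:54 PM Atta[001].scr:1572 CREATE C:\WINDOWS\SYSTEM32\Atta[001].zip SUCCESS Options: OverwriteIf Access: All
822 10:13:55 PM Atta[001].scr:1572 CREATE C:\WINDOWS\Rundll16.exe SUCCESS Options: OverwriteIf Access: All
838 10:13:55 PM Atta[001].scr:1572 CREATE C:\WINDOWS\SYSTEM32\scanregw.exe SUCCESS Options: OverwriteIf Access: All
1161 10:13:55 PM Rundll16.exe:1256 CREATE C:\WINDOWS\Rundll16.exe SHARING VIOLATION Options: OverwriteIf Access: All
981 13.57764053 Atta[001].scr:1572 CreateKey HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run SUCCESS Access: 0xF003F
6528 14.66201305 Rundll16.exe:1256 CreateKey HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon SUCCESS Access: 0x2001F
6559 14.66384125 Rundll16.exe:1256 CreateKey HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders SUCCESS Access: 0x2000000
"""

# Filemon uses a wall-clock timestamp ("10:13:54 PM"), Regmon a relative one ("13.57764053");
# the path group is non-greedy because paths may contain spaces ("Windows NT").
LINE_RE = re.compile(
    r"^\d+\s+(?:\d+:\d+:\d+ [AP]M|\d+\.\d+)\s+"   # sequence number and timestamp
    r"(?P<proc>.+?):(?P<pid>\d+)\s+"              # process name and PID
    r"(?P<op>\S+)\s+(?P<path>.+?)\s+"             # operation and file/key path
    r"(?P<result>SUCCESS|SHARING VIOLATION|NOT FOUND|ACCESS DENIED)\b"
)

# Assumed detection criteria (mine, not from the post): executables written under
# C:\WINDOWS and keys that give the worm an autostart foothold.
SYSTEM_PREFIX = "c:\\windows\\"
DROPPED_EXT = (".exe", ".scr", ".dll", ".zip")
PERSISTENCE_KEYS = ("\\currentversion\\run", "\\currentversion\\winlogon")


def parse_line(line):
    """Return the fields of one monitor line as a dict, or None if it does not parse."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_indicators(log_text):
    """Return (kind, process, path) tuples for successful drops and persistence-key writes."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["result"] != "SUCCESS":      # failed ops (e.g. SHARING VIOLATION) are skipped
            continue
        path = rec["path"].lower()
        if rec["op"] == "CREATE" and path.startswith(SYSTEM_PREFIX) and path.endswith(DROPPED_EXT):
            findings.append(("dropped_file", rec["proc"], rec["path"]))
        elif rec["op"] == "CreateKey" and any(k in path for k in PERSISTENCE_KEYS):
            findings.append(("persistence_key", rec["proc"], rec["path"]))
    return findings


if __name__ == "__main__":
    for kind, proc, path in find_indicators(SAMPLE_LOG):
        print(f"{kind:16} {proc:16} {path}")
```

Against the sample lines this reports the three files dropped by Atta[001].scr and the Run and Winlogon key creations, while ignoring the failed overwrite of Rundll16.exe and the Shell Folders noise.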

Thank you

Thanks a lot for the sample. I was searching for this one because the payload seemed to be nasty :)

I am downloading it just now, so let's see how it all goes...

Cheers
Kish

--
Remember there is alwayz someone who knows more than us out there

Oh, great!

A very big thanks.