Tomorrow awakens the Blackmal virus. The code is set to execute on the 3rd day of every month, tomorrow being the first 3rd day to occur since the virus went into the wild. The virus is a mass email virus that tries to get users to execute it. It uses obscene subject lines to try to get the user to click on the following attachments:
- 007.pif
- 392315089702606E-02,.scR
- 677.pif
- Adults_9,zip.sCR
- Arab sex DSC-00465.jpg
- ATT01.zip.sCR
- Attachments[001],B64.sCr
- Clipe,zip.sCr
- document.pif
- DSC-00465.Pif
- DSC-00465.pIf
- eBook.pdf
- eBook.PIF
- image04.pif
- New Video,zip
- New_Document_file.pif
- photo.pif
- Photos,zip.sCR
- School.pif
- SeX,zip.scR
- Sex.mim
- Video_part.mim
- WinZip,zip.scR
- WinZip.BHX
- WinZip.zip.sCR
- Word XP.zip.sCR
- Word.zip.sCR
- 04.pif
The virus copies itself as one of the following upon execution:
- %Windir%\Rundll16.exe
- %System%\WINZIP_TMP.EXE
- %System%\SAMPLE.ZIP
- %System%\New WinZip File.exe
- movies.exe
- Zipped Files.exe
- %System%\scanregw.exe
- %System%\Winzip.exe
- %System%\Update.exe
The virus disables mouse and keyboard usage upon first execution. That’s a warning sign. It also displays the above image when it detects virus software. The virus deletes the following files:
- %ProgramFiles%\DAP\*.dll
- %ProgramFiles%\BearShare\*.dll
- %ProgramFiles%\Symantec\LiveUpdate\*.*
- %ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
- %ProgramFiles%\Norton AntiVirus\*.exe
- %ProgramFiles%\Alwil Software\Avast4\*.exe
- %ProgramFiles%\McAfee.com\VSO\*.exe
- %ProgramFiles%\McAfee.com\Agent\*.*
- %ProgramFiles%\McAfee.com\shared\*.*
- %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
- %ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
- %ProgramFiles%\Trend Micro\Internet Security\*.exe
- %ProgramFiles%\NavNT\*.exe
- %ProgramFiles%\Morpheus\*.dll
- %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
- %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
- %ProgramFiles%\Grisoft\AVG7\*.dll
- %ProgramFiles%\TREND MICRO\OfficeScan\*.dll
- %ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
- %ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar
The virus then collects all email contacts on the infected computer and starts mailing itself to them. On the third day of the month, the virus deletes the following files:
- *.doc
- *.xls
- *.mdb
- *.mde
- *.ppt
- *.pps
- *.zip
- *.rar
- *.psd
- *.dmp
The files are overwritten with the text: DATA Error [47 0F 94 93 F4 F5]
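For damage assessment after the payload has run, the check below walks a directory tree and lists files with the targeted extensions that now hold the overwrite text. It is an added example, not from the original post or any vendor tool; the 4096-byte size limit, the ASCII encoding of the marker, and the sample file names are assumptions.

```python
import os
import tempfile

# Marker text and extensions come from the post; treating the marker as ASCII
# and the size limit below are assumptions of this example.
MARKER = b"DATA Error [47 0F 94 93 F4 F5]"
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".psd", ".dmp"}
MAX_SIZE = 4096  # assumption: an overwritten file is tiny, so skip larger ones

def is_overwritten(path):
    """True if a targeted file is small and has the marker in its first 256 bytes."""
    if os.path.splitext(path)[1].lower() not in TARGET_EXTS:
        return False
    try:
        if os.path.getsize(path) > MAX_SIZE:
            return False
        with open(path, "rb") as fh:
            return MARKER in fh.read(256)
    except OSError:
        return False  # unreadable or vanished file: skip it and keep scanning

def find_overwritten(root):
    """Walk root and return the sorted relative paths of overwritten files."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if is_overwritten(full):
                hits.append(os.path.relpath(full, root))
    return sorted(hits)

def build_sample_tree(root):
    """Constructed sample data: two damaged files, one intact, one untargeted."""
    os.makedirs(os.path.join(root, "reports"))
    samples = {
        "budget.XLS": MARKER,
        os.path.join("reports", "q1.doc"): MARKER + b"\r\n",
        "intact.doc": b"\xd0\xcf\x11\xe0" + b"\x00" * 600,
        "notes.txt": MARKER,
    }
    for rel, data in samples.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print("\n".join(find_overwritten(tmp)))
```

The resulting list tells you which files need to come from backup, since the original contents of a file overwritten in place are no longer in that file.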
If infected, you should disable system restore, boot into safe mode, and utilize the Symantec Blackmal Removal tool to get rid of the virus. Overall, this isn’t a huge threat.

February 2nd, 2006
admin

Hi there..
Nice blog..
Mine is a sci/Tech blog.. if you’re interested we can link each other on our sites..
Keep posting.. I’ll read your blog often.
Cheers.

How to recover big files that are converted into 1kb?
And while opening these files, it shows DATA Error [47 0F 94 93 F4 F5]
Thanks & Regards
Rajesh

My PC is affected by Kama Sutra. How can I recover my important files? Mostly Excel files. Thanks.