W32.Blackmal.E@mm / Kama Sutra Virus

If you are new here, you may want to subscribe to our feed.

Tomorrow awakens the Blackmal virus. The code is set to execute on the 3rd day of every month, tomorrow being the first 3rd day to occur since the virus went into the wild. The virus is a mass email virus that tries to get users to execute it. It uses obscene subject lines to try to get the user to click on the following attachments:

• 007.pif
• 392315089702606E-02,.scR
• 677.pif
• Adults_9,zip.sCR
• Arab sex DSC-00465.jpg
• ATT01.zip.sCR

…

• Attachments[001],B64.sCr
• Clipe,zip.sCr
• document.pif
• DSC-00465.Pif
• DSC-00465.pIf
• eBook.pdf
• eBook.PIF
• image04.pif
• New Video,zip
• New_Document_file.pif
• photo.pif
• Photos,zip.sCR
• School.pif
• SeX,zip.scR
• Sex.mim
• Video_part.mim
• WinZip,zip.scR
• WinZip.BHX
• WinZip.zip.sCR
• Word XP.zip.sCR
• Word.zip.sCR
• 04.pif
• DSC-00465.Pif
• DSC-00465.pIf
• image04.pif

The virus copies itself as one of the following upon execution:

• %Windir%\Rundll16.exe
• %System%\WINZIP_TMP.EXE
• %System%\SAMPLE.ZIP
• %System%\New WinZip File.exe
• movies.exe
• Zipped Files.exe
• %System%\scanregw.exe
• %System%\Winzip.exe
• %System%\Update.exe

The virus disables mouse and keyboard usage upon first execution. That’s a warning sign. It also displays the above image when it detects virus software. The virus deletes the following files:

• %ProgramFiles%\DAP\*.dll
• %ProgramFiles%\BearShare\*.dll
• %ProgramFiles%\Symantec\LiveUpdate\*.*
• %ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
• %ProgramFiles%\Norton AntiVirus\*.exe
• %ProgramFiles%\Alwil Software\Avast4\*.exe
• %ProgramFiles%\McAfee.com\VSO\*.exe
• %ProgramFiles%\McAfee.com\Agent\*.*
• %ProgramFiles%\McAfee.com\shared\*.*
• %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
• %ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
• %ProgramFiles%\Trend Micro\Internet Security\*.exe
• %ProgramFiles%\NavNT\*.exe
• %ProgramFiles%\Morpheus\*.dll
• %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
• %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
• %ProgramFiles%\Grisoft\AVG7\*.dll
• %ProgramFiles%\TREND MICRO\OfficeScan\*.dll
• %ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
• %ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

The virus then collects all email contacts on the infected computer and starts mailing to the recipients. And, on the third day of the month, the virus deletes the following files:

• *.doc
• *.xls
• *.mdb
• *.mde
• *.ppt
• *.pps
• *.zip
• *.rar
• *.pdf
• *.psd
• *.dmp

The files are overwritten with the text: DATA Error [47 0F 94 93 F4 F5]

If infected, you should disable system restore, boot into safe mode, and utilize the Symantec Blackmal Removal tool to get rid of the virus. Overall, this isn’t a huge threat.

Digg it Add to del.icio.us Stumble it add to technorati

Related Posts:

Phone Virus in the Wild
Nokia 6600The Cabir virus has now become the first United States mobile phone virus in the wild. The virus...

Get Your Free Anti Virus Here
In an age of ubiquitous software, there really isn't any excuse not to have almost any software you want. ...

CommWarrior.A Cell Phone Virus
The first mobile phone virus utilizing the Mobile Messaging System (MMS), has been discovered. It has been found circulating...

Video iPods Shipped with RavMonE Virus
How's this for a PR nightmare? It seems that one of Apple's contract manufacturers has released some video ipods...

Best Buy Sold Virus Laden Picture Frames
Let me see, file this under supplier mishaps you never want.  It seems Insignia supplied Best Buy with picture frames...

•