Black Worm Hits India hard.

Black Worm Hits India hard.
Posted By Afzal Khan
January 30, 2006

It has been observed that the Black Worm also known as W32.Vb.i or W32.Nayem.E has been actively spreading in India since last two weeks now. It’s a mass-mailing worm that also spread using remote shares. After a long gap there has been an outbreak kind of situation as this worm was successful in spreading all over the globe within few hours when it first appeared over the Internet. The reason why the worm was so successful in spreading all over is just because it spreads by creating a mime encoded compressed executable with a different extension (.HQX, .BHX), which didn’t had any kind of header to classify the file. As a result the mail gateway scanners were not able to decode the attachment and scan the infected files. This is why the worm got skipped even though the mail severs have updated anti-virus scan engines. Many of the leading AntiVirus software’s had to do some changes to their scan engine to make the scanners decode the file and scan for the infected attachment.

AntiVirus Quick Heal form India was the first anti-virus to detect this worm when it first hit the net according to the report generated and published by PC-Wallet Magazine, Germany. According to PC-Wallet, Germany the worm was first caught and detected on 16th January 2006 at 10:00 (GMT) by Quick Heal AntiVirus. For more details on outbreak response time of various other anti-virus software’s world wide check at:
http://www.pcmag.com/article2/0,1895,1916880,00.asp

According to US based LURHQ the leading provider of Threat and Vulnerability Management services this worm has hit hard to countries like India, Italy and Peru with high number of infection rates. Among it India is the hardest hit country by far in terms of overall infection rate till today. Live statistics of infection rate per country can be found on their web site at http://www.lurhq.com/blackworm-stats.html
This worm attaches itself to e-mail messages as an executable file with various different names and occasionally this worm compresses itself by ZIP and encodes the compressed file by mime encoding and then attaches the encoded file to the e-mail messages.

The worm has several network spreading routines. One of them enumerates all available shares, then reads the values of the registry key where personal documents and recently opened files are stored. It copies itself to such folders by the file name with executable extension of the same name as the document in that folder. The worm also copies itself to network shares with the same name. This worm once active first tries to delete the popularly known international anti-virus folders (e.g. Norton AntiVirus, McAfee, Trend etc.)

This worm has a dangerous payload, it will delete all the documents, worksheets, presentations, database files and compressed backup files from the system on every 3rd day of the month. This is very serious payload considering that the worm has spread all over India and the first payload day of 3rd February is arriving very soon. We recommend all our users to have their AntiVirus updated, up and running. All the Quick Heal users are already protected from this worm from day one.

For computer users not having Quick Heal we have a special Black Worm removing tool freely available from our website http://www.quickheal.co.in/public/alerts/i-worm.VB_Bi.asp
More Information
Black Worm Analysis
Free removal tool for Black Worm