Current virus a timebomb: explodes this week
- 31 January, 2006 07:44
The "timebomb" virus slated for detonation this week was written primarily to cause extensive damage and has the potential to wreak havoc in large, networked environments like enterprises.
Initially on February 3, and on the third of each month after, the Nyxem virus (Sophos W32/Nyxem-D) is designed to automatically overwrite files such as the access database, .doc files as well as Excel and Powerpoint files (.pps and .ppt) in infected computers and also spread via network connections.
While most antivirus companies released a specific fix nearly two weeks ago, a common trait of the virus is disabling or corrupting antivirus programs.
Sean Richmond, senior technical consultant with antivirus firm Sophos, said only a small number of infected computers had been discovered so far. Richmond said from the behaviour of the virus to date, it looks like it was designed by someone throwing a tantrum - not as a specific and malicious tool.
"Nyxem is not designed for financial gain, nor does it offer more advanced techniques like buffer overflows ... it appears to be just an attempt to do damage and I don't know whether it was designed by someone wanting to be a nuisance," Richmond said.
"It does not install remote access tools or open backdoors which is far more common nowadays with people attempting to get control of system; all Trojans spammed out lately aim at hooking into IRC and allowing remote control.
"It is a bit rare and unusual to see viruses deleting files, because it draws too much attention."
Adam Biviano, Trend Micro senior systems engineer said the virus is designed to be activated on the third of every month and release the payload.
Biviano said the virus represents a shift away from malicious code carrying benign payloads towards something even they have not seen in sometime: destroying data to create real damage.
"This is nothing new, a timebomb in a virus, is by no means a new technique," Biviano said.
"The Michelangelo virus in the 90s waited for a specific annual date to do damage, but I have not seen any behave like this for some time. It also saves itself on the hard disk with a filename that looks familiar to the user, or masks itself as a common application."
For more information go to http://cme.mitre.org/.