Zone Labs LLC Smarter Security™
Check Point
Zone Labs Security Advisory
Severity: High

BlackWorm Email Worm

Overview: BlackWorm is an email worm that uses its own SMTP engine to spread through e-mail and open network shares. BlackWorm is also known as Nyxem, Blackmal, Blueworm, and Grew. This vulnerability has been classified as "High Risk." Computer users should take appropriate action to be protected against this worm.

Date Published: January 25, 2006
Date Last Revised: January 25, 2006

Impact: Using its own SMTP engine, BlackWorm spreads using different subjects, email bodies and attachments.  The attachments sent by the worm may contain the following extensions: pif, scr, mim, uue, hqx, bhx, b64, and uu.  On February 3rd, computers that are infected with BlackWorm will have the following file types overwritten by the worm: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').

Platforms Affected:
Windows 2000
Windows 95
Windows 98
Windows Me
Windows NT
Windows Server 2003
Windows XP

Zone Labs Products:
To ensure the most comprehensive protection, computer users should employ ZoneAlarm® Security Suite, or ZoneAlarm Pro. Zone Labs products are not vulnerable to this attack. All Zone Labs security products, including ZoneAlarm, protect the user's system from unauthorized access and intrusions, and alert the user when malicious code attempts to access the network.

Recommended Actions:
Check Point Integrity®:
Check Point Integrity protects your system against this vulnerability through the following available services:

Advanced Cooperative Enforcement
Use Advanced Cooperative Enforcement to enforce policy upon remote endpoints.

Anti-Virus Rules
Anti-Virus Rules enforce the versions of AV engines and definition files. Integrity Administrators should download the latest engine(s) and definition file(s).

Classic Firewall Rules
It is recommended that you ensure:
• Only trusted hosts are in the ‘Trusted’ Zone.

E-Mail Protection
It is recommended that you block both inbound and outbound email attachments matching *.pif, *.scr, *.mim, *.uue, *.hqx, *.bhx, *.b64, and *.uu using E-Mail Protection.

SmartDefense Program Advisor

SmartDefense Program Advisor automatically blocks malware. It is recommended that you ensure the following:
• Internet Zone Security is set to High.
• Trusted Zone Security is set to Medium.
For more information about activating SmartDefense Program Advisor, please refer to CPSA-2005-10.

ZoneAlarm Family:
ZoneAlarm Pro and ZoneAlarm Security Suite protect your system against this vulnerability through "Internet Zone Security" and "Trusted Zone Security".
It is recommended that you ensure the following:

  • Internet Zone Security is set to High.
  • Trusted Zone Security is set to Medium.
  • Only trusted hosts are in the ‘Trusted’ Zone.
  • Block both inbound and outbound email attachments matching *.pif, *.scr, *.mim, *.uue, *.hqx, *.bhx, *.b64, and *.uu using E-Mail Protection.
  • Update antivirus products to provide the most up-to-date protection.
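The attachment-blocking recommendation (given above for both Check Point Integrity and the ZoneAlarm family) amounts to an extension check on every MIME part that carries a file name. The following is an added example of that check, not the E-Mail Protection feature's own logic; the function names and the sample message are constructed for illustration.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions the advisory recommends blocking, inbound and outbound.
BLOCKED_EXTS = {"pif", "scr", "mim", "uue", "hqx", "bhx", "b64", "uu"}


def blocked_attachments(raw):
    """Return the file names of MIME parts whose final extension is blocked."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.walk():  # walk() also descends into nested multiparts
        name = part.get_filename()  # decodes RFC 2231 / encoded-word names
        if not name:
            continue
        # Windows drops trailing dots and spaces when saving a file, so
        # "x.scr." lands on disk as "x.scr"; normalise before comparing.
        cleaned = name.strip().rstrip(". ").lower()
        # Only the last extension decides how the file is opened, so a name
        # like "photo.jpg.scr" is judged by "scr".
        ext = cleaned.rsplit(".", 1)[-1] if "." in cleaned else ""
        if ext in BLOCKED_EXTS:
            hits.append(name)
    return hits


def sample_message():
    """Build a constructed test message with three attachments."""
    m = EmailMessage()
    m["Subject"] = "constructed sample"
    m.set_content("constructed body text")
    m.add_attachment(b"x", maintype="application",
                     subtype="octet-stream", filename="Holiday.JPG.SCR")
    m.add_attachment("plain notes", filename="notes.txt")
    m.add_attachment(b"x", maintype="application",
                     subtype="octet-stream", filename="report.uu.")
    return m.as_bytes()


if __name__ == "__main__":
    print(blocked_attachments(sample_message()))
```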


Contact: Zone Labs customers who are concerned about information contained in this advisory or have additional technical questions may reach our Technical Support team at: http://www.zonelabs.com/support/ . To report security issues with Zone Labs products contact security@zonelabs.com .

Disclaimer: The information in the advisory is believed to be accurate at the time of publishing based on currently available information. Use of the information constitutes acceptance for use in an AS IS condition. There are no warranties with regard to this information. Neither the author nor the publisher accepts any liability for any direct, indirect, or consequential loss or damage arising from use of, or reliance on, this information. Zone Labs and Zone Labs products are registered trademarks of Zone Labs Incorporated and/or affiliated companies in the United States and other countries. All other registered and unregistered trademarks represented in this document are the sole property of their respective companies/owners.


Copyright: ©2006 Zone Labs LLC. All rights reserved. Zone Labs, TrueVector, ZoneAlarm, and Cooperative Enforcement are registered trademarks of Zone Labs LLC. The Zone Labs logo, Check Point Integrity and IMsecure are trademarks of Zone Labs, LLC. Check Point Integrity protected under U.S. Patent No. 5,987,611. Reg. U.S. Pat. & TM Off. Cooperative Enforcement is a service mark of Zone Labs LLC. All other trademarks are the property of their respective owners.

Any reproduction of this alert other than as an unmodified copy of this file requires authorization from Zone Labs. Permission to electronically redistribute this alert in its unmodified form is granted. All other rights, including the use of other media, are reserved by Zone Labs LLC.

 

 
