Perimeter Security Bulletin
Date: 02/02/06
Subject: Blackworm Set To Launch


This alert was sent to Perimeter's clients to notify them of a potential outbreak of worm activity that has been spreading across the Internet over the last few weeks; within the next 24 hours, infected hosts will likely suffer autonomous file deletions. The following bulletin is meant to provide you with information about the worm and the steps that Perimeter Internetworking has taken to protect its customer base. To find out more about Perimeter's Anti-Virus Solutions, please contact us at 800.234.2175, option #2.

About Blackworm
Blackworm and its variants are memory-resident worms that propagate by sending copies of themselves as attachments to email messages sent to target addresses, using their own Simple Mail Transfer Protocol (SMTP) engine. Through this SMTP engine, the worm can send these messages without relying on other mail applications, such as Microsoft Outlook.

Blackworm infects systems when users open attachments with the following extensions: pif, plf, and MIME (b64, BHx, HQX, mim, uu, UUE, XxE).

It also propagates via network shares, searching the network for shares where it can drop a copy of itself.

This worm deletes auto-start registry entries, as well as files associated with several programs, most of which are security and antivirus applications. These routines may cause the affected programs to malfunction, leaving the system more vulnerable to other malicious activity.

In addition, on the third day of every month, this worm overwrites all files with certain extension names 30 minutes after the affected system is restarted.

It is also capable of disabling the mouse and keyboard of the affected system.

The following file types will be overwritten by the worm: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').
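The overwrite behaviour above gives defenders a cheap triage check: a targeted document that now begins with the worm's error string has been destroyed and must be restored from backup. The script below is an added example (not Perimeter's tooling) that walks a directory, checks only the file types the bulletin lists, and reports files whose contents start with that marker; the sample tree it builds is constructed for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# File types the bulletin says the worm overwrites (compared case-insensitively).
TARGET_EXTENSIONS = {"doc", "xls", "mde", "mdb", "ppt", "pps",
                     "rar", "pdf", "psd", "dmp", "zip"}

# The error text the bulletin says replaces the original file contents.
OVERWRITE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def is_overwritten(path):
    """True if the file's leading bytes are exactly the worm's error marker.

    Only the first few bytes are read, so the check is cheap over a large
    share. None of the targeted formats legitimately begins with this ASCII
    string, so a match is a strong indicator of damage.
    """
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(OVERWRITE_MARKER))
    except OSError:
        return False
    return head == OVERWRITE_MARKER


def find_damaged_files(root):
    """Return sorted full paths of targeted-type files that carry the marker."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
            if ext in TARGET_EXTENSIONS and is_overwritten(os.path.join(dirpath, name)):
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)


def run_demo():
    """Build a constructed sample tree in a temp dir and return damaged basenames."""
    base = Path(tempfile.mkdtemp(prefix="blackworm_triage_"))
    (base / "report.doc").write_bytes(OVERWRITE_MARKER)          # destroyed document
    (base / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0 intact")  # untouched file
    (base / "notes.txt").write_bytes(OVERWRITE_MARKER)           # not a targeted type
    return [os.path.basename(p) for p in find_damaged_files(str(base))]


if __name__ == "__main__":
    for hit in run_demo():
        print("overwritten:", hit)
```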

End User Protection
Since this worm requires the user to execute an attachment, all users should take extra caution with emails that carry attachments with the following extensions: pif, plf, and MIME (b64, BHx, HQX, mim, uu, UUE, XxE).

In addition, users can take the following precautions:

  • Scan email attachments before opening them.
  • Do not open emails that claim to have x-rated content. This is a common trick used by email-based viruses.
  • Back up your systems. You should be routinely making backups of your system; backups are the most reliable way to recover your data after data corruption, a virus or malware infection, or a hardware failure.
  • Ensure that you have antivirus software installed and that your antivirus definitions are up to date and cover this particular malware.

Steps taken by Perimeter to Protect Customers from the Blackworm Activity

Desktop AV Customers: All Desktop AV clients that subscribe to Trend's services were verified to have the most current AV update for their systems. As a precautionary measure, the Damage Cleanup utility from Trend (DCT/DCE) was pushed to desktop clients to identify and stop any worm activity that may have reached desktop users through other mechanisms.

Gateway Defender Customers, SMTP Gateways: A global block is already in place that stops any pif, plf, and MIME (b64, BHx, HQX, mim, uu, UUE, XxE) attachments at the SMTP gateways, since this worm propagates through these infected attachments.
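The gateway policy above amounts to an extension block list applied to every attachment part of an inbound message. The following is an added example (not Perimeter's gateway code) showing that check with Python's standard email parser; the sample message it builds is constructed for the demonstration, and the block list is exactly the one the bulletin states.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment extensions the bulletin says are blocked at the SMTP gateways.
# Matching is case-insensitive, so "PHOTO.PIF" and "photo.pif" are treated alike.
BLOCKED_EXTENSIONS = {"pif", "plf", "b64", "bhx", "hqx", "mim", "uu", "uue", "xxe"}


def blocked_attachments(raw_message):
    """Return filenames of attachment parts whose final extension is on the block list.

    Only the last extension is checked, so "invoice.doc.pif" is caught. Files
    hidden inside archives are not inspected here; that needs archive-aware
    scanning, which the gateway AV layer provides.
    """
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()  # decodes RFC 2231/2047 encoded names
        if not name:
            continue
        ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if ext in BLOCKED_EXTENSIONS:
            hits.append(name)
    return hits


def build_sample(attachment_name):
    """Constructed message: a short text body plus one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.com"
    msg["Subject"] = "Photos"
    msg.set_content("See attached.")
    msg.add_attachment(b"\x00\x01\x02", maintype="application",
                       subtype="octet-stream", filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    for name in ("pics.PIF", "report.pdf", "archive.b64"):
        print(name, "->", "BLOCK" if blocked_attachments(build_sample(name)) else "allow")
```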

Intrusion Systems: In addition, signatures have been added to the IDS sensors within the gateway to identify activity associated with this worm. The intrusion detection systems are being continuously monitored to identify internal IP addresses attempting to connect to the counter web site the worm uses to track itself.

Firewalls: All outbound activity associated with this website has been blocked at the Internet firewalls.

Email and Gateway AV Services: Perimeter partners with multiple AV vendors to deliver its Email and Gateway AV services. All vendors have been verified to have the latest signatures in place to detect and quarantine any presence of this worm activity.

Customer Premise (CP) Location Firewall and AV Customers: Customers subscribing to Perimeter's customer premise managed firewall and AV services received updates to their devices that quarantine all activity associated with this worm.

Perimeter Worm Statistics
Perimeter has successfully stopped 700 copies of Blackworm-infected e-mails at its email gateways within the last 72 hours. This statistic does not account for the majority of the pre-protection measures, described above, that Perimeter has taken to protect customers subscribed to the Gateway Defender services.

 

Copyright 2006, Perimeter Internetworking