Blackmal/Blackworm Alert
infectionvectors.com
September 2004
Vector: Email attachment
Impact: Low (consumes local resources, generates mail traffic)
Blackmal (Symantec) is also known as MyWife (Panda), Bluworm (Trend) and Blackworm. The last name is found in the code of the worm and in one of the files it generates, and is used as part of one routine (changing the user name for WinZip to “Blackworm”). This alert was generated in response to 2 new variants being detected in rapid succession.
The mass mailer searches for addresses in the Yahoo Pager, MSN Messenger, and DBX/HTM files. It attempts to kill a few specific antivirus/security applications as well (Norton, McAfee, Trend antivirus and Deep Freeze software).
Blackmal.C and D can be identified by the following From fields:
ack_back06@mail.com
admin@newmovies.com
gustes@msn.com
hot_woman2362@freevideos.net
King_sexy@hotmal.com
linda200@gmail.com
lost_love705@yahoo.com
sandra@oxygen.com
thomas_gay6@iopus.com
user377@worldsex.com
And the following Subjects:
For all
Hello
please reactive
Please reactive now
Please reactive now.
Thank you
Thanks
Update
Blackmal.C and D also delete Registry values associated with other worms, mostly mass mailers such as Beagle and MyDoom. The worm drops a number of files including a pornographic image file (life.jpg), a rant against Microsoft (about_blackworm.c.txt), an advertisement for a music/movie site (about.txt, music09.rm, etc.) and the files used by Blackmal to carry out the malicious actions. The worm arrives as a compressed archive, TGZ, ZIP, Z, or GZ.
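The From addresses, Subjects and archive types above are exactly the kind of indicators a mail gateway or log-review script can apply. The following is an added example, not code from infectionvectors.com or from any vendor: it parses a message, checks the sender and normalised subject against the lists in this alert, looks for an attached TGZ/ZIP/Z/GZ archive, and only raises a verdict when a listed sender appears or a listed subject coincides with such an archive, since the subjects on their own ("Hello", "Update") are too generic to act on. The two sample messages embedded in the block are constructed for the demonstration; the recipient domain and attachment names are placeholders.

```python
"""Triage filter for the Blackmal.C/D mail indicators listed in this alert.

Added example, not the alert's own code. Sender addresses, subjects and
archive extensions are the ones the alert lists; the sample messages are
constructed here for the demonstration.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Sender addresses from the alert (compared case-insensitively).
BLACKMAL_SENDERS = {
    "ack_back06@mail.com", "admin@newmovies.com", "gustes@msn.com",
    "hot_woman2362@freevideos.net", "king_sexy@hotmal.com",
    "linda200@gmail.com", "lost_love705@yahoo.com", "sandra@oxygen.com",
    "thomas_gay6@iopus.com", "user377@worldsex.com",
}

# Subjects from the alert, normalised: lower-case, trailing period stripped
# (so "Please reactive now" and "Please reactive now." collapse to one entry).
BLACKMAL_SUBJECTS = {
    "for all", "hello", "please reactive", "please reactive now",
    "thank you", "thanks", "update",
}

# Archive types the alert says the worm arrives as.
ARCHIVE_EXTENSIONS = (".tgz", ".zip", ".z", ".gz")


def normalise_subject(subject):
    """Lower-case the subject and drop trailing whitespace/periods."""
    return re.sub(r"[.\s]+$", "", (subject or "").strip()).lower()


def attachment_names(msg):
    """Collect the filenames of every attachment part in a parsed message."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def score_message(raw):
    """Return the list of alert indicators matched by one RFC 822 message."""
    msg = message_from_string(raw)
    hits = []
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in BLACKMAL_SENDERS:
        hits.append("from:" + sender)
    subj = normalise_subject(msg.get("Subject"))
    if subj in BLACKMAL_SUBJECTS:
        hits.append("subject:" + subj)
    for name in attachment_names(msg):
        if name.lower().endswith(ARCHIVE_EXTENSIONS):
            hits.append("archive:" + name)
    return hits


def is_suspect(raw):
    """Verdict: a listed sender is enough on its own; a listed subject
    counts only when it arrives together with an archive attachment."""
    kinds = {h.split(":", 1)[0] for h in score_message(raw)}
    return "from" in kinds or {"subject", "archive"} <= kinds


# Constructed sample: matches a listed sender, a listed subject and a ZIP.
SAMPLE_WORM = """From: linda200@gmail.com
To: victim@example.invalid
Subject: Please reactive now.
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

hi
--b1
Content-Type: application/zip; name="photo.zip"
Content-Disposition: attachment; filename="photo.zip"

UEsDBAo=
--b1--
"""

# Constructed sample: generic subject, unlisted sender, text attachment only.
SAMPLE_BENIGN = """From: colleague@example.invalid
To: victim@example.invalid
Subject: Hello
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

meeting notes attached
--b2
Content-Type: text/plain; name="minutes.txt"
Content-Disposition: attachment; filename="minutes.txt"

agenda
--b2--
"""

if __name__ == "__main__":
    for label, raw in (("worm", SAMPLE_WORM), ("benign", SAMPLE_BENIGN)):
        print(label, score_message(raw), is_suspect(raw))
```

The subject list is deliberately not used as a stand-alone trigger; with subjects this common, the sender list and the archive attachment carry the signal, and the subject only raises confidence when both coincide.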
Blackmal’s return is interesting as it is another worm that has taken aim at the successful mass mailers Beagle, MyDoom, and MiMail (similar to Atak and Frammy earlier in the summer), just as it did in March of 2004 with its original version. The worm’s first release also contained a very well written fake email supposedly from “Norton AntiVirus” as one of the possible message bodies. The others were all of a pornographic nature. The author has toned down the content slightly this time, with the obvious exception of actually attaching a picture, possibly in hopes of compromising more machines with a simple message (in the same vein as one of the worm’s chosen competitors, Beagle).