Wednesday, February 1, 2006
15:00 - Sounds like fun
http://isc.sans.org/diary.php?storyid=1067
When I saw someone posting a warning about this on a board I run, I was on the brink of clicking "Send" on the stern admonishment I was mailing them against spreading hoaxes that have been around since 1998. But then, well, I decided I might as well look. And "Blackworm" seems to be for real.
Over the last week, "Blackworm" infected about 300,000 systems based on analysis of logs from the counter web site used by the worm to track itself. This worm is different and more serious than other worms for a number of reasons. In particular, it will overwrite a user's files on February 3rd.
At this point, the worm will be detected by up-to-date anti-virus signatures. In order to protect yourself from data loss on February 3rd, you should use current (Jan 23rd or later) anti-virus signatures. Note, however, that the malware attempts to disable/remove any anti-virus software on the system (and does this every hour while the system is up), so if the machine was infected before signatures were deployed, obviously, that anti-virus software can't be expected to clean up the infection for you.
The following file types will be overwritten by the virus: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, ZIP. The files are overwritten with an error message ('DATA Error [47 0F 94 93 F4 K5]').
Sounds like an excellent excuse to do some backups.
Me, I'll be over here, feigning interest.
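
A triage check built from the file types and error text quoted above, as an added example that is not part of the original post or the ISC diary: it walks a directory tree and separates targeted-type files whose content is just that message from those that still look intact. The function names and the assumption that an overwritten file holds little besides the message are assumptions of this example.

```python
import os
import sys

# Extensions and marker text exactly as listed in the post above.
TARGET_EXTS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
               ".rar", ".pdf", ".psd", ".dmp", ".zip"}
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"


def is_overwritten(path, slack=64):
    """True if the file is tiny and begins with the marker text.

    Assumption: an overwritten file contains little besides the message,
    so a file much larger than the marker is treated as intact even if
    it happens to start with the same bytes.
    """
    try:
        if os.path.getsize(path) > len(MARKER) + slack:
            return False
        with open(path, "rb") as fh:
            head = fh.read(len(MARKER) + slack)
    except OSError:
        return False  # unreadable or vanished: not flagged as overwritten
    return head.lstrip().startswith(MARKER)


def scan(root):
    """Return (damaged, intact) sorted path lists for targeted file types."""
    damaged, intact = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            # Windows file names are case-insensitive: REPORT.DOC == report.doc
            if os.path.splitext(name)[1].lower() not in TARGET_EXTS:
                continue
            full = os.path.join(dirpath, name)
            (damaged if is_overwritten(full) else intact).append(full)
    return sorted(damaged), sorted(intact)


if __name__ == "__main__":
    root = sys.argv[1] if len(sys.argv) > 1 else "."
    damaged, intact = scan(root)
    for p in damaged:
        print("OVERWRITTEN", p)
    print(f"{len(damaged)} overwritten, {len(intact)} intact targeted-type files")
```

Run before a backup job, the `damaged` list shows which files should be restored from an older copy rather than backed up again over a good one.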