Secure Most Provide you most reliable security utilities!
Home Articles File Center Privacy Contact us Links
Now Position: Home>Tech Articles>Free Invasion from Worms
How to Detect and Remove Blackmal.B Worm Virus?
What is Blackmal.B worm and How Did I Get It?

Blackmal.B is a minor variant of Blackmal.A.

The two worms differ in:

  • The size of the worm
  • Some of the possible viral file names
  • And the email subjects and messages that the worm creates.

    The major viral behaviors of both variants are identical.

Also known as: W32/MyWife.b@MM, I-Worm.Nyxem.B, W32/Nyxem-B, WORM_BLUEWORM.B

When Blackmal.B runs, it does the following:

  1. Creates a %Windir%\TEMPORARY folder and sets the Hidden attribute.

  2. Copies itself as the following files, sets their attribute as Hidden and Read-only, and then executes one of them.
    • %System%\BlackWorm.exe
    • %System%\<random_file_name1>
    • %Windir%\TEMPORARY \<random_file_name2>
    • %Windir%\Win 32.com or %Windir%\Win.exe

  3. Copies itself as multiple .src files, or archives itself as a .zip or .tgz file, and then drops them in the %System% folder.

    The files will use any of the following file names:
    • WebCam.MPEG
    • suck[7].MPEG
    • April.MPEG
    • Video2.MPEG
    • Julia.MPEG
    • juanita.MPEG
    • F***ing.MPEG
    • Sex[4].MPEG
    • Frinds.MPEG
    • Ricky.MPEG
    • Cluley.MPEG
    • Sexual.MPEG

      with one of the following file extensions that are preceded by underscores:

      _________________________________________________________.exe
      _________________________________________________________.scr

      or:
    • BlackDog
    • April
    • Video
    • JuliaRoberts
    • BigF***
    • sucking
    • Hilton
    • shkira1990
    • Vclip2
    • F***GIRL
    • RickyMartin
    • AssClip
    • Sex

      with one or two of the following file extensions:
    • .zip
    • .tgz
    • .taz
    • .z
    • .tz
    • .gz

  4. Creates shortcuts to the previous files in the C:\Documents and Setttings\<current user>\Recent folder.

  5. Creates a file named Media.Temp.Mpeg in the %Temp% folder, and then attempts to open Windows Media Player.

  6. Creates and registers the following .dll files so that the worm can spread itself through email:
    • OSSMTP.dll
    • Oswinsck.dll

  7. Adds the values:
    • "<random_file_name1>.exe"="%System%\<random_file_name1>.exe"
    • "(default)"="%Windir%\TEMPORARY \<random_file_name2>.exe"

      or:
    • "(default)"="%System%\<random_file_name1>.exe"
    • "<random_file_name2>.exe"="%Windir%\TEMPORARY \<random_file_name2>.exe"

      to the registry keys:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \RunServices
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
      \Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
      \RunServices

      so that the worm runs when Windows starts.

  8. Adds the value:

    "Default"="C:\WINNT\System32\<random_file_name1>.exe"

    to the registry keys:
    • HKEY_CURRENT_CONFIG\Software\Microsoft
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft

  9. Adds the value:

    "Default"="C:\WINNT\TEMPORARY\<random_file_name2>.exe"

    to the registry keys:
    • HKEY_CURRENT_CONFIG\Display\Fonts
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\0001\Display\Fonts
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\Display\Fonts

  10. Creates the following keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OSSMTP.Attachment
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OSSMTP.CustomHeader
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OSSMTP.SMTPSession
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oswinsck.TCP
    • HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EF49731F-24F2-11D4-BDD0-00104BFEC09F}
    • HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}
    • HKEY_LOCAL_MACHINE\Software\Classes\Interface\{57506911-EDA2-4815-810B-7C55A685DA51}
    • HKEY_LOCAL_MACHINE\Software\Classes\Interface\{5FB91338-D8D6-4431-B490-8388D37AFE96}
    • HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A24154AB-E52F-4F9F-91A0-4E3E243BEDBE}
    • HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A34B63B9-8FD8-4004-BED1-4E6E587B5175}
    • HKEY_LOCAL_MACHINE\Software\Classes\Interface\{BF257289-25B8-11D4-BDD0-00104BFEC09F}
    • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}
    • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}
    • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-IDEA85AAA772}

  11. Deletes the values:
    • "NPROTECT"
    • "ccApp"
    • "ScriptBlocking"
    • "MCUpdateExe"
    • "VirusScan Online"
    • "MCAgentExe"
    • "VSOCheckTask"
    • "McRegWiz"
    • "McVsRte"
    • "PCClient.exe"
    • "PCCIOMON.exe"
    • "pccguide.exe"
    • "PccPfw"
    • "tmproxy"
    • "McAfeeVirusScanService"
    • "NAV Agent"
    • "PCCClient.exe"
    • "SSDPSRV"
    • "Taskmon"
    • "KasperskyAv"
    • "system."
    • "msgsvr32"
    • "Windows Services Host"
    • "Explorer"
    • "Sentry"
    • "ssate.exe"
    • "winupd.exe"
    • "au.exe"
    • "gigabit.exe"
    • "Norton Antivirus AV"
    • "SysMonXP"
    • "sysinfo.exe"
    • "Microsoft System Checkup"
    • "ICM version"
    • "Microsoft IE Execute shell"
    • "Winsock2 driver"

      from the registry keys:
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \Run
    • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion
      \RunServices
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
      \Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
      \RunServices

  12. Attempts to delete all the files or executables in the following folders:
    • %Program Files%\Norton AntiVirus\
    • %Program Files%\McAfee\McAfee VirusScan\Vso\
    • %Program Files%\Trend Micro\PC-cillin 2002\
    • %Program Files%\Trend Micro\PC-cillin 2003\
    • %Program Files%\Trend Micro\Internet Security\
    • %Program Files%\Symantec\LiveUpdate\

      so that the software cannot run to detect the worm.

  13. Performs a Distributed Denial of Service (DDoS) attack against www.nymex.com.

  14. Enumerates network shares and attempts to copy itself to the open shares.
How to Remove the Blackmal.B Worm?

Kaspersky Internet Security Can Prevent You From Virus and Intrusion. If Kaspersky detects Blackmal.B during the scan, it will AUTOMATICALLY offer you the option of deleting it. Do this by following the program's instructions.

Follow these steps in removing the Blackmal.B worm.

1. Disabling System Restore (Windows Me/XP)

For instructions on how to turn off System Restore, read your Windows documentation, or one of the following articles: "How to disable or enable Windows Me/XP System Restore".

2. Restarting the computer in Safe mode or VGA Mode
Shut down the computer and turn off the power. Wait for at least 30 seconds, and then restart the computer in Safe mode or VGA mode.
  • For Windows 95, 98, Me, 2000, or XP users, restart the computer in Safe mode.
  • For Windows NT 4 users, restart the computer in VGA mode.
3. Reversing the changes made to the registry
  1. Click Start, and then click Run. (The Run dialog box appears.)
  2. Type regedit

    Then click OK. (The Registry Editor opens.)

  3. Navigate to the following keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
      \Run
    • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion
      \RunServices
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
      \Run
    • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion
      \RunServices

  4. In the right pane, delete the following values:
    • "<random_file_name1>.exe"="%System%\<random_file_name1>.exe"
    • "(default)"="%Windir%\TEMPORARY \<random_file_name2>.exe"

      or:
    • "(default)"="%System%\<random_file_name1>.exe"
    • "<random_file_name2>.exe"="%Windir%\TEMPORARY \<random_file_name2>.exe"

  5. Navigate to the following keys:
    • HKEY_CURRENT_CONFIG\Software\Microsoft
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\0001\Software\Microsoft
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\Software\Microsoft

  6. In the right pane, delete the value:

    "Default"="C:\WINNT\System32\<random_file_name1>.exe"

  7. Navigate to the following keys:
    • HKEY_CURRENT_CONFIG\Display\Fonts
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\0001\Display\Fonts
    • HKEY_LOCAL_MACHINE\System\CurrentControlSet\Hardware Profiles\Current\Display\Fonts

  8. In the right pane, delete the value:

    "Default"="C:\WINNT\TEMPORARY\<random_file_name2>.exe"

  9. Delete the following keys:
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OSSMTP.Attachment
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OSSMTP.CustomHeader
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\OSSMTP.SMTPSession
    • HKEY_LOCAL_MACHINE\SOFTWARE\Classes\oswinsck.TCP
    • HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{EF49731F-24F2-11D4-BDD0-00104BFEC09F}
    • HKEY_LOCAL_MACHINE\Software\Classes\TypeLib\{AA987BF8-E849-4996-9335-413DF4A8158A}
    • HKEY_LOCAL_MACHINE\Software\Classes\Interface\{57506911-EDA2-4815-810B-7C55A685DA51}
    • HKEY_LOCAL_MACHINE\Software\Classes\Interface\{5FB91338-D8D6-4431-B490-8388D37AFE96}
    • HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A24154AB-E52F-4F9F-91A0-4E3E243BEDBE}
    • HKEY_LOCAL_MACHINE\Software\Classes\Interface\{A34B63B9-8FD8-4004-BED1-4E6E587B5175}
    • HKEY_LOCAL_MACHINE\Software\Classes\Interface\{BF257289-25B8-11D4-BDD0-00104BFEC09F}
    • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{0A1C811C-88FF-493B-98A9-83B4A649ACD9}
    • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{BB81FA79-DCD7-48A6-A710-A85BD5ED9640}
    • HKEY_LOCAL_MACHINE\Software\Classes\CLSID\{C2A3FF36-C3A5-4334-968C-IDEA85AAA772}

  10. Exit the Registry Editor.

  11. Restart the computer in Normal mode.

4. Updating the virus definitions

If you do not know which anti-virus software can provide strong protection for you, Kaspersky Internet Security is recommended.

5. Scanning for and deleting the infected files

  1. Start your Kaspersky Internet Security and make sure that it is configured to scan all the files.
  2. Run a full system scan.
  3. If any files are detected as infected with Blackmal.B, click Delete.
How to Disinfect My Computer from Worms?

In order to keep your computer protected, bear the following tips in mind:

  1. If you have filtering tools installed, configure them to reject messages with the characteristics described above. If, in spite of doing this, you receive the message that contains the virus: do not open it, do not run the attached file and delete it, making sure that you also delete it from the Deleted Items folder.
  2. Install a good antivirus in your computer. Select Kaspersky Internet Security to get the Kaspersky antivirus solution that best suits your needs.
  3. Keep your antivirus updated. If automatic updates are available, configure your antivirus to use them.
  4. Keep your permanent antivirus protection enabled at all times.
Detect and Removal Instruction for Other Worms - 'B':
More Detection and Removal Instructions for Worms
Sign up for free up-to-date messages about your PC's security & privacy:
              Email
Confirm email
     Your Name    
 Anti-Keylogger  Password Pecovery
 Anti-Spam  PC Monitoring
 Anti-Spyware  Personal Firewall
 Anti-Virus  System Tools
 Online Privacy    
PQ DVD to iPod Video Suite
PQ DVD to iPod Video Suite (PQ DVD to iPod + iPod Video Converter) is a One-Click, All-In-One solution to convert DVD, Tivo, DivX, MPEG, WMV, AVI, RealMedia and many more to iPod Video ...
Kaspersky Internet Security
Internet Security processes all incoming and outgoing data on your computer, including email, Internet traffic and network interaction, without the need for additional security applications ...
Cucusoft MPEG/AVI to DVD/VCD/SVCD Converter Pro
It enables you to convert and burn any video file directly to VCD, DVD, SVCD, MPEG1 and MPEG2 format. Pro version included all the features of the lite version ...
FREE Spyware Scan! SpyNoMore
SpyNoMore scans, cleans and blocks spyware as well as any other good anti-spyware product, but with one big advantage, Custom Fix (patent pending). Spyware programs are growing more sophisticated by the day ...
Copyright ©2003-2009 SecureMost.com. All other trademarks are the sole property of their respective owners.