CME-24 (BlackWorm) Users’ FAQ

This FAQ was authored by members of the TISF BlackWorm task force (specifically the MWP / DA groups and the SANS ISC handlers).

The purpose is both to provide a resource for concerned users and network administrators, and to be a level-headed, myth-free source on the subject.

There has been a good deal of media hype, along with some “end-of-the-world” predictions. The end of the world is not coming and most of us will still be here after February 3rd, but this is a serious issue for those who are infected and whom we did not manage to reach in time.

“300,000 infected users worldwide is not a terribly large amount when compared to previous worms like Sober or Mydoom. However, with this worm it isn’t the quantity of infected users, it is the destructive payload which is most concerning.”
– Joe Stewart, LURHQ.

Q. What is CME-24?

A. A mass-mailing worm with a destructive payload. The linked antivirus
vendor descriptions and analyses give further detail on this malware.

Q. I hear about new viruses all the time; what makes this one a “big
deal”?

A. This destructive virus overwrites (and so effectively destroys) data
files belonging to a number of popular programs on February 3rd, 2006,
and again on the 3rd day of every month thereafter. According to the
vendor descriptions quoted further down this page, the payload fires
roughly 30 minutes after an infected machine is started on that day, so
no user action is needed for the damage to occur.

Files the malware destroys include those ending with the following
extensions: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP and ZIP.

Another factor that makes this virus particularly noteworthy is its
broad distribution: estimates put the number of infected machines in the
hundreds of thousands (see the LURHQ statistics).

A further factor is its self-defense mechanism. The worm closes any
window whose caption contains one of the following strings: SYMANTEC,
SCAN, KASPERSKY, VIRUS, MCAFEE, TREND MICRO, NORTON, REMOVAL or FIX. As a
result, many antivirus programs, scanners and removal tools cannot be
updated or even run on a system that is infected with CME-24. Because the
check is on the window caption rather than the program's file name,
simply renaming a scanner's executable will not keep it open if its title
bar still shows one of those words.

Q. You refer to this virus/worm as CME-24 — that’s not what *my*
antivirus vendor calls it. What other names does CME-24 use?

Vendor            Malware Name

Authentium        W32/Kapser.A@mm
AntiVir           Worm/KillAV.GR
Avast!            Win32:VB-CD [Wrm]
AVG               Worm/Generic.FX
BitDefender       Win32.Worm.P2P.ABM
ClamAV            Worm.VB-8
Command           W32/Kapser.A@mm (exact)
Dr Web            Win32.HLLM.Generic.391
eSafe             Win32.VB.bi
eTrust-INO        Win32/Blackmal.F!Worm
eTrust-VET        Win32/Blackmal.F
Ewido             Worm.VB.bi
F-Prot            W32/Kapser.A@mm (exact)
F-Secure          Email-Worm.Win32.Nyxem.e
Fortinet          W32/Grew.A!wm
Ikarus            Email-Worm.Win32.VB.BI
Kaspersky         Email-Worm.Win32.Nyxem.e
McAfee            W32/MyWife.d@MM
Nod32             Win32/VB.NEI worm
Norman            W32/Small.KI (W32/Small.KI@mm)
Panda             W32/Tearec.A.worm (W32/MyWife.E.Worm)
QuickHeal         I-Worm.Nyxem.e
Sophos            W32/Nyxem-D
Symantec          W32.Blackmal.E@mm
Trend Micro       WORM_GREW.A (Worm_BLUEWORM.E)
VBA32             Email-Worm.Win32.VB.bi
VirusBuster       Worm.P2P.VB.CIL

(source: AV-Test.org)

Q. What is CME?

A. CME (Common Malware Enumeration) provides single, common identifiers for new virus threats to reduce public confusion during malware outbreaks. CME is not an attempt to solve the challenges involved with naming schemes for viruses and other forms of malware, but instead aims to facilitate the adoption of a shared, neutral indexing capability for malware.

Q. How do people get infected with CME-24?

A. Known infection methods include infected email attachments and
network shares; other mechanisms are also possible.

While some areas of the world appear to be more prone to infection than
others, infected systems may be found in virtually all countries.

Q. What should I do to protect myself from getting infected with CME-24?

A. There are a number of things you can do:

Email attachments can contain viruses.

If your Internet Service Provider provides an email scanning service
subscribe to it.

Do not open attachments without first verifying that a trusted sender
intentionally sent it to you by asking them if they sent you an
attachment.

Scan email attachments before opening them.

Do not open emails that claim to have naughty content. This is a common
trick used by email based viruses.

Backup your system!
You should be routinely making backups of your system. If you have been
putting it off, do it now. Backups are the foundation that will help you
recover if your system does get infected, and they are the most reliable
way to recover your data after any data corruption event, virus, malware
or hardware failure.

Note that your backup should be taken to non-rewritable media and/or
stored offline. If you do not, then depending on the format you use, your
backups may themselves be at risk from the malware's destructive payload.
In particular, backing important files up into a ZIP archive, onto
mirrored hard drives, or onto a file share will not protect you: ZIP is
one of the extensions the payload targets, a mirror faithfully copies the
damage, and a share that is mounted on the infected machine may be
reachable by it. A backup job that runs on or after the 3rd may also copy
the already-damaged files over your good copies, so keep more than one
generation of backups.

On new systems, create recovery CDs. Many systems sold today do not come
with recovery CDs; the purchaser is expected to create them. Consult the
manufacturer's documentation for details.

Ensure that you have antivirus software installed, and that you have
up-to-date antivirus definitions covering this particular malware. Do a
full system scan and confirm that you are not infected with CME-24 or
other malware. If you are infected, seek professional assistance to fix
the problem at once.

Do not unnecessarily share or mount shareable filesystems. Filesystems
should never be made available with weak or non-existent passwords.

Q. Help, I think I have been infected with CME-24. What should I do now?

A. If you have anti-virus software installed, verify that it is up to
date; check with your anti-virus vendor if you are unsure how to do this.
If you had anti-virus software that you believe was disabled by CME-24,
you may have to uninstall it before re-installing it. Bear in mind the
self-defense mechanism described above: while the worm is running it
closes windows with antivirus-related captions, so a scan may only
succeed once the worm's process has been stopped.

If you do not have anti-virus software installed there are several
anti-virus products that offer free or trial tools.

Av-test.org maintains a list of antivirus products.
http://www.av-test.org/sites/links.php3?lang=en&extra=viren&sort=1
and West Coast labs at
http://www.westcoastlabs.org/cm-av-list.asp?Cat_ID=2
and ICSA
https://www.icsalabs.com/icsa/product.php?tid=dfgdf$gdhkkjk-kkkk.

Some of these vendors offer free online scans as well. Be aware that
online scanners usually require ActiveX or Java to be enabled, may take a
long time, and probably require administrator privileges. Online scanners
also do not provide any long-term protection against reinfection.

If you’ve already been infected, you should seek professional help to
deal with that infection at once. Failure to deal with this malware
prior to the 3rd day of the month can result in data loss.

Q. Some very important file was trashed by the worm. I really need to
get the information that was in that file. I don’t have a clean backup.
What can I do? Can I get back at least part of that file?

A. Possibly. Some file recovery tools might recover all or part of the
missing data, and a data recovery service may also be able to assist.
Stop using the affected disk in the meantime, since every further write
reduces the chance that the old contents can still be found.
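The following script is an added example written for this FAQ; it is not code from the task force or from any antivirus vendor. It walks a directory tree, classifies every file with one of the targeted extensions as intact or overwritten, and can record a SHA-256 manifest of the good files before the 3rd so that afterwards you can list exactly which files changed and therefore must be restored from a copy taken before the trigger date (a backup job run after it will have copied the damaged version). Two assumptions are not stated in the FAQ body itself and are labelled in the code: an overwritten file contains only the marker text “DATA Error [47 0F 94 93 F4 K5]” given in the McAfee description quoted in the comments, and it is therefore tiny (commenters report 1 KB).

```python
"""Triage scan for files hit by the CME-24 (BlackWorm) date-triggered payload.

Added example written for this FAQ; not code from the TISF task force or any
antivirus vendor. Assumptions (not stated in the FAQ body itself):
  * an overwritten file holds only the marker text quoted in the McAfee
    description reproduced in the comments, "DATA Error [47 0F 94 93 F4 K5]",
    and is therefore tiny (commenters report 1 KB);
  * the targeted extensions are the ones the FAQ lists.
"""
from __future__ import annotations

import hashlib
import json
import os
import sys
import tempfile
from pathlib import Path

DAMAGE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
TARGET_EXTENSIONS = frozenset(
    {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps", ".rar", ".pdf", ".psd", ".dmp", ".zip"}
)
MAX_DAMAGED_SIZE = 1024  # assumption: a hit file is the marker plus at most padding


def is_targeted(path: Path) -> bool:
    """True for the extensions the payload goes after (case-insensitive)."""
    return path.suffix.lower() in TARGET_EXTENSIONS


def is_damaged(path: Path) -> bool:
    """True when the file body is nothing but the damage marker."""
    try:
        if path.stat().st_size > MAX_DAMAGED_SIZE:
            return False
        body = path.read_bytes()
    except OSError:
        return False
    return body.strip(b" \r\n\t\x00") == DAMAGE_MARKER


def sha256_of(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def scan_tree(root: Path) -> dict[str, list[str]]:
    """Classify every targeted file under root as damaged or intact.
    Paths are relative to root and sorted, so two reports can be diffed."""
    damaged: list[str] = []
    intact: list[str] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = Path(dirpath) / name
            if not is_targeted(path):
                continue
            rel = path.relative_to(root).as_posix()
            (damaged if is_damaged(path) else intact).append(rel)
    return {"damaged": sorted(damaged), "intact": sorted(intact)}


def build_manifest(root: Path) -> dict[str, str]:
    """SHA-256 of every intact targeted file, keyed by relative path.
    Record this BEFORE the 3rd (and for each backup set) so a later diff
    shows exactly which files need restoring."""
    return {rel: sha256_of(root / rel) for rel in scan_tree(root)["intact"]}


def diff_manifest(old: dict[str, str], root: Path) -> dict[str, list[str]]:
    """Compare a saved manifest with the tree as it is now.
    'overwritten' files carry the marker; 'changed' files differ from the
    recorded hash; 'missing' files are gone. The first two lists must come
    back from a copy taken before the trigger date."""
    now = scan_tree(root)
    damaged = set(now["damaged"])
    current = {rel: sha256_of(root / rel) for rel in now["intact"]}
    return {
        "overwritten": [r for r in old if r in damaged],
        "changed": [r for r, h in current.items() if r in old and old[r] != h],
        "missing": [r for r in old if r not in current and r not in damaged],
    }


def run_demo() -> dict:
    """Build a constructed sample tree (not real user data) and triage it."""
    root = Path(tempfile.mkdtemp(prefix="cme24-"))
    (root / "finance").mkdir()
    # intact: OLE2 header followed by padding (a real document would be larger)
    (root / "finance" / "budget.XLS").write_bytes(b"\xd0\xcf\x11\xe0" + b"\x00" * 600)
    (root / "thesis.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"x" * 2000)
    (root / "archive.zip").write_bytes(DAMAGE_MARKER)   # already hit
    (root / "readme.txt").write_bytes(DAMAGE_MARKER)    # same bytes, but .txt is not targeted
    before = build_manifest(root)
    (root / "thesis.doc").write_bytes(DAMAGE_MARKER)    # simulate the 3rd of the month
    return {"before": before, "after": scan_tree(root), "diff": diff_manifest(before, root)}


if __name__ == "__main__":
    if len(sys.argv) == 1:                       # no args: run the built-in demo
        print(json.dumps(run_demo(), indent=2))
    elif len(sys.argv) == 2:                     # DIR: report damaged/intact files
        print(json.dumps(scan_tree(Path(sys.argv[1])), indent=2))
    else:                                        # DIR MANIFEST.json: write it, or diff against it
        root, manifest = Path(sys.argv[1]), Path(sys.argv[2])
        if manifest.exists():
            print(json.dumps(diff_manifest(json.loads(manifest.read_text()), root), indent=2))
        else:
            manifest.write_text(json.dumps(build_manifest(root), indent=2))
```

Run it with no arguments for the built-in demo, with a directory to get a damaged/intact report, or with a directory and a manifest file name: the first run writes the manifest, later runs diff against it. Running the same manifest step against a backup volume tells you whether the backup still holds good copies or has already absorbed the damage.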

Q. Why would someone do something so tremendously stupid and
destructive?

A. Unless the author comes out and tells us we may never know why.

Q. I run Windows Media Center Edition, Mac OS X, Linux, have a Treo,
etc. Is my system at risk? Or is this just a Windows XP thing?

A. This virus only affects Windows operating systems, but it affects
nearly every version of Windows. According to Microsoft's Security
Encyclopedia, Windows NT 3.x/4.0, 95, 98, ME, 2000, XP and Server 2003
are all potentially affected.

NETWORK ADMINISTRATORS PORTION

Q. I’m a mail server administrator. How can I protect my customers
from CME-24 and other malware?

A. There are several things you may want to do:

You may want to run a server-side antivirus program, or software to
strip or defang potentially dangerous attachments. Under Unix, ClamAV is
one example of a free antivirus program that you can run on your mail
server, and the Procmail Email Sanitizer (from Impsec) is an example of a
program that will remove or defang potentially hostile attachments.
Under Windows there are several email-scanning antivirus programs
available.
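As an added example of the “strip or defang” idea (it is not the Procmail Email Sanitizer, ClamAV or any vendor's code), the Python script below parses a MIME message as an MTA would hand it over, replaces every attachment whose final extension is on a blocklist with a plain-text notice, and returns a quarantine log for the abuse desk. The blocklist, the notice wording and the sample message are all assumptions made for the example; the FAQ does not say which attachment types the worm sends. A real deployment would sit behind the MTA as a content filter and also pass the message to an antivirus engine.

```python
"""Defang risky e-mail attachments on the server side.

Added example written for this FAQ; it is not the Procmail Email Sanitizer,
ClamAV or any vendor's code. Assumptions: the blocklist of extensions, the
notice wording and the sample message are made up for the example (the FAQ
does not say which attachment types the worm sends).
"""
from __future__ import annotations

import email
import hashlib
from email import policy
from email.message import EmailMessage

# Assumed blocklist: executable/script types a mail server rarely needs to deliver.
RISKY = frozenset({".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta", ".cpl"})


def risky_name(filename: str | None) -> bool:
    """True when the attachment's final extension is blocked.
    Only the last suffix counts, so the double-extension trick
    ("invoice.pdf.scr") is caught while "report.pdf" is allowed through."""
    if not filename:
        return False
    dot = filename.rfind(".")
    return dot != -1 and filename[dot:].lower() in RISKY


def defang(msg: EmailMessage) -> tuple[EmailMessage, list[dict]]:
    """Replace every risky attachment with a text notice, in place.
    Returns the message and a quarantine log (name, size, SHA-256) so the
    abuse desk can match a complaint to what was removed."""
    quarantined: list[dict] = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if not risky_name(name):
            continue
        payload = part.get_payload(decode=True) or b""
        digest = hashlib.sha256(payload).hexdigest()
        quarantined.append({"filename": name, "size": len(payload), "sha256": digest})
        notice = (
            f"Attachment '{name}' ({len(payload)} bytes, sha256 {digest}) was removed "
            "by the mail server because its file type is not accepted. Contact "
            "postmaster@ quoting the hash if you believe this was a mistake.\n"
        )
        part.clear_content()                       # drops payload and Content-* headers
        part.set_content(notice, disposition="attachment", filename=f"{name}.txt")
    return msg, quarantined


def build_sample() -> EmailMessage:
    """A constructed message, not a captured worm sample."""
    msg = EmailMessage()
    msg["From"] = "someone@example.test"
    msg["To"] = "customer@example.test"
    msg["Subject"] = "Hot movie"
    msg.set_content("see attached")
    msg.add_attachment(b"%PDF-1.4 harmless placeholder\n",
                       maintype="application", subtype="pdf", filename="report.pdf")
    msg.add_attachment(b"MZ" + b"\x00" * 64,             # fake PE header, 66 bytes
                       maintype="application", subtype="octet-stream",
                       filename="Kama_Sutra.jpg.scr")
    return msg


def run_demo() -> dict:
    """Round-trip the sample through bytes (as an MTA would) and defang it."""
    raw = build_sample().as_bytes()
    parsed = email.message_from_bytes(raw, policy=policy.default)
    clean, log = defang(parsed)
    attachments = list(clean.iter_attachments())
    notice = next(p.get_content() for p in attachments if p.get_content_type() == "text/plain")
    return {
        "names": [p.get_filename() for p in attachments],
        "quarantine": log,
        "notice": notice,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run_demo(), indent=2))
```

The replacement keeps the message structure intact (the recipient still sees an attachment, now a .txt notice carrying the hash), which avoids the support calls that silent dropping causes while never delivering the executable bytes.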

You should also endeavor to accept, process and resolve notifications
you may receive about infected customers. Confirm that you have a
working abuse@ address, a working postmaster@ address, and current
whois contact information for your domain(s). See
RFC 2142 for clarification.

If you have netblock(s) that have been assigned to you via SWIP or
whois, or an autonomous system number (ASN), please make sure that you
have current abuse reporting contact information defined in whois for
those resources as well.

If you operate an intrusion detection system, consider running the
Bleeding Snort rules, which may help you to identify potentially infected
customers.

Educate your customers about effective security practices.

Site license an antivirus product and distribute it to your customers.

Encourage customers to routinely apply patches.

Encourage customers to use a software and/or hardware firewall.

Encourage customers to routinely backup their systems.

Where terms of service and applicable law permit, scan customer systems
for vulnerabilities and ensure that infected or vulnerable customers get
fixed or are removed from the network.

This document was prepared by the TISF BlackWorm task force which
includes many elements in the security communities including: anti spam
groups, CERTs, anti-virus teams, academia, law enforcement, and ISP’s.

The TISF BlackWorm task force would like to thank all the contributors
to this FAQ including: Members of the DA/MWP groups and The Internet
Storm Center handlers.

Original can be found at:
SANS ISC
SecuriTeam Blogs

  • http://isd.alabama.gov Lane

    I read in different places about the DoS attack it does. Is this a myth? If it does have a DoS component, please let me know its characteristics.

    Thanks,
    Lane

  • sunshine

    The worm performs an Internet availability check by going to microsoft.com. It may appear like a DDoS, but it isn’t.
    :)

  • Dan

    I appreciate the information that you have available on your blog site. I would like to bring to your attention a discrepancy in two AV vendors’ descriptions of the CME-24 virus payload. I was wondering if anyone had any definitive information about the nature of the payload, specifically whether it is able to corrupt files across mapped drives.

    I have tested this in my lab, and have seen the virus corrupt files on the local drive but not on a mapped drive. Which vendor is supplying their customers with the correct information? We feel that it is a significant problem if the information that an AV vendor provides is incorrect, and it would need to be corrected.

    Please see the attached vendor quotes.

    From F-Secure’s Blog: http://www.f-secure.com/weblog/#00000797 February 1, 2006 10:46am ET

    “When Nyxem activates, it will overwrite all of your DOC/XLS/PPT/ZIP/RAR/PDF/MDB files. This is nasty, as this is done on all mounted drives, ie. any drive that has a drive letter. So it might affect your USB thumb drives, external hard drives and network drives! Also, if you’re taking daily automatic backups you might end up backing up the corrupted files over good files.”

    From McAfee: http://vil.nai.com/vil/content/v_138027.htm February 1, 2006 11:00am ET

    “Date Activated Payload

    On the 3rd day of any month, approximately 30 minutes after an infected system is started, the worm overwrites files on local drives with the following extensions with the text “DATA Error [47 0F 94 93 F4 K5]“:

    DOC
    XLS
    MDB
    MDE
    PPT
    PPS
    ZIP
    RAR
    PDF
    PSD
    DMP
    Testing confirms that this payload does not affect mapped network drives.”

    I have asked this question many times and continue to get conflicting reports.

    Does anyone know the answer to this question??

  • Pingback: dmiessler.com | blog

  • Pingback: Sergio Hernando » Alert: CME-24 aka Kama Sutra

  • Pingback: Waterloo Systems

  • Pingback: Benjamín Gálvez, Weblog. » Day 3 of every month, activation of the “Kama Sutra” worm.

  • chandu

    DATA Error [47 0F 94 93 F4 K5]
    Can a *.doc be recovered? If it can, please mail me how.

  • bharat

    When your system is infected by the latest virus, named w32.blackmal.e or mywife.e, and you are working in a big organisation on Win2000, the first thing you need to do is stop your Admin$ share.
    Open Regedit.

    For Server: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
    Make a DWORD value named AutoShareServer with value "0" to disable administrative shares like C$, Admin$ etc.

    For Workstation: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\
    Make a DWORD value named AutoShareWks with value "0". This will surely prevent your system from infection.

    Rgds
    Bharat
    Bharat123002@yahoo.com
    9811130606

  • http://networksecurity.typepad.com/ Juha-Matti Laurio

    Internet Storm Center has released some recovery instructions and links to several recovery tools at their Diary page on Saturday:
    http://isc.sans.org/diary.php?storyid=1096

  • SIVA

    dear all,

    I lost my .doc, .xls, .ppt and .pdf files due to a worm virus.
    Whenever I open one of those files, it displays the message data error “(47 0f 94 93 f4 k5)”.
    If anyone knows the answer to this, please help me.

    regds, siva
    sivahclinsysrnc@yahoo.com

  • sunshine

    I posted a bit on data recovery from this worm:
    http://blogs.securiteam.com/index.php/archives/273

  • sunshine

    CAIDA analysis on CME-24/BlackWorm:
    http://blogs.securiteam.com/index.php/archives/275

  • giftvijay

    Please help us

  • http://www.cmitelecom.com Deba

    When I open my files, they show DATA Error [47 0F 94 93 F4 K5]. All my data in those files has been lost. Please help me out: how can I recover all my lost data?

    thank u
    Deba
    info@cmitelecom.com

  • http://blogs.securiteam.com/index.php/archives/260 nirtanjai

    I lost my .doc, .xls, .ppt and .pdf files due to a worm virus.
    Whenever I open one of those files, it displays the message data error “(47 0f 94 93 f4 k5)”.
    If anyone knows the answer to this, please help me.

    regds

  • cudet

    I lost all my data... Can someone advise me on how I could recover all the data, please...

  • Pingback: SecuriTeam Blogs » It is the second day of BlackWorm

  • noel

    Hello, please help me. I got stuck with this DATA Error [47 0F 94 93 F4 K5] and all my documents, pdf files, .ppt files and .rar files got corrupted. Please help me, please. Thanks. More power...

  • ramesh

    I lost my .doc, .xls, .ppt and .pdf files due to a worm virus.
    Whenever I open one of those files, it displays the message data error “(47 0f 94 93 f4 k5)”.
    If anyone knows the answer to this, please help me, because 10 years of documents are stored on my system. I have to recover those .doc and .xls files. Please.

    regds

  • Sidharatha

    SOS SOS SOS! Please help me with the DATA Error [47 ------ K5]. My XP based machine has converted my files to 1 KB. Of course, cost-free solutions or beta-level ones.

    Sidharatha

  • sathya

    I lost the data in my .doc and .xls files; they contain the error message data error [47 0F 94 93 F4 K5].
    I lost the data. Can you tell me how I can protect against this, and the method or tool to recover my lost data?

  • arun

    I lost my .doc, .xls, .ppt and .pdf files due to a worm virus.
    Whenever I open one of those files, it displays the message data error “(47 0f 94 93 f4 k5)”.
    If anyone knows the answer to this, please help me.

    regds

  • Gopi

    I lost my DOC and XLS files. Please help me get all my data back, please help me.

  • Gopi

    I lost my DOC and XLS files. When I open a file, it displays the message DATA ERROR 47 0F 94 93 F4 K5. Please help me get all my data back, please help me.

  • Nurtan

    I lost my .doc, .xls, .ppt and .pdf files due to a worm virus.
    Whenever I open one of those files, it displays the message data error “(47 0f 94 93 f4 k5)”.
    If anyone knows the answer to this, please help me.

    regds

  • Rauf Mulani

    I lost my .doc, .xls, .ppt and .pdf files due to a worm virus. Whenever I open one of those files, it displays the message data error “(47 0f 94 93 f4 k5)”.

    If anyone knows the answer to this, please help me.

  • pawan jain

    I have lost all my doc and xls files.
    Can anyone help me? The error shown is
    DATA Error [47 0F 94 93 F4 K5]

    Please, please help us.

  • Ramswaroop

    When I want to open my .DOC and .XLS files, the message “data error (47 0f 94 93 f4 k5)” appears and I cannot see my entries. What should I do? Please help me.

  • Ankit Doshi

    Hi,
    My system is infected with the BlackWorm. I need to recover my infected files. Please give me some solution.
    Bye.

  • http://www.transformsolution.net dhaval

    When I open my Excel and Access files, they show DATA Error [47 0F 94 93 F4 K5]. All my data in those files has been lost. Please help me out: how can I recover all my lost data?
    Please send me a solution as soon as possible.

    thank u

  • Pablo

    Hi! Please!!! I need help. Apparently this worm, CME-24, has infected a machine that isn’t mine!!! The problem is that it’s using my mail address to auto-send mail containing the virus to some of my contacts. I scanned all of my computer, and I don’t have any infection, so it has to be another computer, some computer that I must have sent a mail to (because the virus uses my address). PLEASE, I need to know what to do!!!!! Can’t I do anything to stop this virus using my e-mail address? Many of my contacts deleted me from their contacts to stop receiving these mails.
    Please answer to my e-mail. Thanks.

  • francis

    dear all,

    I lost my .doc, .xls, .ppt and .pdf files due to a worm virus.
    Whenever I open one of those files, it displays the message data error “(47 0f 94 93 f4 k5)”.
    If anyone knows the answer to this, please help me.

    regds, siva

  • kaushik

    I lost my .doc, .xls, .ppt and .pdf files due to a worm virus.
    Whenever I open one of those files, it displays the message data error “(47 0f 94 93 f4 k5)”.
    If anyone knows the answer to this, please help me.
    mail me on
    kaushikb2005@yahoo.co.in

    Thanx

    regds
    kaushik

  • umesh

    Please help me, help me. All my .doc, .xls, .ppt and .pdf files
    are corrupted and show only 1 KB in size; whenever I open one it always shows the following error: “DATA Error [47 0F 94 93 F4 K5]”.
    Please help me via e-mail.

  • Pingback: iPod Downloads

  • http://psponlineinfo.com/ PSP Games

    Dude,

    I lost my .doc, .xls, .ppt and .pdf files due to a worm virus. Does anyone know how I can get them back?

    Thanks,

    AllieK

  • http://www.psp-download-universe.info Rich H.

    Wow, I never realized how serious this really is.

  • http://www.psp-download-universe.info PSP Game Downloads

    Wow, I never realized how serious this really is.

  • http://ipodmusicdownloads.info Ipod Music Downloads

    I lost all my data... Can someone advise me on how I could recover all the data, please...

  • vikram

    Dear
    On the fourth day of every month the worm resets the content of files with specific extensions. It searches for files on the hard disk with the following extensions and replaces their contents with “DATA Error [47 0F 94 93 F4 K5]”:
    *.doc
    *.xls

    The first time the worm will corrupt the content of those files is on DECEMBER 4th, 2007,

    and TODAY, 4 Jan 2008, same problem.
    Give a solution.

  • dipti

    I forgot my password. How do I recover my password-protected Excel file?