Forensic tools to save victims from latest Virus: Blackmal?

4 Posts
2 Users
0 Likes
516 Views
(@digitalexodus)
Posts: 10
Active Member
Topic starter
 

http://www.securityfocus.com/news/11374

Hey, I want to know you guys' opinion on the idea of this new and critical threat that's going to start hitting people. After reading that the virus will delete files, I'm unsure as to what state it's leaving these "deleted" files in. Are they recoverable by forensics tools? If so, can forensics tools be the rescue medium for this new threat?

 
Posted : 03/02/2006 9:56 am
(@jsawyer)
Posts: 35
Eminent Member
 

I have included part of the description from F-Secure and a link below for more information. According to them, the contents of the file are overwritten with "DATA Error [47 0F 94 93 F4 K5]". It isn't clear if the entire file is overwritten or just the first part of it. Either way, the data (all or part) is hosed. If I can get a copy of the virus, I will infect a virtual machine later and tell you for sure.

http://www.f-secure.com/v-descs/nyxem_e.shtml

The worm has a dangerous payload. If the date is equal to 3 (3rd of February, 3rd of March, etc.) and the worm's UPDATE.EXE file is run, it destroys files with these extensions on all available drives:

*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp

The files' contents get replaced with a text string "DATA Error [47 0F 94 93 F4 K5]"

 
Posted : 03/02/2006 11:50 pm
(@jsawyer)
Posts: 35
Eminent Member
 

Check out these posts from F-Secure. I am linking the image in so you can see that it looks like the file itself isn't overwritten, but the contents of the file are overwritten, so those fat 50MB PowerPoint files would now be a couple KB. Overall, it looks like more hype than actual threat, just like the WMF flaw.

Damage Figures in India

Nyxem Nothing Happened?


 
Posted : 07/02/2006 11:07 pm
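As an added triage example (not from this thread, F-Secure or Securiteam), the following Python scanner walks a directory tree, opens only files with the extensions listed in the F-Secure description, and flags those whose leading bytes are the quoted overwrite marker, reporting the on-disk size so the "50MB file is now a couple KB" effect from the post above is visible. The sample files it creates are constructed for the demonstration and are not worm output.

```python
import os
from pathlib import Path

# Marker string the F-Secure description says replaces victim file contents.
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"

# Extensions from the F-Secure description quoted in the thread.
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}


def is_nyxem_damaged(path):
    """Return True if the file begins with the worm's overwrite marker."""
    try:
        with open(path, "rb") as fh:
            head = fh.read(len(NYXEM_MARKER))
    except OSError:
        return False
    return head == NYXEM_MARKER


def scan_tree(root):
    """Return sorted (path, size) pairs for targeted files that carry the marker.

    Only files with a targeted extension are opened, and only the first
    bytes are read, so the pass stays cheap even over a large file share.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if Path(name).suffix.lower() not in TARGET_EXTENSIONS:
                continue
            full = os.path.join(dirpath, name)
            if is_nyxem_damaged(full):
                hits.append((full, os.path.getsize(full)))
    return sorted(hits)


def build_sample_tree(root):
    """Write constructed sample files (hypothetical, not real worm output)."""
    root = Path(root)
    (root / "sub").mkdir(parents=True, exist_ok=True)
    (root / "report.doc").write_bytes(NYXEM_MARKER)                 # damaged
    (root / "sub" / "slides.ppt").write_bytes(NYXEM_MARKER)         # damaged
    (root / "budget.xls").write_bytes(b"\xd0\xcf\x11\xe0" + b"\0" * 96)  # intact
    (root / "notes.txt").write_bytes(NYXEM_MARKER)                  # not targeted


def demo():
    """Build the sample tree in a temp dir and return (basename, size) hits."""
    import tempfile
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return [(os.path.basename(p), size) for p, size in scan_tree(tmp)]


if __name__ == "__main__":
    for name, size in demo():
        print(f"damaged: {name} ({size} bytes)")
```

A hit only confirms the marker at the start of the file; whether any of the original data survives elsewhere on disk is a separate question that the scan does not answer.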
(@jsawyer)
Posts: 35
Eminent Member
 

I really like this blog entry over at Securiteam about recovering files lost to this worm. It also includes a link to SANS' recommendations.

 
Posted : 07/02/2006 11:49 pm