There is a new virus/malware making its rounds recently. It's called Mywife.E@MM and is also known as Nyxem, Blackmal or the Kama Sutra worm. It arrives as an e-mail attachment, most likely a zip file; if the recipient opens the file, the malware sends itself to all the contacts in the system's address book. It can also spread through network shares that have blank administrator passwords.
This worm is programmed to destroy documents on the 3rd of every month. It may modify or delete files and registry keys associated with certain security-related applications, which prevents those applications from running when Windows starts. The worm also adds data to the registry so that it runs each time Windows starts. It can destroy all files with the following extensions by overwriting them:
*.doc, *.xls, *.mdb, *.mde, *.ppt, *.pps, *.zip, *.rar, *.pdf, *.psd, *.dmp
Removal instructions:
Manual Recovery
To manually recover from infection by Win32/Mywife.E@mm, perform the following steps:
First, reboot your computer. This will force the worm into a known configuration where it can be stopped.
Using task manager, look for any of the following process names and kill them if present:
Update.exe
Winzip.exe
scanregw.exe
WINZIP_TMP.exe
"Winzip Quick Pick.exe"
Delete the following files if present on your system:
C:\WINZIP_TMP.exe
%windir%\WINZIP_TMP.exe
%windir%\system32\Winzip.exe
%windir%\system32\Update.exe
%windir%\system32\scanregw.exe
"C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe"
Note that the files under %windir%\system32 will be marked read-only and hidden. To delete these from the command prompt, use (for example):
del /f /a:h %windir%\system32\Winzip.exe
Using regedit, delete the following registry value:
'ScanRegistry' under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run (Contents will look like: scanregw.exe /scan)
Reboot your computer, and using Task Manager, verify that none of the processes mentioned above are running.
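The manual steps above can be turned into a repeatable check. The following PowerShell script is an added example written for this post, not something the original author or Microsoft published: it looks for the process names, file paths and Run value listed above, reports what it finds, and only acts when run with a -Remediate switch. The file list, process list and registry value are taken verbatim from the instructions; the -Remediate switch, the output format and the check that the Run value's contents match the "scanregw.exe /scan" form described above are my additions.

```powershell
# Added example (not from the original post): audit and, on request, remediate the
# Mywife.E@mm indicators listed in the manual removal instructions.
# Run from an elevated PowerShell prompt. Without -Remediate it only reports.
param(
    [switch]$Remediate
)

# Process names exactly as Task Manager shows them. Get-Process uses the base
# name, so the .exe extension is stripped before lookup.
$processNames = @(
    'Update.exe',
    'Winzip.exe',
    'scanregw.exe',
    'WINZIP_TMP.exe',
    'Winzip Quick Pick.exe'
)

# Dropped files named in the instructions. %windir% becomes $env:windir.
$filePaths = @(
    'C:\WINZIP_TMP.exe',
    "$env:windir\WINZIP_TMP.exe",
    "$env:windir\system32\Winzip.exe",
    "$env:windir\system32\Update.exe",
    "$env:windir\system32\scanregw.exe",
    'C:\Documents and Settings\All Users\Start Menu\Programs\Winzip Quick Pick.exe'
)

# Persistence: the 'ScanRegistry' value under the machine Run key.
$runKey   = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
$runValue = 'ScanRegistry'

$findings = @()

# 1. Running processes
foreach ($name in $processNames) {
    $base  = [System.IO.Path]::GetFileNameWithoutExtension($name)
    $procs = Get-Process -Name $base -ErrorAction SilentlyContinue
    foreach ($p in $procs) {
        $findings += "process: $($p.ProcessName) (PID $($p.Id))"
        if ($Remediate) { Stop-Process -Id $p.Id -Force -ErrorAction SilentlyContinue }
    }
}

# 2. Files. -Force is required so hidden/read-only items under system32 are
#    both listed and deleted (equivalent of: del /f /a:h <path>).
foreach ($path in $filePaths) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) {
        $findings += "file: $path (attributes: $($item.Attributes))"
        if ($Remediate) { Remove-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue }
    }
}

# 3. Run key value. Report whatever is present, but only delete it when the
#    contents match the form the instructions describe ("scanregw.exe /scan"),
#    so an unrelated value of the same name is left for a human to judge.
$runEntry = Get-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
if ($runEntry) {
    $contents = [string]$runEntry.$runValue
    $matchesWorm = $contents -match 'scanregw\.exe\s+/scan'
    $findings += "registry: $runKey\$runValue = '$contents' (matches worm form: $matchesWorm)"
    if ($Remediate -and $matchesWorm) {
        Remove-ItemProperty -Path $runKey -Name $runValue -ErrorAction SilentlyContinue
    }
}

# Summary
if ($findings.Count -eq 0) {
    Write-Output 'No Mywife.E@mm indicators found.'
} else {
    if ($Remediate) {
        Write-Output 'Indicators found and removed where they matched:'
    } else {
        Write-Output 'Indicators found (report only; rerun with -Remediate to act):'
    }
    $findings | ForEach-Object { Write-Output "  $_" }
}
```

Run it once without -Remediate after the first reboot to see what is present, then with -Remediate, then reboot and run it a third time: a clean report on the final pass is the same verification the last manual step asks for, with the file attributes and Run value contents recorded for your notes.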