Tech Time Warp: Blackworm Offers Rare Chance to Analyze Spread of a Virus
In late January 2006, stopping the worm known as Blackworm (aka Nyxem, MyWife, Blackmal and, interestingly, Kama Sutra) was at the top of most network administrators’ to-do lists.
In general, Blackwork was a fairly typical piece of malware: It primarily spread via email, relying on social engineering to trick unwitting recipients into opening a malicious and purportedly pornographic attachment. Said attachment then unleashed its payload—disabling antivirus software and then, on the third day of the month, finding files with 12 routine file extensions (.doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd, and .dmp). The files were then replaced with a text string (“DATA Error [47 0F 94 93 F4 K5]”).
Despite its typical manifestation, Blackworm presenting two interesting twists. One, its presence was publicized early by antivirus companies, allowing network admins to take preventive action early. (Security consultants said such early notice had not occurred since the Michelangelo virus in 1992.) Two, each infected computer generated only a single request for a webpage. According to this analysis from the Center for Applied Internet Data Analysis (CAIDA), this meant Blackworm presented a rare opportunity to study the spread of a virus. Researchers were able to ascertain that between 469,507 and 946,835 computers were infected and that at least 45,401 of those were also affected by another form of malware. Blackworm disproportionately infected computers in the Middle East and South America. The webpage reached by the virus featured a web counter, though the counter featured an inflated number of hits once its existence was reported by the media.
Overall, Blackworm didn’t cause too much mayhem on Feb. 3, 2006, but its history is another reminder to install security updates and patches.
Photo: solarseven / Shutterstock