W32.Blackmal.E@mm

Risk Level 2: Low


Discovered: January 17, 2006
Updated: February 13, 2007 12:50:39 PM
Also Known As: CME-24, Win32.Blackmal.F [Computer Associates], Email-Worm.Win32.Nyxem.e [F-Secure], Email-Worm.Win32.Nyxem.e [Kaspersky], W32/MyWife.d@MM [McAfee], W32/MyWife.d@MM!M24 [McAfee], Win32/Mywife.E@mm [Microsoft], W32/Small.KI@mm [Norman], Tearec.A [Panda Software], W32/Nyxem-D [Sophos], WORM_GREW.{A, B} [Trend Micro]
Type: Worm
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP


W32.Blackmal.E@mm is a mass-mailing worm that also attempts to spread through network shares and lowers security settings on the compromised computer. On the third day of every month it attempts to overwrite files that have certain extensions, replacing their contents with custom text.



High-level detection: the following symptoms may help determine whether W32.Blackmal.E@mm is present.
  1. Uses its own SMTP engine to send an email with a copy of itself as an attachment.

    Look for machines that are not mail servers originating outbound TCP port 25 (SMTP) traffic.

  2. Enumerates the computers in the same domain as the host computer by using WNetOpenEnum. The worm then executes the command "net use \\[COMPUTER NAME] /user:administrator """ (that is, the Administrator account with a blank password) to connect to each computer. If the user on the compromised computer already has a connection to another network computer, the worm can reuse that existing connection instead.

    Look for accounts, particularly the built-in Administrator account, that are locked out by repeated failed logon attempts.

  3. Attempts to access the following URL: [http://]webstats.web.rcn.net/[REMOVED]/Count.cgi?df=765247

    Look for any computer that accessed this URL. Isolate it, then run the removal tool or scan it with updated definitions.
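As an added example that is not part of this writeup, the following Python script checks the three indicators above against constructed sample log lines: hosts outside a mail-server allow-list sending to TCP port 25, source hosts with repeated failed logons to one account, and hosts that requested the worm's web counter URL. The log layouts, the mail-server allow-list, the lockout threshold and the placeholder path "REDACTED" in the sample URL (the writeup shows the real path only as [REMOVED], so the matcher ignores the path and keys on the host, Count.cgi and df=765247) are all assumptions.

```python
import re
from collections import Counter

# Constructed sample firewall/proxy records (not real data). Assumed layout:
#   timestamp src_ip dst_ip dst_port [url]
NET_LOG = """\
2006-01-18T09:01:02 10.0.1.15 198.51.100.25 25
2006-01-18T09:01:05 10.0.1.15 198.51.100.30 25
2006-01-18T09:01:06 10.0.0.5 198.51.100.25 25
2006-01-18T09:02:11 10.0.1.15 203.0.113.7 80 http://webstats.web.rcn.net/REDACTED/Count.cgi?df=765247
2006-01-18T09:03:40 10.0.2.9 203.0.113.8 80 http://www.example.com/index.html
"""

# Constructed sample authentication records (not real data). Assumed layout:
#   timestamp result account source_host
AUTH_LOG = """\
2006-01-18T09:05:01 FAIL administrator WKS-015
2006-01-18T09:05:02 FAIL administrator WKS-015
2006-01-18T09:05:02 FAIL administrator WKS-015
2006-01-18T09:05:03 FAIL administrator WKS-015
2006-01-18T09:10:00 FAIL jsmith WKS-022
2006-01-18T09:10:30 OK jsmith WKS-022
"""

# Assumed allow-list: the only hosts that are permitted to originate SMTP.
MAIL_SERVERS = {"10.0.0.5"}

# Host, script name and query string come from the writeup; the path is
# unknown ([REMOVED]), so any path is accepted between the host and Count.cgi.
COUNTER_RE = re.compile(
    r"^https?://webstats\.web\.rcn\.net/\S*Count\.cgi\?(?:\S*&)?df=765247(?:&|$)",
    re.IGNORECASE,
)


def smtp_senders(log, mail_servers):
    """Indicator 1: hosts other than known mail servers that sent to TCP port 25."""
    hits = set()
    for line in log.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # malformed record, skip rather than crash the triage
        src, dst_port = fields[1], fields[3]
        if dst_port == "25" and src not in mail_servers:
            hits.add(src)
    return hits


def lockout_candidates(log, threshold=3):
    """Indicator 2: source hosts with at least `threshold` failed logons to one account.

    Returns {"<source_host>:<account>": failure_count}.
    """
    fails = Counter()
    for line in log.splitlines():
        fields = line.split()
        if len(fields) == 4 and fields[1] == "FAIL":
            _, _, account, host = fields
            fails[(host, account)] += 1
    return {f"{host}:{account}": n for (host, account), n in fails.items() if n >= threshold}


def counter_url_hosts(log):
    """Indicator 3: hosts that requested the worm's web counter URL."""
    hits = set()
    for line in log.splitlines():
        fields = line.split()
        if len(fields) >= 5 and COUNTER_RE.match(fields[4]):
            hits.add(fields[1])
    return hits


def triage(net_log, auth_log, mail_servers=MAIL_SERVERS):
    """Combine the three checks; each key lists hosts or host:account pairs to isolate."""
    return {
        "unexpected_smtp": sorted(smtp_senders(net_log, mail_servers)),
        "lockouts": lockout_candidates(auth_log),
        "counter_url": sorted(counter_url_hosts(net_log)),
    }


if __name__ == "__main__":
    for name, result in triage(NET_LOG, AUTH_LOG).items():
        print(f"{name}: {result}")
```

In the constructed sample the same workstation (10.0.1.15) trips both the SMTP check and the counter-URL check, which is the overlap a practitioner would expect from a single infected host; the lockout check is keyed on source host and account so that a single mistyped password elsewhere does not produce a false positive.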


Protection

  • Initial Rapid Release version January 17, 2006
  • Latest Rapid Release version February 16, 2010 revision 100
  • Initial Daily Certified version January 17, 2006
  • Latest Daily Certified version February 16, 2010 revision 102
  • Initial Weekly Certified release date January 17, 2006


Threat Assessment

Wild

  • Wild Level: Low
  • Number of Infections: More than 1000
  • Number of Sites: More than 10
  • Geographical Distribution: Low
  • Threat Containment: Easy
  • Removal: Moderate

Damage

  • Damage Level: Medium

Distribution

  • Distribution Level: High

Writeup By: Rodney Andres