1. Symantec/
  2. Security Response/
  3. W32.Blackmal.E@mm


Risk Level 2: Low

January 17, 2006
February 13, 2007 12:50:39 PM
Also Known As:
CME-24, Win32.Blackmal.F [Computer Ass, Email-Worm.Win32.Nyxem.e [F-Se, Email-Worm.Win32.Nyxem.e [Kasp, W32/MyWife.d@MM [McAfee], W32/MyWife.d@MM!M24 [McAfee], Win32/Mywife.E@mm [Microsoft], W32/Small.KI@mm [Norman], Tearec.A [Panda Software], W32/Nyxem-D [Sophos], WORM_GREW.{A, B} [Trend Micro]
Systems Affected:

W32.Blackmal.E@mm is a mass-mailing worm that attempts to spread through network shares and lower security settings. On the third day of every month it attempts to rewrite files with certain extensions with custom text.

High level detection - Here are some symptoms that may help determine the presence of W32.Blackmal.E@mm.
  1. Uses its own SMTP engine to send an email with a copy of itself as an attachment.

    Look for non-mail server machines sending port 25 traffic

  2. Enumerates the computers in the same domain as the host computer by using WNetOpenEnum. The worm then executes the command "net use \\[COMPUTER NAME] /user:administrator """ to connect to that computer. However, if the user on the compromised computer is already connected to some other network computer, the worm will be able to use that connection.

    Look for locked user accounts due to brute password attacks

  3. Attempts to access the following URL: [http://]webstats.web.rcn.net/[REMOVED]/Count.cgi?df=765247

    Look for any computer that accessed this website. Isolate and use the repair tool or scan with updated defs

Antivirus Protection Dates

  • Initial Rapid Release version January 17, 2006
  • Latest Rapid Release version January 15, 2018 revision 004
  • Initial Daily Certified version January 17, 2006
  • Latest Daily Certified version January 4, 2018 revision 001
  • Initial Weekly Certified release date January 17, 2006
Click here for a more detailed description of Rapid Release and Daily Certified virus definitions.
Writeup By: Rodney Andres

Search Threats

Search by name
Example: W32.Beagle.AG@mm
STAR Antimalware Protection Technologies
2016 Internet Security Threat Report, Volume 21
  • Twitter
  • Facebook
  • LinkedIn
  • Google+
  • YouTube