
Nyxem aka Blackmal Worm

Discovered on January 17, 2006, the Nyxem (also known as Blackmal) worm carries a destructive payload that executes on the 3rd of each month, overwriting files with specific extensions and replacing the data in those files with the following text:

DATA Error [47 0F 94 93 F4 F5]

The targeted extensions are:
  • DMP
  • DOC
  • MDB
  • MDE
  • PDF
  • PPS
  • PPT
  • PSD
  • RAR
  • XLS
  • ZIP
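Because the payload overwrites the file body rather than deleting the file, damaged documents keep their names and extensions and are easy to miss until someone opens them. The following scanner is an added example for triage, not code from the article or from any antivirus vendor: it walks a directory, looks only at the extensions listed above, and flags files whose content begins with the "DATA Error" marker text. The assumption that the marker sits at the start of an overwritten file is mine; the sample files the demo creates are constructed, not real artefacts.

```python
"""Find files overwritten by the Nyxem/Blackmal payload (added example)."""
import os
import tempfile
from pathlib import Path

# Marker text the payload writes into targeted files (quoted from the article).
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 F5]"

# Extensions the payload targets (from the article), lower-cased for comparison.
TARGETED_EXTENSIONS = {
    ".dmp", ".doc", ".mdb", ".mde", ".pdf", ".pps",
    ".ppt", ".psd", ".rar", ".xls", ".zip",
}


def is_targeted(path):
    """True if the file name carries one of the targeted extensions (case-insensitive)."""
    return Path(path).suffix.lower() in TARGETED_EXTENSIONS


def looks_overwritten(data):
    """True if the content starts with the marker text.

    Assumption (not stated on the page): an overwritten file begins with the
    marker. Leading whitespace is tolerated. Intact files of these types start
    with their own signatures (e.g. %PDF, PK for ZIP), so they do not match.
    """
    return data.lstrip().startswith(NYXEM_MARKER)


def scan_tree(root):
    """Walk root and return the sorted paths of targeted files that look overwritten."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            if not is_targeted(path):
                continue
            try:
                # Only the first few bytes are needed to test for the marker.
                with open(path, "rb") as fh:
                    head = fh.read(len(NYXEM_MARKER) + 64)
            except OSError:
                continue  # unreadable file: skip rather than abort the scan
            if looks_overwritten(head):
                hits.append(path)
    return sorted(hits)


def demo_scan():
    """Build a constructed sample tree, scan it, return the flagged base names."""
    with tempfile.TemporaryDirectory() as tmp:
        samples = {
            "thesis.doc": NYXEM_MARKER,            # targeted and overwritten
            "budget.xls": NYXEM_MARKER + b"\r\n",  # targeted and overwritten
            "intact.pdf": b"%PDF-1.4 intact content",  # targeted, untouched
            "archive.ZIP": b"PK\x03\x04 intact zip",   # targeted, untouched
            "readme.txt": NYXEM_MARKER,            # not a targeted extension
        }
        for name, content in samples.items():
            with open(os.path.join(tmp, name), "wb") as fh:
                fh.write(content)
        return [os.path.basename(p) for p in scan_tree(tmp)]


if __name__ == "__main__":
    for name in demo_scan():
        print("overwritten:", name)
```

Run it against a user's document folders to produce a list of files that need restoring from backup; an empty result on a machine that had the worm only means no targeted file matched the marker, not that the system is clean.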

The Nyxem worm has several aliases (in fact, no two antivirus vendors seem to agree on a name for this threat).

Aliases include: W32/Nyxem-D (Sophos), WORM_GREW.A (Trend Micro), Email-Worm.Win32.VB.bi (Kaspersky), W32/MyWife.d@MM (McAfee), Nyxem.E (F-Secure), W32/Small.KI@mm (Norman), Win32/Blackmal.F (Computer Associates), VB.NEI (Eset), W32.Blackmal.E@mm (Symantec), and Tearec.A (Panda). In addition, the media and some fringe security groups have nicknamed the worm "Kama Sutra" and/or the "Blackworm".

The Nyxem worm is a mass-mailing email worm that uses a variety of subject lines, some of which are quite provocative. Subject lines include:
  • The Best Videoclip Ever
  • School girl fantasies gone bad
  • A Great Video
  • Fuckin Kama Sutra pics
  • Arab sex DSC-00465.jpg
  • give me a kiss
  • *Hot Movie*
  • Fw: Funny :)
  • Fwd: Photo
  • Fwd: image.jpg
  • Fw: Sexy
  • Re:
  • Fw:
  • Fw: Picturs
  • Fw: DSC-00465.jpg
  • Word file
  • eBook.pdf
  • the file
  • Part 1 of 6 Video clipe
  • You Must View This Videoclip!
  • Miss Lebanon 2006
  • Re: Sex Video
  • My photos

The nature of some of these subject lines is what led to the nickname "Kama Sutra worm". The message body may be equally suggestive.

Examples of the Nyxem worm's message body include:
  • Note: forwarded message attached. You Must View This Videoclip!
  • >> forwarded message
  • Re: Sex Video i just any one see my photos.
  • It's Free :)
  • The Best Videoclip Ever
  • Hot XXX Yahoo Groups
  • Fuckin Kama Sutra pics
  • ready to be FUCKED ;)
  • forwarded message attached.
  • VIDEOS! FREE! (US$ 0,00)
  • What?
  • i send the file.
  • Helloi attached the details.
  • Thank you
  • the file i send the details
  • hello,
  • Please see the file.
  • how are you?
  • i send the details.

As with most other worms, Nyxem attempts to disable antivirus and security software found running on infected systems. It does so by deleting registry keys and files associated with several popular antivirus and security products, and by forcibly closing any application window whose title contains the strings Symantec, Scan, Kaspersky, Virus, McAfee, Trend Micro, Norton, Removal, or Fix.

An excellent defense against such tactics is to keep an antivirus CD on hand, which can be used to scan the system in safe mode. See How to Make an Antivirus CD for details.
