
UNIVERSITY OF SCIENCE AND TECHNOLOGY OF SOUTHERN PHILIPPINES

Claro M. Recto Avenue, Lapasan, Cagayan de Oro City, Philippines

A Case Study on Email Virus – “Nyxem”

A Performance Innovative Task Submitted as


Partial Fulfillment of the Requirements for the
Subject CPE314 – Data and Digital Communication

Submitted to:

Engr. Rodesita Estenzo


Instructor

Submitted by:

Balindres, Eric Jeffrey II, C.


Bachelor of Science in Computer Engineering – BSCPE3A

May 15, 2021


I. Introduction
When one problem is solved, another follows. That philosophy of life also describes how the cyber world deals with its problems: research and studies multiply as people look into the various problems in order to solve them, and, like cockroaches, something in the cyber world reproduces quickly and even spawns new variants. They are called computer viruses. Viruses can be found anywhere in cyberspace; this paper focuses on the ones carried by email, the email viruses.
Email viruses are among the most dangerous types of malware. They wait for a recipient to open the email, or the attachment, they are carried in, and attack once that happens. They can damage or delete files, so the essay you are writing in Microsoft Word, and even your email inbox, could be at risk. One alarming email virus is the one commonly called Nyxem.
What happens when a computer is infected with Nyxem? The spread of such viruses remains difficult to track because of the way they propagate. Nyxem is distributed through email; when the attachment is opened, the virus installs itself, spreads to network shares mounted on the infected computer, attempts to disable the installed anti-virus software, and harvests email addresses from the local disk to send itself to. It also carries a scheduled destructive payload: on the third day of every month it searches the available drives for common file types, most of them documents (.doc, .xls, .mdb, .mde, .ppt, .pps, .zip, .rar, .pdf, .psd and .dmp), and overwrites them.
This paper presents an analysis of the Nyxem email virus and a realistic picture of how it affects infected computers. It also demonstrates the countermeasures: manual removal of the virus and how infection can be prevented.
II. Background of the Case: The Infected
The Nyxem email virus was discovered in January 2006, and the first run of its document-destruction routine happened on the 3rd of February 2006. Infection depended on the host: opening the attachment meant infecting the computer. The virus goes by many names: Blackworm, Grew.a, Grew.b, Blackmal.e, Nyxem.e, Nyxem.d, Mywife.d and the Kama Sutra virus.
The spreading mechanism is easy to understand but hard to observe. When the virus looks for addresses to spread to, it harvests legitimate email addresses found in files on the computer and mails itself to them, so that the next computers become the new breeding ground. Each Nyxem-infected computer also makes a single HTTP request to a web statistics counter page. HTTP requests can be tracked, and the virus author took advantage of this to check the progress of the spread; the same counter is what allowed Moore and Shannon, in their study published on CAIDA.org, to measure the infection.
Nyxem is very destructive and is programmed to overwrite the targeted files on the third of every month. The target file types are:
• DMP - Oracle files
• DOC - Word document
• MDB - Microsoft Access
• MDE - Microsoft Access/Office
• PDF - Adobe Acrobat
• PPS - PowerPoint slideshow
• PPT - PowerPoint
• PSD - Photoshop
• RAR - Compressed archive
• XLS - Excel spreadsheet
• ZIP - Compressed file

In trying to trace where the virus was concentrated, security researchers had a good vantage point: through the counter webpage associated with the virus, they were able to identify the locations of more than 300,000 infected computers, which formed the basis of their statistics. The early analysis identified India, Peru and Italy as the most heavily infected countries, as shown in Figure 2.1.
Figure 2.1 Nyxem victim geographic distribution by country
A BBC News report of 3 February 2006 gives further detail on the spread. The outbreak was alarming enough that the city government of Milan shut down its entire computer system to avoid further infections and to clean up the infected machines. India's Computer Emergency Response Team reported that most of the calls it received concerned the Nyxem virus, though with no data loss; security workers in Australia, Hong Kong and Japan said the same.
Despite the claims of "no data loss", caution led corporations to disinfect their computers before the trigger date (the 3rd of every month), since they could observe the non-stop propagation of the virus through email and through the HTTP requests to the webpage associated with it. Network Box, a managed security services company, used the early statistics to produce an understandable picture of where the virus was concentrated, as shown in Figure 2.2.

Figure 2.2 Top Nyxem Nations Statistics by Network Box, courtesy of BBC News
II. Background of the Case: The Mechanism of Nyxem
Although many security companies deemed the virus "not serious", it still found its victims, because the email attachments it sends are dressed up to look appealing; a recipient who opens the attachment runs the worm, which then sends the same lure on to others.
Nyxem has multiple variants. To explore in more detail what it does, presented here is an analysis by Sophos Group, a British security software and hardware company, of the Nyxem-D variant, which is classified as a worm because it replicates itself by mail. Figure 2.3 shows what the email looks like (in plain text). Uncensored inappropriate words may be observed.

Figure 2.3 Nyxem-D Email Body, Report Snippet from Sophos regarding Nyxem-D
When the attachment is run, the worm installs itself into the system and runs as a system process. The Nyxem-D variant may place an icon in the Windows taskbar with the text "Update Please Wait" if it detects anti-virus protection. It attempts to terminate windows and programs, and edits the registry to remove security-related entries and anti-virus programs. It then harvests email addresses from files on the infected computer (.dbx, .eml, .htm, .imh, .mbx, .msf, .msg, .nws, .oft, .txt and .vc files) and sends itself to those addresses, using subject lines such as those shown in Figure 2.4. Uncensored inappropriate words may be observed.
Figure 2.4 Nyxem-D Subject Lines, Report Snippet from Sophos regarding Nyxem-D
Besides replicating like a worm, the virus also establishes itself in the registry, where it registers itself with the values shown in Figure 2.5.

Figure 2.5 Nyxem.e Registry Values, Report Snippet from Kaspersky via viruslist.com

It also deletes security-related files and corrupts many common document files. The Nyxem.e variant has been reported to corrupt document files (such as .doc, .xls, .ppt and .zip files) by overwriting their contents with the text "DATA Error [47 0F 94 93 F4 F5]", which leaves the files corrupted and unrecoverable. Because the contents are overwritten rather than the file merely being deleted, simple undelete tools cannot bring the documents back; restoring from a backup is the only reliable recovery. This corruption runs on schedule on the 3rd of every month. The worm also copies itself into the Windows directories under the names listed in Figure 2.6.
Figure 2.6 Nyxem.e Filenames, Report Snippet from Kaspersky via viruslist.com
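The marker string above is a concrete indicator that a responder can search for after the 3rd-of-the-month trigger has fired. The following script is added here as an example; it is not part of the original case study and not a vendor tool. It walks a directory tree and flags files of the targeted types whose entire content is the marker. It assumes the overwrite leaves exactly that string and nothing else, which is what the Kaspersky description implies, and the sample files it creates are constructed for the demonstration.

```python
"""Triage files damaged by Nyxem.e's monthly overwrite routine (added example)."""
import tempfile
from pathlib import Path

# Extensions the worm overwrites on the 3rd of each month (list from the paper).
TARGET_EXTENSIONS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
                     ".zip", ".rar", ".pdf", ".psd", ".dmp"}

# Text the worm writes over each targeted file; the file shrinks to this string.
NYXEM_MARKER = b"DATA Error [47 0F 94 93 F4 F5]"


def is_nyxem_damaged(path) -> bool:
    """True if the file is a targeted type and its whole content is the marker.

    Only len(marker)+1 bytes are read, so a large healthy file is never loaded
    into memory; the extra byte distinguishes 'starts with' from 'is exactly'.
    """
    path = Path(path)
    if path.suffix.lower() not in TARGET_EXTENSIONS:
        return False
    try:
        with path.open("rb") as fh:
            head = fh.read(len(NYXEM_MARKER) + 1)
    except OSError:
        return False  # unreadable files are reported by the OS, not flagged here
    return head == NYXEM_MARKER


def scan_tree(root) -> list:
    """Return sorted paths (relative to root) of damaged files under root."""
    root = Path(root)
    hits = [p.relative_to(root).as_posix()
            for p in root.rglob("*") if p.is_file() and is_nyxem_damaged(p)]
    return sorted(hits)


def build_sample_tree() -> str:
    """Create a constructed directory with one damaged and several healthy files."""
    root = Path(tempfile.mkdtemp(prefix="nyxem_triage_"))
    (root / "docs").mkdir()
    # Healthy Word document: fake OLE header plus filler, constructed for the demo.
    (root / "docs" / "thesis.doc").write_bytes(b"\xd0\xcf\x11\xe0" + b"A" * 4096)
    # Damaged spreadsheet: overwritten with the marker, as Nyxem.e does.
    (root / "docs" / "budget.XLS").write_bytes(NYXEM_MARKER)
    # Marker followed by more data: not the worm's signature, must not be flagged.
    (root / "docs" / "notes.pdf").write_bytes(NYXEM_MARKER + b"\n more")
    # Marker inside a non-targeted type: must not be flagged either.
    (root / "error.log").write_bytes(NYXEM_MARKER)
    return str(root)


if __name__ == "__main__":
    sample = build_sample_tree()
    for hit in scan_tree(sample):
        print("damaged:", hit)
```

Run it against a user's profile or a mounted share after an incident to get the list of documents that must be restored from backup; extension matching is case-insensitive because NTFS is.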
Moore and Shannon further describe the file-destruction routine that is triggered on the 3rd of every month. The destruction was still observable and affected systems whose owners were not cautious enough to clean their computers. Reports of file loss were not numerous, which the same study explains: "On the other end of the spectrum, losing files can be devastating for home and small-business owners, but the scale of the losses is not considered newsworthy" (Moore and Shannon, 2020).
How the virus spread is a manifestation of a lack of education and responsibility, and of social engineering. This is discussed further in the next section.
III. Evaluation of the Case
To review, the spreading mechanism of the virus is alarming. The virus arrives as an attachment to an email; running the attachment is what infects the computer (the infected machine then makes its single HTTP request to the counter webpage), and from that point the worm harvests email addresses from the infected computer and mails itself to them.
According to an article published by First Practice Management, "A virus cannot be spread without a human action, such as running an infected program to keep it going." This statement captures the first stage of infection: replication and distribution. Computer viruses are capable of multiplying and spreading once a computer is infected. But for a virus spread via email, what actually causes the spread?
Education about online threats, viruses and worms included, is very important. There is a term in cybersecurity for ignorance of such threats: threat ignorance. According to Fitzgibbons (2019), it is a concept security professionals use to describe how vulnerable a computer system is to attack. Threat ignorance results from a lack of understanding of the basic security precautions that are a computer user's responsibility, and it covers attacks such as credential theft, phishing, email spoofing and denial-of-service attacks.
People who are highly vulnerable to online threats are the most likely to become victims of social engineering. Social engineering is a tried-and-true technique for attackers; as the saying goes, "you can fool some of the people all of the time" (Moore and Shannon, 2020). The security company Kaspersky defines social engineering as a manipulation technique that exploits human error to gain private information, access or valuables.
Social engineering and threat ignorance together give a clear view of how the virus spreads. To review, emails carrying Nyxem arrive with appealing content, or content that sparks the recipient's curiosity, so that the recipient interacts with the attachment, unaware of having infected the computer and of distributing the virus further.
IV. Proposed Solution
Many anti-virus companies have published instructions for removing the virus manually. The steps below follow the instructions given by Kaspersky.
Once a user has observed that the computer is infected with the Nyxem virus or one of its variants, the following should be done:
1. Reboot the Windows computer in Safe Mode. On Windows XP and Windows 7, press and hold F8 while the machine is rebooting and choose Safe Mode from the menu that appears (on Windows 8 and later, F8 is disabled by default; use Settings, Update & Security, Recovery, Advanced startup, or hold Shift while clicking Restart). Safe Mode starts only a minimal set of drivers and services, which keeps the worm from interfering with the cleanup.
2. After successfully booting into Safe Mode, open Task Manager.
3. In Task Manager, terminate any processes with the following names:
a. rundll16.exe
b. scanregw.exe
c. update.exe
d. Winzip.exe
e. WINZIP_TMP.EXE
f. New WinZip File.exe
g. WinZip Quick Pick.exe
4. Delete the following files from the Windows root and system directories (%System% denotes the System32 folder under the Windows directory):
a. %Windir%\rundll16.exe
b. %System%\scanregw.exe
c. %System%\Update.exe
d. %System%\Winzip.exe
e. %System%\WINZIP_TMP.EXE
f. %System%\New WinZip File.exe
g. %User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe
5. In the registry, delete this value:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"ScanRegistry" = "scanregw.exe /scan"
6. Reboot the computer, delete the infected emails from all mail folders, and then double-check that the items in steps 3, 4 and 5 are really gone.
7. Re-install any anti-virus software the worm damaged and reconfigure firewall programs that were likely changed by the virus.
8. Finally, perform a full anti-virus scan of the computer.
Note that removing the worm does not restore documents it has already overwritten; those must be restored from backup. Cleanup should be completed before the next 3rd of the month so the destruction routine does not run again.
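Step 6 asks the user to double-check that the items from steps 3, 4 and 5 are gone. The script below is an added example, not Kaspersky's own instructions; it encodes those indicators and reports which are still present. The check logic takes the host inventory (process names, files on disk, Run values) as plain data so it can be exercised anywhere, and collect_windows_inventory() gathers that inventory on a live Windows host with tasklist and the winreg module. Mapping %System% to the System32 folder under the Windows directory and %User Profile% to %USERPROFILE% is this script's assumption about the write-up's notation.

```python
"""Check whether the Nyxem.e removal steps actually took effect (added example)."""
import ntpath
import os
import subprocess
import sys

# Step 3: process names the worm runs under (compared case-insensitively).
IOC_PROCESSES = {"rundll16.exe", "scanregw.exe", "update.exe", "winzip.exe",
                 "winzip_tmp.exe", "new winzip file.exe", "winzip quick pick.exe"}

# Step 4: dropped files, in the write-up's %System% / %Windir% notation.
IOC_FILES = [
    r"%Windir%\rundll16.exe",
    r"%System%\scanregw.exe",
    r"%System%\Update.exe",
    r"%System%\Winzip.exe",
    r"%System%\WINZIP_TMP.EXE",
    r"%System%\New WinZip File.exe",
    r"%User Profile%\Start Menu\Programs\Startup\WinZip Quick Pick.exe",
]

# Step 5: the persistence value under the HKLM Run key.
IOC_RUN_VALUE = ("ScanRegistry", "scanregw.exe /scan")


def expand_ioc_path(path: str, windir: str, userprofile: str) -> str:
    """Translate the AV write-up's placeholders into concrete Windows paths.

    Assumption: %System% is <windir>\\System32 and %User Profile% is %USERPROFILE%.
    ntpath is used so the result keeps Windows separators even on another OS.
    """
    return (path.replace("%System%", ntpath.join(windir, "System32"))
                .replace("%Windir%", windir)
                .replace("%User Profile%", userprofile))


def check_host(processes, existing_files, run_values,
               windir=r"C:\Windows", userprofile=r"C:\Users\victim") -> dict:
    """Compare a host inventory against the IOCs and return what is still present.

    processes      - iterable of running process image names
    existing_files - iterable of absolute paths that exist on disk
    run_values     - dict of value name -> data from the HKLM Run key
    Matching is case-insensitive because NTFS and the process table are.
    """
    procs = {p.lower() for p in processes}
    files = {f.lower() for f in existing_files}
    expected = [expand_ioc_path(p, windir, userprofile) for p in IOC_FILES]
    run = {k.lower(): v.lower() for k, v in run_values.items()}
    name, data = IOC_RUN_VALUE
    return {
        "processes": sorted(procs & IOC_PROCESSES),
        "files": sorted(f for f in expected if f.lower() in files),
        "run_value": run.get(name.lower()) == data.lower(),
    }


def clean(result: dict) -> bool:
    """True when none of the three indicator groups is still present."""
    return not (result["processes"] or result["files"] or result["run_value"])


def collect_windows_inventory():
    """Gather the inventory on a live Windows host (never called elsewhere)."""
    import winreg  # Windows-only standard-library module
    out = subprocess.run(["tasklist", "/fo", "csv", "/nh"],
                         capture_output=True, text=True, check=True).stdout
    processes = [line.split('","')[0].strip('"') for line in out.splitlines() if line]
    windir = os.environ["SystemRoot"]
    userprofile = os.environ["USERPROFILE"]
    candidates = [expand_ioc_path(p, windir, userprofile) for p in IOC_FILES]
    existing = [p for p in candidates if os.path.exists(p)]
    run_values = {}
    key = winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                         r"Software\Microsoft\Windows\CurrentVersion\Run")
    index = 0
    while True:
        try:
            name, data, _ = winreg.EnumValue(key, index)
        except OSError:  # raised once the value index runs past the end
            break
        run_values[name] = str(data)
        index += 1
    return processes, existing, run_values, windir, userprofile


if __name__ == "__main__" and sys.platform == "win32":
    procs, files, run, windir, prof = collect_windows_inventory()
    result = check_host(procs, files, run, windir, prof)
    print("clean" if clean(result) else result)
```

Run it as an administrator after step 6; anything it lists means the corresponding removal step has to be repeated. Because the logic is separated from collection, the same check can be run offline against a forensic image's file list and an exported Run key.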
Even though these viruses may work quietly and act as worms, a user may be able to tell that the computer is infected from unusual activity that affects productivity and normal use: programs closing at random, random errors appearing, unfamiliar applications being installed or appearing on the desktop, even the wallpaper changing. If such unusual activity is intrusive and affects use of the computer, boot into Safe Mode and investigate what is causing the symptoms.
V. Recommendations
An observable sign that an email could carry the Nyxem virus is unsolicited content or an unsolicited attachment. Refrain from opening emails with suspicious subject lines, and even if an email looks clean, refrain from clicking embedded links or opening attachments you did not expect.
Always install and maintain anti-virus software. Anti-virus software adds a layer of protection to the computer, including browser and email scanning; make use of it especially for email. Modern anti-virus software has real-time protection (included in Windows 10's built-in Windows Defender), which alerts the user to malicious programs and attachments at the moment they are run. Always keep real-time protection turned on, as shown in Figure 5.1.

Figure 5.1 Enabling Real Time Protection on Windows Defender

Recent Windows versions have a feature called User Account Control (UAC). UAC is not an anti-virus; it prompts before a program is allowed to run with administrator rights. That matters for a worm like Nyxem, whose dropped files in the Windows system directory and Run value under HKLM both need administrator rights: from a standard user account those writes trigger a prompt, and declining it denies them (the worm can still run, but only with the user's own privileges). You can see User Account Control whenever you run an app that needs elevation; it pops up a prompt like those in Figures 5.2 and 5.3.
Figure 5.2 User Account Control Prompt on Windows 7

Figure 5.3 User Account Control Prompt on Windows 10

Always keep the operating system up to date. Operating systems such as Windows 10 ship many protective features, and those features improve whenever the operating system is updated. Always be cautious about your environment and your online activity, and do not run suspicious executables or open suspicious items.
Attend training related to cybersecurity so that you know the countermeasures when your system is attacked. Such training not only teaches about viruses; it also teaches how to stay protected online. Approach an IT technician or someone knowledgeable when you cannot solve a problem or deal with a cyber attack.
Finally, share what you have learned and experienced to raise awareness of cyber attacks and viruses like Nyxem, so as to avoid spreading them and to keep them from attacking you.
References

• Moore, D., & Shannon, C. (2020, October 30). The Nyxem email virus: Analysis and inferences. CAIDA: Center for Applied Internet Data Analysis. Retrieved May 3, 2021, from https://www.caida.org/research/security/blackworm/
• First Practice Management. (n.d.). Computer viruses. Retrieved May 3, 2021, from https://www.firstpracticemanagement.co.uk/knowledge-base/general-administration/computer-viruses/
• Kaspersky Lab. (n.d.). Email-Worm.Win32.Nyxem.e. Viruslist.com. Retrieved May 5, 2021, from https://web.archive.org/web/20070622162514/http://www.viruslist.com/en/viruses/encyclopedia?virusid=109064
• Fitzgibbons, L. (2019, May 17). What is threat ignorance? WhatIs.com. Retrieved May 3, 2021, from https://whatis.techtarget.com/definition/threat-ignorance
• BBC News. (2006, February 3). Technology | 'Limited' damage from Nyxem virus. Retrieved May 3, 2021, from http://news.bbc.co.uk/2/hi/technology/4677022.stm
• Sophos. (2014, July 16). W32/Nyxem-D. Retrieved May 5, 2021, from https://www.sophos.com/en-us/threat-center/threat-analyses/viruses-and-spyware/W32~Nyxem-D/detailed-analysis.aspx
