Outbreak Name: Nyxem-D*

Outbreak Date: 1-16-06

Dangerous Virus Destroys Important Documents

Outbreak Filters Protects Users 16 Hours and 18 Minutes Before Traditional AV Solutions

Background

IronPort's Virus Outbreak Filters protects customers within the critical period between the first exploit of a virus outbreak and the release of an AV signature. During the recent Nyxem variant outbreak, Outbreak Filters protected customers an average of 16 hours and 18 minutes before traditional AV vendors** provided protection. And Outbreak Filters users were protected 1 hour and 27 minutes before the first traditional AV vendor responded to the outbreak.**

This additional protection from Outbreak Filters resulted in a savings to IronPort customers of approximately $675,000.***

Potential Damage from Outbreak

Nyxem-D is a worm that spreads by enticing users to open seemingly pornographic attachments. Alarmingly, many of the attachment types used by Nyxem are obscure MIME-encoded files which are not typically blocked by attachment filters. Once opened, the virus disables security software and replicates further through network shares and email harvesting. Nyxem-D is unique because of the extremely dangerous payload it carries: on the third day of every month the virus initiates a process that destroys certain file types and replaces the contents with the string "DATA Error [47 0F 94 93 F4 K5]". The targeted file types include: doc, xls, ppt, pdf, zip, pps, and dmp. The first execution of this code is set for February 3, 2006.
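For damage assessment after the payload date, the following added example (not IronPort's code, and not part of the original report) walks a directory tree and lists files of the targeted types whose entire content is the replacement string quoted above. It assumes the overwritten file holds only that string in ASCII, possibly padded with whitespace or NUL bytes; the function names and sample files are constructed for illustration.

```python
import tempfile
from pathlib import Path

# Marker string and targeted extensions exactly as given in the text above.
MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
TARGET_EXTS = {".doc", ".xls", ".ppt", ".pdf", ".zip", ".pps", ".dmp"}
# Assumption: allow a little padding (newline/NUL) around the marker.
MAX_SIZE = len(MARKER) + 64


def is_overwritten(path):
    """True if the file's whole content is the marker, padding ignored."""
    if path.stat().st_size > MAX_SIZE:   # real documents are larger: skip unread
        return False
    return path.read_bytes().strip(b" \t\r\n\x00") == MARKER


def scan(root):
    """Relative paths of targeted file types that contain only the marker."""
    hits = []
    for path in Path(root).rglob("*"):
        try:
            if (path.is_file() and path.suffix.lower() in TARGET_EXTS
                    and is_overwritten(path)):
                hits.append(path.relative_to(root).as_posix())
        except OSError:
            continue  # unreadable or vanished file: keep scanning
    return sorted(hits)


def build_sample_tree(root):
    """Constructed sample data: two destroyed files, three that must not match."""
    samples = {
        "report.doc": MARKER,                      # destroyed
        "share/Budget.XLS": MARKER + b"\r\n",      # destroyed, upper-case extension
        "intact.pdf": b"%PDF-1.4\n" + b"x" * 200,  # healthy document
        "notes.txt": MARKER,                       # extension not targeted
        "quoted.doc": b"log: " + MARKER,           # marker only as a substring
    }
    for rel, content in samples.items():
        target = Path(root, rel)
        target.parent.mkdir(parents=True, exist_ok=True)
        target.write_bytes(content)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        print(scan(tmp))
```

Run against a file share or a restored backup, the resulting list identifies which documents need to be recovered from an earlier copy.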

Timeline

* As named by Sophos.
** Calculated as publicly published signatures from the following vendors: Sophos, Trend Micro, Computer Associates, Kaspersky Labs, Symantec and McAfee. If signature time is not available, first publicly published alert time is used.
*** Assumes 10% of viral emails quarantined by Outbreak Filters would have been opened and $200 per desktop clean-up cost.