We upgraded Nyxem.E to Radar level 2 due to the increased number of reports.
The worm's destructive payload activates on every third day of the month by replacing the content of user's files with a text string "DATA Error [47 0F 94 93 F4 K5]". Among these files are: DOC, XLS, MDB, MDE, PPT, PPS, ZIP, RAR, PDF, PSD and DMP.
The worm also has an interesting feature: it increases a counter on a website every time a new machine gets infected. When we first saw the counter (earlier today) it was below 300,000 . Now it's already over 417,000 and growing. The counter didn't necessarily start from zero.
The worm also has an interesting feature: it increases a counter on a website every time a new machine gets infected. When we first saw the counter (earlier today) it was below 300,000 . Now it's already over 417,000 and growing. The counter didn't necessarily start from zero.