Nyxem is a worm, written in Visual Basic, that spread in February 2003 and carries a very destructive payload. Most attention focuses on the E variant.

When the worm is first run, it drops a .zip file in the system directory and opens it so that an error message is displayed to distract the user. It also copies itself to the system directory under the following names:

  • New WinZip File.exe
  • scanregw.exe
  • Update.exe
  • Winzip.exe
  • WINZIP_TMP.exe

In the Startup folder it copies itself as WinZip Quick Pick.exe.

In the Windows folder it installs itself as rundll16.exe.

It adds a startup entry under HKEY_LOCAL_MACHINE so that it is run each time Windows starts.

To spread through e-mail, the worm searches files with the following extensions for addresses:

  • dbx
  • eml
  • htm
  • imh
  • mbx
  • msf
  • msg
  • nws
  • oft
  • txt
  • vc

It mass-mails itself by connecting to the host's SMTP server.

It also spreads through open network shares by copying itself there as Winzip_TMP.exe.

The worm also makes an attempt to kill antivirus software.

It uses the internet to download updates for itself, which gives it a backdoor component.

While performing these actions, the worm disables mouse and keyboard input.

Half an hour after an infected computer is booted on the third of any month, the worm overwrites all files with the following extensions:

  • doc
  • xls
  • mdb
  • mde
  • ppt
  • pps
  • zip
  • rar
  • pdf
  • psd
  • dmp

with the text:

DATA Error [47 0F 94 93 F4 F5]
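As an added triage example (not part of the original description), the script below walks a directory tree and reports two things a responder would look for: copies using the dropped filenames listed above, and documents with the targeted extensions whose content has been reduced to the payload's marker text. The sample tree, its filenames and file contents are constructed here for the demonstration.

```python
import os
import tempfile
from pathlib import Path

# Filenames the description says the worm copies itself under (compared case-insensitively).
DROPPED_NAMES = {
    "new winzip file.exe", "scanregw.exe", "update.exe", "winzip.exe",
    "winzip_tmp.exe", "winzip quick pick.exe", "rundll16.exe",
}
# Extensions of the files the payload overwrites on the third of the month.
TARGET_EXTS = {".doc", ".xls", ".mdb", ".mde", ".ppt", ".pps",
               ".zip", ".rar", ".pdf", ".psd", ".dmp"}
# Marker text the payload writes in place of the original content.
DAMAGE_MARKER = b"DATA Error [47 0F 94 93 F4 F5]"


def is_overwritten(path: Path) -> bool:
    """True if the file consists only of the payload's marker text."""
    try:
        if path.stat().st_size > 64:   # a real document is far larger than the marker
            return False
        return path.read_bytes().strip() == DAMAGE_MARKER
    except OSError:
        return False


def triage(root: str) -> dict:
    """Walk root; return paths of dropped-name hits and of payload-damaged documents."""
    dropped, damaged = [], []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = Path(dirpath) / name
            if name.lower() in DROPPED_NAMES:
                dropped.append(p)
            if p.suffix.lower() in TARGET_EXTS and is_overwritten(p):
                damaged.append(p)
    rel = lambda paths: sorted(q.relative_to(root).as_posix() for q in paths)
    return {"dropped": rel(dropped), "damaged": rel(damaged)}


def demo() -> dict:
    """Constructed sample tree: one dropped copy, one wiped .doc, one intact .xls."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "Windows").mkdir()
        (root / "Windows" / "rundll16.exe").write_bytes(b"MZ constructed stub")
        (root / "report.doc").write_bytes(DAMAGE_MARKER)          # wiped by the payload
        (root / "budget.xls").write_bytes(b"real spreadsheet content")  # untouched
        return triage(tmp)
```

Run `demo()` to see the constructed tree triaged; point `triage()` at a mounted image or share to apply the same checks to real data.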