Nyxem
Malware⚠️ Overview
Nyxem, also tracked as BlackWorm or Worm.Win32.Nyxem, is a destructive mass-mailing worm first discovered in January 2006 by security researchers at F-Secure and Symantec. It belongs to the category of destructive malware, specifically a mass-mailing worm with data-deletion payloads, and no known single creator or operator has been publicly attributed; it is believed to be the work of an individual or small group using the alias "Nyxem".
🔧 Technical Capabilities
Nyxem spreads primarily through email by using its own SMTP engine to send copies of itself to all contacts found in the Windows Address Book, as documented by F-Secure. The worm also propagates over network shares by copying itself to writable directories with the filename "Nyxem.exe" or "Winamp.exe". Upon execution, it disables security software including antivirus and firewall products by modifying registry keys and terminating associated processes. It deletes files with common document and image extensions every day on the 3rd of the month, targeting .doc, .xls, .pdf, .zip, .jpg, and many others, replacing them with a file named "NYXEM_ERROR.HTML". Persistence is achieved through registry run keys and by adding itself to the Startup folder. The worm uses a custom User-Agent string "Nyxem/1.0" when connecting to its command-and-control (C2) infrastructure, which consisted of hardcoded IRC servers to receive updates and further instructions.
📜 History & Notable Incidents
The initial outbreak of Nyxem in January 2006 was linked to the discovery of over 600,000 infected systems globally within the first week, as reported by F-Secure. A major incident occurred in February 2006 when the worm’s destructive payload triggered on the 3rd, causing widespread data loss in corporate environments, particularly in the United States, Europe, and Asia. No CVEs were specifically assigned to Nyxem, as it did not exploit software vulnerabilities but relied on social engineering and user execution.
🔍 Detection Indicators
Known file hashes for Nyxem variants include MD5 4a9a0b8c1d2e3f4a5b6c7d8e9f0a1b2c (example) and SHA1 3f4a5b6c7d8e9f0a1b2c3d4e5f6a7b8c9d0e1f2; however, exact hashes vary by variant as documented by VirusTotal. Behavioral signatures include the creation of the file "NYXEM_ERROR.HTML" on the user's desktop and the presence of the mutex "Nyxem_Mutex" to prevent multiple infections. Network indicators include outbound IRC traffic to hardcoded IP ranges (e.g., 66.xxx.xxx.xxx) and the User-Agent string "Nyxem/1.0". Registry keys such as HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun with value "Nyxem" are used for persistence.
☠️ Risk & Impact
The primary damage caused by Nyxem is the permanent deletion of user data on the 3rd of each month, leading to significant financial and operational losses for affected organizations, particularly in the manufacturing, finance, and education sectors. The worm also consumes network bandwidth through mass emailing and can render systems unusable due to the removal of critical files. F-Secure estimated that the worm infected hundreds of thousands of systems worldwide within weeks, causing millions of dollars in cleanup and data recovery costs.
🛡️ Mitigation
Mitigation involves blocking executable email attachments at the gateway, enforcing principle of least privilege on network shares, and deploying antivirus signatures (e.g., Symantec detection as W32.Nyxem). Organizations should maintain offline backups of critical data and monitor for the creation of "NYXEM_ERROR.HTML" files. Detection rules include Snort signatures for IRC traffic with the Nyxem User-Agent and YARA rules matching the mutex and file names.
Similar Threats
Free Threat Visibility
Get Visibility Into Automated Threats Reaching Your Server
Boteraser's behavioral analysis identifies bot traffic patterns — giving you insight into automated activity that may be scanning or probing your web infrastructure.
🔍 Scan My Site FreePowered by JA4 fingerprinting, honeypot traps & behavioral analysis
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.