This worm infects a system when it is executed by a user. It is likely to be received as an email attachment or via network shares. When run, the file copies itself locally under many enticing filenames.
This is a mass-mailing worm with the following characteristics:
On execution, the worm opens Windows Media Player. The player does not play any file.
Drops various files, as listed below.
Changes registration name of WinZip if it is locally installed on the machine
Blocks various AV software from starting by deleting their registry keys
Changes the local telnet service to automatically start
Copies itself to systems that have open shares
Examination of the worm's code shows that it is intended to mass-mail itself; however, under testing AVERT has been unable to reproduce this behaviour, possibly due to a flaw in the program.
The following files are dropped:
%WinDir%\Task.exe
%WinDir%\system32\About_BlackWorm.C.txt
%WinDir%\system32\Connection.exe
%WinDir%\system32\Life.jpg
%WinDir%\system32\movie_05.MP3____________.exe
%WinDir%\system32\movie009.pif
%WinDir%\system32\NOTEPADm.exe
%WinDir%\system32\Old_Password.baT
%WinDir%\system32\OSSMTP.DLL
%WinDir%\system32\PaltlkRoom.wav___________.scr
%WinDir%\system32\sound_223.mp3___________.scr
%WinDir%\system32\The_Members.PIF
%WinDir%\system32\Video_live.mpg____________.exe
%WinDir%\system32\yahoo.PIF
%WinDir%\VOLUME\NOTEPAD.EXE
C:\Program Files\Internet Explorer\Media Player.exe
%SysDir%\About_BlackWorm.C.txt (harmless ASCII file)
The following registry keys are created:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "NOTEPAD.EXE" = C:\WINNT\VOLUME\NOTEPAD.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(Default)" = C:\WINNT\VOLUME\NOTEPAD.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup "Security" = C:\WINNT\SYSTEM32\NOTEPADm.exe
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr "Start" REG_DWORD = 02, 00, 00, 00
Attempts to disable various AV software from starting by deleting the following registry entries (if present):
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\NPROTECT
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\NPROTECT
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ccApp
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ScriptBlocking
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ScriptBlocking
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MCUpdateExe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VirusScan Online
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VirusScan Online
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\MCAgentExe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\VSOCheckTask
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\McRegWiz
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\McRegWiz
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\McVsRte
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\McVsRte
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PCClient.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PCClient.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PCCIOMON.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PCCIOMON.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\pccguide.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\pccguide.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\PccPfw
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\PccPfw
If WinZip is installed on the local machine, the worm changes the name of the registered user and the serial number to the following:
HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinIni "Name" = BlackWorm
HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinIni "SN" = 2AD00ED6
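An added offline triage example, not part of the AVERT description, that checks a registry snapshot and dropped-file names against the indicators listed above. The snapshot layout (a dict of key path to value-name/data pairs), the baseline comparison and the function names are assumptions made for this example; every indicator value comes from the description.

```python
"""Triage helpers for the BlackWorm.C indicators listed above. The snapshot
layout (dict of key path -> {value name: data}) is an assumption for this
example, not a real registry API; indicator values are from the description."""
import re

RUN_HKCU = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_HKLM = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
ACTIVE_SETUP = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup"
TLNTSVR = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr"
WINZIP = r"HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinIni"

# (key, value name, substring expected in the data) for entries the worm creates
CREATED = [
    (RUN_HKCU, "NOTEPAD.EXE", r"\VOLUME\NOTEPAD.EXE"),
    (RUN_HKLM, "(Default)", r"\VOLUME\NOTEPAD.EXE"),
    (ACTIVE_SETUP, "Security", r"\SYSTEM32\NOTEPADm.exe"),
]
# Run-key value names of the AV products whose entries the worm deletes
TARGETED_AV = {"NPROTECT", "ccApp", "ScriptBlocking", "MCUpdateExe", "VirusScan Online",
               "MCAgentExe", "VSOCheckTask", "McRegWiz", "McVsRte", "PCClient.exe",
               "PCCIOMON.exe", "pccguide.exe", "PccPfw"}
# Dropped names such as movie_05.MP3____________.exe: a media extension, then
# underscore padding that pushes the real executable extension out of view
PADDED_EXT = re.compile(r"\.[a-z0-9]{2,4}_{3,}\.(exe|scr|pif)$", re.IGNORECASE)


def registry_findings(snapshot):
    """Return human-readable findings for the values the worm writes."""
    found = []
    for key, name, needle in CREATED:
        data = snapshot.get(key, {}).get(name, "")
        if needle.lower() in str(data).lower():
            found.append(f"persistence: {key}\\{name} = {data}")
    # REG_DWORD 02,00,00,00 is little-endian 2, i.e. SERVICE_AUTO_START
    if snapshot.get(TLNTSVR, {}).get("Start") == 2:
        found.append("telnet service (TlntSvr) set to automatic start")
    wz = snapshot.get(WINZIP, {})
    if wz.get("Name") == "BlackWorm" or wz.get("SN") == "2AD00ED6":
        found.append("WinZip registration overwritten with worm signature")
    return found


def removed_av_entries(baseline_run, current_run):
    """Names from TARGETED_AV present in a known-good Run key but missing now;
    their disappearance is consistent with the worm's AV-disabling step."""
    return sorted(TARGETED_AV & (set(baseline_run) - set(current_run)))


def is_padded_dropper_name(filename):
    """True for the padded double-extension pattern used by the dropped files."""
    return bool(PADDED_EXT.search(filename))
```

Absence of an AV Run entry on its own proves nothing (the product may simply not be installed), which is why the deletion check compares against a baseline rather than the static list.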
Removal Instructions
All Users :
Use current engine and DAT files for detection and removal.
Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Disabling System Restore
Windows ME and XP utilize a restore utility that backs up selected files automatically to the C:\_Restore folder. This means that an infected file could be stored there as a backup file, and VirusScan will be unable to delete these files. You must disable the System Restore Utility to remove the infected files from the C:\_Restore folder.
Download Quick Heal, it's free.