Nyxem.e’s dreaded 32 bytes

Somewhere, deep inside Nyxem.e’s 100K+ body, there is a dreaded block of 32 bytes. On the 3rd of every month, exactly 30 minutes after the infected system is started, Nyxem.e will use this block to overwrite all *.doc, *.xls, *.mdb, *.mde, *.ppt, *.pps, *.zip, *.rar, *.pdf, *.psd and *.dmp files on your disks.

Once this has happened, your 6MB presentation for the CEO, your vacation pictures and all the RAR and ZIP backups will look like this:

Or, in ASCII:

With the activation date drawing near, just make sure your system is not infected. Unlike GPCode, once the payload has hit, the chances of you getting your data back will be practically zero.

Related Posts

Leave a Reply

Your email address will not be published. Required fields are marked *