-- Update Feb 2, 2006 --
CME number assigned ( CME-24
This worm is proactively detected by 4642 and higher DATs as W32/Generic.worm!p2p. 4677 and higher DATs will detect this specifically as W32/MyWife.d@MM
This is a mass-mailing worm that bears the following characteristics:
- contains its own SMTP engine to construct outgoing messages
- spreads through open network shares
- tries to lower security settings and disable security software
- overwrites files on the 3rd of each month
The virus arrives in an email message as follows:
(Spoofed email sender)
Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.
(Varies, such as)
- My photos
- School girl fantasies gone bad
- Part 1 of 6 Video clipe
- *Hot Movie*
- Fw: Picturs
- Fw: Funny :)
- Fwd: Photo
- Fwd: image.jpg
- Fw: Sexy
- Fwd: Crazy illegal Sex!
- Fw: Real show
- Fw: SeX.mpg
- Fw: DSC-00465.jpg
- Re: Sex Video
- Word file
- the file
- Miss Lebanon 2006
- A Great Video
- give me a kiss
(Varies, such as)
- Note: forwarded message attached.
- You Must View This Videoclip!
- >> forwarded message
- i just any one see my photos.
- forwarded message attached.
- Please see the file.
- ----- forwarded message -----
- The Best Videoclip Ever
- Hot XXX Yahoo Groups
- F***in Kama Sutra pics
- ready to be F***ED ;)
- VIDEOS! FREE! (US$ 0,00)
- It's Free :)
- i send the file.
- i send the details
- i attached the details.
- how are you?
- Thank you
- i send the details.
- OK ?
(N.B. *** replaces content for filtering purposes)
The files attached to the email may either be the executable itself or a MIME encoded file which contains the executable.
The executable filename is chosen from the following list:
- Arab sex DSC-00465.jpg
The MIME encoded files' name is chosen from the following list:
It may also be chosen from the following list of prefaces:
with the following file extensions:
The filename within the MIME encoded file is chosen from the following list:
- Attachments,B64 .sCr
- 392315089702606E-02,UUE .scR
- SeX,zip .scR
- WinZip.zip .sCR
- ATT01.zip .sCR
- Word.zip .sCR
- Word XP.zip .sCR
- New Video,zip .sCr
- Atta,zip .SCR
- Attachments,zip .SCR
- Clipe,zip .sCr
- WinZip,zip .scR
- Adults_9,zip .sCR
- Photos,zip .sCR
When this file is run, it copies itself to the Windows System directory as one or more of the following filenames.
%Sysdir% is the Windows System directory - for example C:\WINDOWS\SYSTEM -
%WinDir% is the Windows Directory, and
%Temp% is the Temp Directory)
It creates the following registry entry to hook Windows startup:
The worm will go through the following directories
- \Documents and Settings\
- \Documents and Settings\%USERS%\My Documents\
- \Program Files\
- \System Volume Information\
in order to place three files in each directory with the following names:
- WinZip_Tmp.exe (copy of the worm)
It will also change the system settings to "Hide Protected operating system files".
Having DESKTOP.INI and TEMP.HTT in any folder will turn it into an HTML browseable folder. DESKTOP.INI will point to TEMP.HTT as its template file that would run every time the folder is viewed. Inside TEMP.HTT, there will be another call to "WinZip_Temp.exe" to activate it in case there is not any instances of the worm currently running.
Network Share Component:
The worm will attempt to copy itself to the following shares, using the current user's authentication:
- C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
The worm creates scheduled tasks on the remote computer to run winzip_tmp.exe during the 59th minute of every hour. Once the 59th minute is reached, the remote computer would itself be infected as it runs the dropped payload.
||This detection was added briefly, but it has since been determined that it was in fact a corrupted W32/MyWife.d@MM. Such files will now be detected as W32/MyWife.d@MM!M24.