Virus Profile: W32/MyWife.d@MM!M24

Threat Search
Print
   
Virus Profile information details
Risk Assessment: Home Low | Corporate Low
Date Discovered: 1/17/2006
Date Added: 1/17/2006
Origin: Unknown
Length: Varies
Type: Virus
Subtype: E-mail
DAT Required: 4642
Removal Instructions
   
 
 
   

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Security Settings Modification:

The following registry keys are modified to lower security settings:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\NotifyDownloadComplete="7562617"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \CurrentVersion\Internet Settings\ZoneMap\ProxyBypass="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \CurrentVersion\Internet Settings\ZoneMap\IntranetName="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \Currentversion\Explorer\Advanced\WebView="0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \Currentversion\Explorer\Advanced\ShowSuperHidden="0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows
    \CurrentVersion\Explorer\CabinetState\FullPath="0"

Registry entries under the following key are modified to disable security software:

  • SOFTWARE\Classes\Licenses

.EXE or .PPL Files found within the folders listed for the following registry entries are deleted:

  • HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk
    \VirusProtect6\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps
  • HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components
    \101
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
    \CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum
  • HKEY_LOCAL_MACHINE\Software\KasperskyLab
    \InstalledProducts\Kaspersky Anti-Virus Personal
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
    \CurrentVersion\App Paths\Iface.exe

The worm attempts to delete the following files:

  • %ProgramFiles% \DAP\*.dll
  • %ProgramFiles% \BearShare\*.dll
  • %ProgramFiles% \Symantec\LiveUpdate\*.*
  • %ProgramFiles% \Symantec\Common Files\Symantec Shared\*.*
  • %ProgramFiles% \Norton AntiVirus\*.exe
  • %ProgramFiles% \Alwil Software\Avast4\*.exe
  • %ProgramFiles% \McAfee.com\VSO\*.exe
  • %ProgramFiles% \McAfee.com\Agent\*.*
  • %ProgramFiles% \McAfee.com\shared\*.*
  • %ProgramFiles% \Trend Micro\PC-cillin 2002\*.exe
  • %ProgramFiles% \Trend Micro\PC-cillin 2003\*.exe
  • %ProgramFiles% \Trend Micro\Internet Security\*.exe
  • %ProgramFiles% \NavNT\*.exe
  • %ProgramFiles% \Morpheus\*.dll
  • %ProgramFiles% \Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
  • %ProgramFiles% \Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
  • %ProgramFiles% \Grisoft\AVG7\*.dll
  • %ProgramFiles% \TREND MICRO\OfficeScan\*.dll
  • %ProgramFiles% \Trend Micro\OfficeScan Client\*.exe
  • %ProgramFiles% \LimeWire\LimeWire 4.2.6\LimeWire.jar

It also tries to delete files from the following locations on network shares:

  • \C$\Program Files\Norton AntiVirus
  • \C$\Program Files\Common Files\symantec shared
  • \C$\Program Files\Symantec\LiveUpdate
  • \C$\Program Files\McAfee.com\VSO
  • \C$\Program Files\McAfee.com\Agent
  • \C$\Program Files\McAfee.com\shared
  • \C$\Program Files\Trend Micro\PC-cillin 2002
  • \C$\Program Files\Trend Micro\PC-cillin 2003
  • \C$\Program Files\Trend Micro\Internet Security
  • \C$\Program Files\NavNT
  • \C$\Program Files\Panda Software\Panda Antivirus Platinum
  • \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
  • \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
  • \C$\Program Files\Panda Software\Panda Antivirus 6.0
  • \C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus

It monitors the internet browser for the following strings:

  • YAHOO! MAIL -
  • @YAHOOGROUPS
  • BLOCKSENDER
  • SCRIBE
  • YAHOOGROUPS
  • TREND
  • PANDA
  • SECUR
  • SPAM
  • ANTI
  • CILLIN
  • CA.COM
  • AVG
  • GROUPS.MSN
  • NOMAIL.YAHOO.COM
  • EEYE
  • MICROSOFT
  • HOTMAIL
  • MSN
  • MYWAY
  • GMAIL.COM
  • @HOTMAIL
  • @HOTPOP

The worm will close applications whose title contains one of the following strings:

  • SYMANTEC
  • SCAN
  • KASPERSKY
  • VIRUS
  • MCAFEE
  • TREND MICRO
  • NORTON
  • REMOVAL
  • FIX

The values in the list below are deleted from Registry Run and Runservices keys, to prevent them from being restarted:

  • PCCIOMON.exe
  • pccguide.exe
  • Pop3trap.exe
  • PccPfw
  • tmproxy
  • McAfeeVirusScanService
  • NAV Agent
  • PCCClient.exe
  • SSDPSRV
  • rtvscn95
  • defwatch
  • vptray
  • ScanInicio
  • APVXDWIN
  • KAVPersonal50
  • kaspersky
  • TM Outbreak Agent
  • AVG7_Run
  • AVG_CC
  • Avgserv9.exe
  • AVGW
  • AVG7_CC
  • AVG7_EMC
  • Vet Alert
  • VetTray
  • OfficeScanNT Monitor
  • avast!
  • DownloadAccelerator
  • BearShare

Date Activated Payload

On the 3rd day of any month, approximately 30 minutes after an infected system is started, the worm overwrites files on local drives with the following extensions with the text "DATA Error [47 0F 94 93 F4 K5]":

  • DOC
  • XLS
  • MDB
  • MDE
  • PPT
  • PPS
  • ZIP
  • RAR
  • PDF
  • PSD
  • DMP

Testing confirms that this payload does not affect mapped network drives.

Infection Counter

Whenever a machine is initially infected, the worm connects to a website to increment a counter:

  • webstats.web.rcn.net/cgi-bin/Count.cgi [censored]

Tray Icon

The worm adds an icon in the systray, displaying the string "Update Please wait" if one of these folders have be found in %Program Files% :

  • Norton Antivirus
  • Kaspersky Lab
  • Panda Software

Methods of Infection

This worm tries to spread via email and by copying itself to local shares.

The mailing component harvests address from the local system.  Files with the following strings are targeted:

  • .HTM
  • .DBX
  • .EML
  • .MSG
  • .OFT
  • .NWS
  • .VCF
  • .MBX
  • .IMH
  • .TXT
  • .MSF
  • CONTENT.
  • TEMPORARY

Aliases

CME-24, Kama Sutra, Nyxem.E (F-Secure), W32.Blackmal.E@mm (NAV), W32/Grew.A!wm (Fortinet), W32/Kapser.A@mm (F-Prot), W32/MyWife.d@MM, W32/MyWife.d@MM!M24, W32/Nyxem-D (Sophos), W32/Tearec.A.worm (Panda), Win32/Blackmal.F (Vet), WORM_GREW.A (Trend)
   

Virus Characteristics

-- Update Feb 2, 2006 --
CME number assigned ( CME-24 )

This worm is proactively detected by 4642 and higher DATs as W32/Generic.worm!p2p. 4677 and higher DATs will detect this specifically as W32/MyWife.d@MM

This is a mass-mailing worm that bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • spreads through open network shares
  • tries to lower security settings and disable security software
  • overwrites files on the 3rd of each month

E-mail Component:

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address is an indication that the sender is infected.  Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Photos
  • My photos
  • School girl fantasies gone bad
  • Part 1 of 6 Video clipe
  • *Hot Movie*
  • Re:
  • Fw: Picturs
  • Fw: Funny :)
  • Fwd: Photo
  • Fwd: image.jpg
  • Fw: Sexy
  • Fw:
  • Fwd: Crazy illegal Sex!
  • Fw: Real show
  • Fw: SeX.mpg
  • Fw: DSC-00465.jpg
  • Re: Sex Video
  • Word file
  • the file
  • eBook.pdf
  • Miss Lebanon 2006
  • A Great Video
  • give me a kiss

Body:  (Varies, such as)  

  • Note: forwarded message attached.
  • You Must View This Videoclip!
  • >> forwarded message
  • i just any one see my photos.
  • forwarded message attached.
  • Please see the file.
  • ----- forwarded message -----
  • The Best Videoclip Ever
  • Hot XXX Yahoo Groups
  • F***in Kama Sutra pics
  • ready to be F***ED ;)
  • VIDEOS! FREE! (US$ 0,00)
  • It's Free :)
  • hello,
  • i send the file.
  • bye
  • hi
  • i send the details
  • i attached the details.
  • how are you?
  • What?
  • Thank you
  • i send the details.
  • OK ?

(N.B. *** replaces content for filtering purposes)

Attachment:

The files attached to the email may either be the executable itself or a MIME encoded file which contains the executable.

The executable filename is chosen from the following list:

  • 04.pif
  • 007.pif
  • School.pif
  • photo.pif
  • DSC-00465.Pif
  • Arab sex DSC-00465.jpg
  • image04.pif
  • 677.pif
  • DSC-00465.pIf
  • New_Document_file.pif
  • eBook.PIF
  • document.pif

The MIME encoded files' name is chosen from the following list:

  • SeX.mim
  • Sex.mim
  • WinZip.BHX
  • 3.92315089702606E02.UUE
  • Attachments[001].B64
  • eBook.Uu
  • Word_Document.hqx
  • Word_Document.uu
  • Attachments00.HQX
  • Attachments001.BHX
  • Video_part.mim

It may also be chosen from the following list of prefaces:

  • 392315089702606E-02
  • Clipe
  • Miss
  • Sweet_09

with the following file extensions:

  • .mim
  • .HQX
  • .BHx
  • .b64
  • .uu
  • .UUE
The filename within the MIME encoded file is chosen from the following list:
  • Attachments[001],B64 .sCr
  • 392315089702606E-02,UUE .scR
  • SeX,zip .scR
  • WinZip.zip .sCR
  • ATT01.zip .sCR
  • Word.zip .sCR
  • Word XP.zip .sCR
  • New Video,zip .sCr
  • Atta[001],zip .SCR
  • Attachments,zip .SCR
  • Clipe,zip .sCr
  • WinZip,zip .scR
  • Adults_9,zip .sCR
  • Photos,zip .sCR

Installation:

When this file is run, it copies itself to the Windows System directory as one or more of the following filenames.

  • %SysDir% \Winzip.exe
  • %SysDir% \Update.exe
  • %SysDir% \scanregw.exe
  • %WinDir% \Rundll16.exe
  • %WinDir% \winzip_tmp.exe
  • c:\winzip_tmp.exe
  • %Temp% \word.zip                                        .exe

(Where %Sysdir% is the Windows System directory - for example C:\WINDOWS\SYSTEM -  %WinDir% is the Windows Directory, and %Temp% is the Temp Directory)

It creates the following registry entry to hook Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
    \CurrentVersion\Run\ScanRegistry="scanregw.exe /scan"

The worm will go through the following directories

  • \Documents and Settings\
  • \Documents and Settings\%USERS%\My Documents\
  • \Program Files\
  • \RECYCLER\
  • \System Volume Information\
in order to place three files in each directory with the following names:
  • desktop.ini
  • Temp.Htt
  • WinZip_Tmp.exe (copy of the worm)

It will also change the system settings to "Hide Protected operating system files".

Having DESKTOP.INI and TEMP.HTT in any folder will turn it into an HTML browseable folder. DESKTOP.INI will point to TEMP.HTT as its template file that would run every time the folder is viewed. Inside TEMP.HTT, there will be another call to "WinZip_Temp.exe" to activate it in case there is not any instances of the worm currently running.

Network Share Component:

The worm will attempt to copy itself to the following shares, using the current user's authentication:

  • C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
  • Admin$\winzip_tmp.exe
  • C$\winzip_tmp.exe

The worm creates scheduled tasks on the remote computer to run winzip_tmp.exe during the 59th minute of every hour.  Once the 59th minute is reached, the remote computer would itself be infected  as it runs the dropped payload.

Variants

Variants information
Virus Name Type Subtype Differences
W32/MyWife.e@MM Virus E-mail This detection was added briefly, but it has since been determined that it was in fact a corrupted W32/MyWife.d@MM. Such files will now be detected as W32/MyWife.d@MM!M24.
   

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue 'fixmbr' command to restore the Master Boot Record
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.
   

PC Infected? Get Expert Help

McAfee
Virus Removal Service

Connect to one of our Security Experts by phone. Have your PC fixed remotely - while you watch!

$89.95