W32/MyWife.d@MM!M24 | Virus Profile & Definition

Virus Profile information details
Risk Assessment:	Home Low \| Corporate Low
Date Discovered:	1/17/2006
Date Added:	1/17/2006
Origin:	Unknown
Length:	Varies
Type:	Virus
Subtype:	E-mail
DAT Required:	4642
Removal Instructions

Description

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Indication of Infection

Security Settings Modification:

The following registry keys are modified to lower security settings:

HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\NotifyDownloadComplete="7562617"
HKEY_CURRENT_USER\Software\Microsoft\Windows
\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet="1"
HKEY_CURRENT_USER\Software\Microsoft\Windows
\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass="1"
HKEY_CURRENT_USER\Software\Microsoft\Windows
\CurrentVersion\Internet Settings\ZoneMap\IntranetName="1"
HKEY_CURRENT_USER\Software\Microsoft\Windows
\Currentversion\Explorer\Advanced\WebView="0"
HKEY_CURRENT_USER\Software\Microsoft\Windows
\Currentversion\Explorer\Advanced\ShowSuperHidden="0"
HKEY_CURRENT_USER\Software\Microsoft\Windows
\CurrentVersion\Explorer\CabinetState\FullPath="0"

Registry entries under the following key are modified to disable security software:

SOFTWARE\Classes\Licenses

.EXE or .PPL Files found within the folders listed for the following registry entries are deleted:

HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk
\VirusProtect6\CurrentVersion
HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps
HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components
\101
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum
HKEY_LOCAL_MACHINE\Software\KasperskyLab
\InstalledProducts\Kaspersky Anti-Virus Personal
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\App Paths\Iface.exe

The worm attempts to delete the following files:

%ProgramFiles% \DAP\*.dll
%ProgramFiles% \BearShare\*.dll
%ProgramFiles% \Symantec\LiveUpdate\*.*
%ProgramFiles% \Symantec\Common Files\Symantec Shared\*.*
%ProgramFiles% \Norton AntiVirus\*.exe
%ProgramFiles% \Alwil Software\Avast4\*.exe
%ProgramFiles% \McAfee.com\VSO\*.exe
%ProgramFiles% \McAfee.com\Agent\*.*
%ProgramFiles% \McAfee.com\shared\*.*
%ProgramFiles% \Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles% \Trend Micro\PC-cillin 2003\*.exe
%ProgramFiles% \Trend Micro\Internet Security\*.exe
%ProgramFiles% \NavNT\*.exe
%ProgramFiles% \Morpheus\*.dll
%ProgramFiles% \Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%ProgramFiles% \Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%ProgramFiles% \Grisoft\AVG7\*.dll
%ProgramFiles% \TREND MICRO\OfficeScan\*.dll
%ProgramFiles% \Trend Micro\OfficeScan Client\*.exe
%ProgramFiles% \LimeWire\LimeWire 4.2.6\LimeWire.jar

It also tries to delete files from the following locations on network shares:

\C$\Program Files\Norton AntiVirus
\C$\Program Files\Common Files\symantec shared
\C$\Program Files\Symantec\LiveUpdate
\C$\Program Files\McAfee.com\VSO
\C$\Program Files\McAfee.com\Agent
\C$\Program Files\McAfee.com\shared
\C$\Program Files\Trend Micro\PC-cillin 2002
\C$\Program Files\Trend Micro\PC-cillin 2003
\C$\Program Files\Trend Micro\Internet Security
\C$\Program Files\NavNT
\C$\Program Files\Panda Software\Panda Antivirus Platinum
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
\C$\Program Files\Panda Software\Panda Antivirus 6.0
\C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus

It monitors the internet browser for the following strings:

YAHOO! MAIL -
@YAHOOGROUPS
BLOCKSENDER
SCRIBE
YAHOOGROUPS
TREND
PANDA
SECUR
SPAM
ANTI
CILLIN
CA.COM
AVG
GROUPS.MSN
NOMAIL.YAHOO.COM
EEYE
MICROSOFT
HOTMAIL
MSN
MYWAY
GMAIL.COM
@HOTMAIL
@HOTPOP

The worm will close applications whose title contains one of the following strings:

SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL
FIX

The values in the list below are deleted from Registry Run and Runservices keys, to prevent them from being restarted:

PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare

Date Activated Payload

On the 3rd day of any month, approximately 30 minutes after an infected system is started, the worm overwrites files on local drives with the following extensions with the text "DATA Error [47 0F 94 93 F4 K5]":

DOC
XLS
MDB
MDE
PPT
PPS
ZIP
RAR
PDF
PSD
DMP

Testing confirms that this payload does not affect mapped network drives.

Infection Counter

Whenever a machine is initially infected, the worm connects to a website to increment a counter:

webstats.web.rcn.net/cgi-bin/Count.cgi [censored]

Tray Icon

The worm adds an icon in the systray, displaying the string "Update Please wait" if one of these folders have be found in %Program Files% :

Norton Antivirus
Kaspersky Lab
Panda Software

Methods of Infection

This worm tries to spread via email and by copying itself to local shares.

The mailing component harvests address from the local system. Files with the following strings are targeted:

.HTM
.DBX
.EML
.MSG
.OFT
.NWS
.VCF
.MBX
.IMH
.TXT
.MSF
CONTENT.
TEMPORARY

Aliases

CME-24, Kama Sutra, Nyxem.E (F-Secure), W32.Blackmal.E@mm (NAV), W32/Grew.A!wm (Fortinet), W32/Kapser.A@mm (F-Prot), W32/MyWife.d@MM, W32/MyWife.d@MM!M24, W32/Nyxem-D (Sophos), W32/Tearec.A.worm (Panda), Win32/Blackmal.F (Vet), WORM_GREW.A (Trend)

Back to Top

View Virus Characteristics

Virus Characteristics

-- Update Feb 2, 2006 --
CME number assigned ( CME-24 )

This worm is proactively detected by 4642 and higher DATs as W32/Generic.worm!p2p. 4677 and higher DATs will detect this specifically as W32/MyWife.d@MM

This is a mass-mailing worm that bears the following characteristics:

contains its own SMTP engine to construct outgoing messages
spreads through open network shares
tries to lower security settings and disable security software
overwrites files on the 3rd of each month

E-mail Component:

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address is an indication that the sender is infected. Additionally you may receive alert messages from a mail server that you are infected, which may not be the case.

Subject: (Varies, such as)

Photos
My photos
School girl fantasies gone bad
Part 1 of 6 Video clipe
*Hot Movie*
Re:
Fw: Picturs
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Fw:
Fwd: Crazy illegal Sex!
Fw: Real show
Fw: SeX.mpg
Fw: DSC-00465.jpg
Re: Sex Video
Word file
the file
eBook.pdf
Miss Lebanon 2006
A Great Video
give me a kiss

Body: (Varies, such as)

Note: forwarded message attached.
You Must View This Videoclip!
>> forwarded message
i just any one see my photos.
forwarded message attached.
Please see the file.
----- forwarded message -----
The Best Videoclip Ever
Hot XXX Yahoo Groups
F***in Kama Sutra pics
ready to be F***ED ;)
VIDEOS! FREE! (US$ 0,00)
It's Free :)
hello,
i send the file.
bye
hi
i send the details
i attached the details.
how are you?
What?
Thank you
i send the details.
OK ?

(N.B. *** replaces content for filtering purposes)

Attachment:

The files attached to the email may either be the executable itself or a MIME encoded file which contains the executable.

The executable filename is chosen from the following list:

04.pif
007.pif
School.pif
photo.pif
DSC-00465.Pif
Arab sex DSC-00465.jpg
image04.pif
677.pif
DSC-00465.pIf
New_Document_file.pif
eBook.PIF
document.pif

The MIME encoded files' name is chosen from the following list:

SeX.mim
Sex.mim
WinZip.BHX
3.92315089702606E02.UUE
Attachments[001].B64
eBook.Uu
Word_Document.hqx
Word_Document.uu
Attachments00.HQX
Attachments001.BHX
Video_part.mim

It may also be chosen from the following list of prefaces:

392315089702606E-02
Clipe
Miss
Sweet_09

with the following file extensions:

.mim
.HQX
.BHx
.b64
.uu
.UUE

The filename within the MIME encoded file is chosen from the following list:

Attachments[001],B64 .sCr
392315089702606E-02,UUE .scR
SeX,zip .scR
WinZip.zip .sCR
ATT01.zip .sCR
Word.zip .sCR
Word XP.zip .sCR
New Video,zip .sCr
Atta[001],zip .SCR
Attachments,zip .SCR
Clipe,zip .sCr
WinZip,zip .scR
Adults_9,zip .sCR
Photos,zip .sCR

Installation:

When this file is run, it copies itself to the Windows System directory as one or more of the following filenames.

%SysDir% \Winzip.exe
%SysDir% \Update.exe
%SysDir% \scanregw.exe
%WinDir% \Rundll16.exe
%WinDir% \winzip_tmp.exe
c:\winzip_tmp.exe
%Temp% \word.zip .exe

(Where %Sysdir% is the Windows System directory - for example C:\WINDOWS\SYSTEM - %WinDir% is the Windows Directory, and %Temp% is the Temp Directory)

It creates the following registry entry to hook Windows startup:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows
\CurrentVersion\Run\ScanRegistry="scanregw.exe /scan"

The worm will go through the following directories

\Documents and Settings\
\Documents and Settings\%USERS%\My Documents\
\Program Files\
\RECYCLER\
\System Volume Information\

in order to place three files in each directory with the following names:

desktop.ini
Temp.Htt
WinZip_Tmp.exe (copy of the worm)

It will also change the system settings to "Hide Protected operating system files".

Having DESKTOP.INI and TEMP.HTT in any folder will turn it into an HTML browseable folder. DESKTOP.INI will point to TEMP.HTT as its template file that would run every time the folder is viewed. Inside TEMP.HTT, there will be another call to "WinZip_Temp.exe" to activate it in case there is not any instances of the worm currently running.

Network Share Component:

The worm will attempt to copy itself to the following shares, using the current user's authentication:

C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
Admin$\winzip_tmp.exe
C$\winzip_tmp.exe

The worm creates scheduled tasks on the remote computer to run winzip_tmp.exe during the 59th minute of every hour. Once the 59th minute is reached, the remote computer would itself be infected as it runs the dropped payload.

Variants

Variants information
Virus Name	Type	Subtype	Differences
W32/MyWife.e@MM	Virus	E-mail	This detection was added briefly, but it has since been determined that it was in fact a corrupted W32/MyWife.d@MM. Such files will now be detected as W32/MyWife.d@MM!M24.

Back to Top

Back To Overview View Removal Instructions

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup, will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

But in some particular cases, the following steps need to be taken.

Please go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

Insert the Windows XP CD into the CD-ROM drive and restart the computer.
When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
Select the Windows installation that is compromised and provide the administrator password.
Issue 'fixmbr' command to restore the Master Boot Record
Follow onscreen instructions.
Reset and remove the CD from CD-ROM drive.

On Windows Vista and 7:

Insert the Windows CD into the CD-ROM drive and restart the computer.
Click on "Repair Your Computer".
When the System Recovery Options dialog comes up, choose the Command Prompt.
Issue 'bootrec /fixmbr' command to restore the Master Boot Record.
Follow onscreen instructions.
Reset and remove the CD from CD-ROM drive.

Back to Top

View Virus Characteristics

Virus Profile: W32/MyWife.d@MM!M24

Description

Indication of Infection

Methods of Infection

Aliases

Virus Characteristics

Variants

Virus Information

Indications of Infection:

PRODUCTS

VIRUS SECURITY

SUPPORT

SOCIALIZE WITH US ON

SIGN UP FOR SECURITY NEWS

WE ACCEPT THE FOLLOWING