
W32/MyWife.a@MM

Type: Virus
SubType: E-mail
Discovery Date: 03/23/2004
Length: 76,060 bytes
Minimum DAT: 4342 (03/24/2004)
Updated DAT: 4684 (01/27/2006)
Minimum Engine: 5.1.00
Description Added: 03/24/2004
Description Modified: 04/02/2004 7:41 AM (PT)
Risk Assessment:
  Corporate User: Low-Profiled
  Home User: Low-Profiled

Characteristics

-- Update April 2nd 2004 08:37 PST --
Some new variants of W32/MyWife.a have been received. These samples are detected with the 4.3.20 engine, but detection is not available with the 4.2.40 or 4.2.60 engines. Although most samples will be detected with the earlier engines, the minimum engine requirement has been updated to reflect 4.3.20.
-- Update March 25th 2004 15:16 PST --
This threat has been deemed Low-Profiled due to media attention at the following site: http://www.eweek.com/article2/0,1759,1554603,00.asp
--

This threat bears similarities to W32/MyLife@MM and may have been written by the same author. The author appears to have tried to bundle an external SMTP engine, but the virus does not fully use it in many environments, and bugs in the code prevent it from working as designed on some systems.

The virus spreads as an email attachment. Message content may be pornographic in nature. The following list is provided for content filtering purposes.

The virus body also contains the following message:

Dear User ,
This is A very High Resk Virus Alert.
This email is sent to you because one or some of your friends has been infected
with The W32.BlackWorm.A@mm Virus.
And you could be infected too. This Virus has the ability to damage the hard disk.
This Virus infects computers using many new ways :
1- it arrives as an email attachment inside of jpg pictures.
2- it infects the ip address without the victim's knowledge.
3- it infects Microsoft Word Documents using a new exploit in hex (00fxf0xf10x).



Notes:
  • Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
  • Symantec Security Response has attached a removal tool to clean and prevent the infections of W32.BlackWorm.A@mm.


   Sincerely
Norton AntiVirus
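The fake "Norton AntiVirus" alert quoted above is the most stable thing a mail gateway can key on, since the lure text travels with every copy. As an added example (not part of the McAfee description and not the virus's own code), the Python below implements a content filter that quarantines a message when its body carries phrases from that alert or when it carries an attachment with an executable extension or with whitespace inserted before the extension (the same "winrep .exe" trick the worm uses for the file it drops on disk, applied here to attachment names as a general hardening, which is an assumption rather than something the description reports). The phrase list, the extension set, and both sample messages are constructed for this example and would be tuned in a real deployment.

```python
import email
import re
from email import policy
from email.message import EmailMessage

# Phrases from the fake "Norton AntiVirus" alert carried in the virus body
# (quoted above). Matching is case-insensitive and whitespace-tolerant so
# re-wrapping by a mail client does not defeat it.
ALERT_PHRASES = (
    "very high resk virus alert",
    "w32.blackworm.a@mm",
    "it infects the ip address without the victim's knowledge",
    "new exploit in hex",
)

# Assumed gateway policy: these extensions are never accepted as attachments.
EXEC_EXTENSIONS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# The "winrep .exe" trick: whitespace immediately before the final extension.
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.[A-Za-z0-9]{1,4}$")


def _normalise(text: str) -> str:
    """Collapse whitespace and lower-case so phrase matching survives re-wrapping."""
    return re.sub(r"\s+", " ", text).lower()


def suspicious_filename(name: str) -> list[str]:
    """Reasons an attachment filename should be blocked (empty list = fine)."""
    reasons = []
    if SPACE_BEFORE_EXT.search(name):
        reasons.append("whitespace before extension")
    ext = name.rsplit(".", 1)[-1].strip().lower() if "." in name else ""
    if ext in EXEC_EXTENSIONS:
        reasons.append(f"executable extension .{ext}")
    return reasons


def scan_message(raw: bytes) -> list[str]:
    """Return the reasons a raw RFC 822 message should be quarantined."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is not None:
        text = _normalise(body.get_content())
        hits = [p for p in ALERT_PHRASES if p in text]
        if hits:
            findings.append("fake AV alert text: " + "; ".join(hits))
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        for reason in suspicious_filename(name):
            findings.append(f"attachment {name!r}: {reason}")
    return findings


def build_lure() -> bytes:
    """Constructed test message imitating the lure; not a captured sample."""
    msg = EmailMessage()
    msg["From"] = "friend@example.test"
    msg["To"] = "user@example.test"
    msg["Subject"] = "Virus Alert"
    msg.set_content(
        "Dear User ,\n"
        "This is A very High Resk Virus Alert.\n"
        "with The W32.BlackWorm.A@mm Virus.\n"
        "2- it infects the ip address without the victim's knowledge.\n"
        "Sincerely\nNorton AntiVirus\n"
    )
    msg.add_attachment(b"MZ\x90\x00", maintype="application",
                       subtype="octet-stream", filename="winrep .exe")
    return msg.as_bytes()


def build_clean() -> bytes:
    """Constructed benign message with a harmless text attachment."""
    msg = EmailMessage()
    msg["From"] = "alice@example.test"
    msg["To"] = "bob@example.test"
    msg["Subject"] = "Minutes"
    msg.set_content("Attached are the minutes from today.\n")
    msg.add_attachment("1. Budget approved.\n", filename="minutes.txt")
    return msg.as_bytes()


if __name__ == "__main__":
    for label, raw in (("lure", build_lure()), ("clean", build_clean())):
        print(label, scan_message(raw) or "clean")
```

The phrase check is deliberately loose (lower-cased, whitespace collapsed) because the worm's text is already misspelled and mail clients re-wrap it; the attachment checks are independent of the body so a sample with a different lure still trips on the dropper name.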

Symptoms

When run, the virus displays a fake error message.

The virus installs itself in the WINDOWS SYSTEM directory under a filename that mimics an existing file, with a space inserted before the extension (e.g. winrep.exe becomes "winrep .exe"), and creates a registry run key to load the file at startup:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "(Default)" = C:\WINNT\SYSTEM32\winrep .exe

A similar action is done with a directory named TEMPORARY in the WINDOWS directory:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "ISUNINST.EXE" = C:\WINNT\TEMPORARY\ISUNINST.EXE

Other keys may also be created:

  • HKEY_CURRENT_CONFIG\Display\Fonts "(Default)" = C:\WINNT\TEMPORARY\IsUninst.exe
  • HKEY_CURRENT_CONFIG\Software\Microsoft "(Default)" = C:\WINNT\SYSTEM32\winrep .exe

The external SMTP engine (OSSMTP) is installed into the WINDOWS SYSTEM directory as two DLLs:

  • c:\WINNT\system32\Ossmtp.dll (31,797 bytes)
  • c:\WINNT\system32\Oswinsck.dll (11,893 bytes)
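These autostart entries are what an incident responder hunts for across a fleet. As an added example (not from the McAfee description), the Python below parses constructed `reg query /s` output that reproduces the values listed above and flags the tells this worm leaves behind: an image whose name is a legitimate filename with whitespace inserted before the extension, an image in a TEMPORARY directory, a Run key's (Default) value used as a launcher, and executable paths stored under HKEY_CURRENT_CONFIG keys that play no autostart role. The sample output, the system32 file listing used to spot look-alike names, and the benign `ctfmon.exe` control entry are all constructed for the example.

```python
import re
from pathlib import PureWindowsPath

# One value line of `reg query <key> /s` output: name, type and data separated
# by runs of spaces. Value names such as "(Default)" may themselves contain
# spaces, so the name group is non-greedy.
REG_VALUE_LINE = re.compile(
    r"^\s{2,}(?P<name>.+?)\s{2,}(?P<type>REG_[A-Z_]+)\s{2,}(?P<data>.*)$")

RUN_KEY_SUFFIX = r"\software\microsoft\windows\currentversion\run"
EXEC_SUFFIXES = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd"}
SPACE_BEFORE_EXT = re.compile(r"\S\s+\.[a-z0-9]{1,4}$", re.I)


def parse_reg_query(text: str) -> list[tuple[str, str, str, str]]:
    """Turn `reg query /s` text into (key, value_name, type, data) tuples."""
    entries, key = [], None
    for line in text.splitlines():
        if not line.strip():
            continue
        if not line.startswith(" "):
            key = line.strip()          # unindented lines are key paths
            continue
        m = REG_VALUE_LINE.match(line)
        if m and key:
            entries.append((key, m["name"], m["type"], m["data"]))
    return entries


def assess(entry, known_files=frozenset()) -> list[str]:
    """Reasons a registry value looks like MyWife-style persistence."""
    key, name, _, data = entry
    path = PureWindowsPath(data.strip().strip('"'))
    if path.suffix.lower() not in EXEC_SUFFIXES:
        return []                       # only values that launch code matter here
    reasons = []
    fname = path.name
    if SPACE_BEFORE_EXT.search(fname):
        reasons.append("whitespace inserted before the extension")
    collapsed = re.sub(r"\s+", "", fname).lower()
    if collapsed != fname.lower() and collapsed in known_files:
        reasons.append(f"name mimics legitimate file {collapsed}")
    if "temporary" in (p.lower() for p in path.parts):
        reasons.append("image lives in a TEMPORARY directory")
    is_run_key = key.lower().endswith(RUN_KEY_SUFFIX)
    if is_run_key and name == "(Default)":
        reasons.append("Run key's (Default) value used to launch a program")
    if not is_run_key:
        reasons.append(f"executable path stored under non-autostart key {key}")
    return reasons


def hunt(reg_text: str, known_files=()) -> list[tuple[str, str, str, list[str]]]:
    """Return (key, value_name, data, reasons) for every suspicious value."""
    known = frozenset(f.lower() for f in known_files)
    hits = []
    for entry in parse_reg_query(reg_text):
        reasons = assess(entry, known)
        if reasons:
            hits.append((entry[0], entry[1], entry[3], reasons))
    return hits


# Constructed `reg query` output reproducing the values listed above, plus one
# benign Run entry (ctfmon.exe) that must not be flagged.
SAMPLE_REG_QUERY = r"""
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
    (Default)    REG_SZ    C:\WINNT\SYSTEM32\winrep .exe
    ISUNINST.EXE    REG_SZ    C:\WINNT\TEMPORARY\ISUNINST.EXE
    ctfmon.exe    REG_SZ    C:\WINNT\system32\ctfmon.exe

HKEY_CURRENT_CONFIG\Display\Fonts
    (Default)    REG_SZ    C:\WINNT\TEMPORARY\IsUninst.exe

HKEY_CURRENT_CONFIG\Software\Microsoft
    (Default)    REG_SZ    C:\WINNT\SYSTEM32\winrep .exe
"""

# Constructed listing of %SystemRoot%\system32 used to detect look-alike names.
KNOWN_SYSTEM_FILES = {"winrep.exe", "ctfmon.exe"}

if __name__ == "__main__":
    for key, name, data, reasons in hunt(SAMPLE_REG_QUERY, KNOWN_SYSTEM_FILES):
        print(f"{key} [{name}] = {data}")
        for r in reasons:
            print("   -", r)
```

On a live host the input would come from `reg query HKCU\Software\Microsoft\Windows\CurrentVersion\Run /s` and `reg query HKCC /s`, and the known-file set from a directory listing of the system directory; the look-alike check is what separates "winrep .exe" from the genuine winrep.exe sitting beside it.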

The virus also creates many copies of itself.

Method of Infection

This worm spreads through email. It harvests addresses from the Yahoo and MSN Messenger contact data on the system and from files with the .htm and .dbx (Outlook Express mail store) extensions.

It also attempts to deactivate, terminate or delete certain software.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files to hook system startup are removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • I-Worm.Nyxem (AVP)
  • W32.Blackmal@mm (Symantec)
  • W32.BlackWorm.A@mm
  • W32/Mywife.A.worm (Panda)
  • WORM_BLUEWORM.A (Trend)
