W32/MyWife.c@MM

Type
Virus
SubType
Internet Worm
Discovery Date
09/06/2004
Length
72,874 Bytes
Minimum DAT
4390 (09/08/2004)
Updated DAT
4684 (01/27/2006)
Minimum Engine
5.1.00
Description Added
09/06/2004
Description Modified
09/21/2004 11:04 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

This is a mass-mailing worm with the following characteristics:

  • On execution, the worm opens the Windows Media Player; the player does not play any file
  • Drops various files as listed below
  • Changes the WinZip registration name if WinZip is installed locally on the machine
  • Blocks various AV software from starting by deleting their registry keys
  • Changes the local telnet service to start automatically
  • Copies itself to systems that have open shares

Examination of the worm shows that it is intended to mass-mail itself; however, under testing AVERT has been unable to reproduce this behaviour, possibly due to a flaw in the program.

The following files are dropped:

  • %WinDir%\Task.exe
  • %WinDir%\system32\About_BlackWorm.C.txt
  • %WinDir%\system32\Connection.exe
  • %WinDir%\system32\Life.jpg
  • %WinDir%\system32\movie_05.MP3____________.exe
  • %WinDir%\system32\movie009.pif
  • %WinDir%\system32\NOTEPADm.exe
  • %WinDir%\system32\Old_Password.baT
  • %WinDir%\system32\OSSMTP.DLL
  • %WinDir%\system32\PaltlkRoom.wav___________.scr
  • %WinDir%\system32\sound_223.mp3___________.scr
  • %WinDir%\system32\The_Members.PIF
  • %WinDir%\system32\Video_live.mpg____________.exe
  • %WinDir%\system32\yahoo.PIF
  • %WinDir%\VOLUME\NOTEPAD.EXE
  • C:\Program Files\Internet Explorer\Media Player.exe
  • %SysDir%\About_BlackWorm.C.txt (harmless ASCII file)

The following registry keys are created:

  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run "NOTEPAD.EXE" = C:\WINNT\VOLUME\NOTEPAD.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "(Default)" = C:\WINNT\VOLUME\NOTEPAD.EXE
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup "Security" = C:\WINNT\SYSTEM32\NOTEPADm.exe
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr "Start" REG_DWORD = 02, 00, 00, 00 (sets the telnet service to automatic start)

Attempts to disable various AV software from starting by deleting the following values (if present) from both HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run:

  • NPROTECT
  • ccApp
  • ScriptBlocking
  • MCUpdateExe
  • VirusScan Online
  • MCAgentExe
  • VSOCheckTask
  • McRegWiz
  • McVsRte
  • PCClient.exe
  • PCCIOMON.exe
  • pccguide.exe
  • PccPfw

If WinZip is installed on the local machine, the worm changes the name of the registered user and the serial number to the following:

  • HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinIni "Name" = BlackWorm
  • HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinIni "SN" = 2AD00ED6
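An added offline triage check, not part of this description: it parses 'reg export' dumps and reports the registry footprint listed above (the two NOTEPAD autostart values, the Active Setup "Security" value, TlntSvr set to automatic start), and, when a pre-infection baseline export of the Run keys is available (an assumption), the AV auto-start values the worm deleted. The sample exports and the ccApp path are constructed placeholders.

```python
RUN = r"\software\microsoft\windows\currentversion\run"
TLNTSVR = r"hkey_local_machine\system\controlset001\services\tlntsvr"
# Persistence entries the description says the worm creates (key paths from the description).
WORM_AUTOSTART = [("hkey_current_user" + RUN, "notepad.exe"),
                  ("hkey_local_machine" + RUN, "@"),  # "@" is the key's "(Default)" value
                  (r"hkey_local_machine\software\microsoft\active setup", "security")]
# AV auto-start values the worm deletes from both the HKLM and HKCU Run keys.
AV_VALUES = ["nprotect", "ccapp", "scriptblocking", "mcupdateexe", "virusscan online", "mcagentexe",
             "vsochecktask", "mcregwiz", "mcvsrte", "pcclient.exe", "pcciomon.exe", "pccguide.exe", "pccpfw"]

def parse_reg(text):
    """Minimal .reg parser -> {key: {value name: data}}; keys and names lowercased (registry is case-insensitive)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and "=" in line:
            name, data = line.split("=", 1)
            name = "@" if name == "@" else name.strip('"').lower()
            current[name] = data.strip('"').replace("\\\\", "\\")  # undo .reg backslash escaping
    return keys

def assess(current_reg, baseline_reg=None):
    """Findings matching the worm's registry footprint; a pre-infection baseline export reveals deleted AV values."""
    cur, findings = parse_reg(current_reg), []
    for key, name in WORM_AUTOSTART:
        data = cur.get(key, {}).get(name, "")
        if "notepad" in data.lower():  # both dropped copies are named NOTEPAD.EXE / NOTEPADm.exe
            findings.append(f"autostart {key} [{name}] -> {data}")
    if cur.get(TLNTSVR, {}).get("start") == "dword:00000002":
        findings.append("TlntSvr Start=2: telnet service set to automatic start")
    if baseline_reg:
        base = parse_reg(baseline_reg)
        for hive in ("hkey_local_machine", "hkey_current_user"):
            before, after = base.get(hive + RUN, {}), cur.get(hive + RUN, {})
            findings += [f"AV autostart removed: {hive}{RUN} [{v}]" for v in AV_VALUES if v in before and v not in after]
    return findings

# Constructed sample exports in 'reg export' syntax (not from a real machine); the ccApp path is a placeholder.
BASELINE = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\\placeholder\\ccApp.exe"
'''
INFECTED = r'''[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINNT\\VOLUME\\NOTEPAD.EXE"
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"NOTEPAD.EXE"="C:\\WINNT\\VOLUME\\NOTEPAD.EXE"
[HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\TlntSvr]
"Start"=dword:00000002
'''
```

Run `assess(INFECTED, BASELINE)` to list the four findings for the constructed infected export; a clean export with the same baseline returns an empty list.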

Symptoms

  • Launches the Windows Media Player upon execution, but nothing plays
  • Presence of files as listed above
  • HTTP traffic to http://webstats.web.rcn.net/

Method of Infection

This worm will infect a system when it is executed by a user. It is likely to be received in an email attachment or via network shares. When run, the file copies itself locally using many enticing filenames.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Blackmal.C@mm (Symantec)
  • W32/Mywife.C.worm (Panda)
  • W32/Mywife.D.worm (Panda)
  • W32/Nyxem-C (Sophos)
  • Win32.Blackmal.C (CA)
  • Win32.Blackmal.D (CA)
  • WORM_BLUEWORM.D (Trend)
  • WORM_BLUEWORM.F (Trend)
