W32/Mugly.c@MM

Type: Virus
SubType: E-mail worm
Discovery Date: 12/17/2004
Length: 458,752 bytes
Minimum DAT: 4416 (12/22/2004)
Updated DAT: 4684 (01/27/2006)
Minimum Engine: 5.1.00
Description Added: 12/21/2004
Description Modified: 12/21/2004 5:00 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Characteristics

This email worm is written in Visual Basic and bears the following characteristics:

  • contains its own SMTP engine for constructing messages
  • harvests email addresses from files on the victim machine
  • spoofs the From: address
  • overwrites the local HOSTS file
  • drops an IRC backdoor (this is detected as W32/Sdbot.worm.gen.h with the specified engine/DATs)

Mail Propagation

The worm constructs messages using its own SMTP engine, and harvests target addresses from the victim machine. The following files are searched for addresses:

  • .wab
  • .adb
  • .tbb
  • .dbx
  • .asp
  • .php
  • .htm
  • .html
  • .sht
  • .txt
  • .doc

The worm does not mail itself to email addresses containing any of the following strings:

  • adaware
  • nod32
  • trendmicro
  • avguk
  • grisoft
  • pandasoftware
  • sophos
  • .gov
  • symantec
  • lavasoft
  • mcafee
  • kaspersky

Outgoing messages are constructed as follows:

From: The sender address is queried from the victim machine by a lookup of the following Registry value:

  • HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Email Address

If this is unsuccessful, the worm will use one of the addresses it carries:

  • tony@hotmail.com
  • mery@msn.com
  • romeorichard@google.com
  • George@cnet.com
  • michael88@hotmail.com
  • administrator@hotmail.com
  • monika666@gmail.com
  • hunky78@norton.com
  • Ales56@mcafee.com
  • tit_fuck_909@gmail.com
  • micheangelo@yahoo.com
  • angy@hotmail.com
  • britny@paltalk.com
  • goonish88@aol.com
  • george88@download.com

Subject: One of the following subject lines is used:

  1. Hhahahah lol!!!!
  2. Your Pic On A Website!!
  3. Rate My Pic.......
  4. You have an Admirer

Body: One of the following message bodies is used (the number matches the subject line chosen above):

  1. i found this on my computer from ages ago
    download it and see if you can remember it
    lol i was lauging like mad when i saw it! :D
    email me back haha...
  2. I was looking at a website and came across
    this pic they look just like you! infact im sure
    it is lol did you send this pic into them ? or
    is it someonce else :S ? Ive Added the pic in
    a zip so download it and check & email me back!
  3. Hi ive sent 5 emails now and nobody will rate
    my pic!! :( please download and tell me what you
    think out of 10 dont worry if you dont like it
    just say i wont be offended p.s i was drunk when
    it was taken :P
  4. Someone has asked us on there behalf to send
    you this email and tell you they think you are
    wonderfull!!! All the The mystery persons details
    you need are enclosed in the attachment :)
    please download and respond telling us if you
    would like to make further contact with this
    person.

    Regards Hallmark Admirer Mail Admin.

Attachment: The attachment is a ZIP file named ATTACHMENT.ZIP. The ZIP archive contains a copy of the worm under one of the following filenames:

  • Pic_001.exe
  • Mary-Christmas.scr
  • Hapy-new-year.scr
  • Photo_01.pif
  • admire_001.exe
  • is_this_you.scr
  • love_04.scr
  • for_you.pif

Symptoms

  • HOSTS file overwritten so that the following update sites resolve to localhost (127.0.0.1):
    • rads.mcafee.com
    • liveupdate.symantecliveupdate.com
    • update.symantec.com
    • downloads-us2.kaspersky-labs.com
    • downloads-us3.kaspersky-labs.com
    • downloads-us4.kaspersky-labs.com
    • updates3.kaspersky-labs.com
    • symantecliveupdate.com
    • symatec.com
    • downloads3.kaspersky-labs.com
    • ftp.downloads1.kaspersky-labs.com
    • liveupdate.symantec.com
    • updates1.kaspersky-labs.com
    • downloads-us1.kaspersky-labs.com
    • updates2.kaspersky-labs.com
    • downloads1.kaspersky-labs.com
    • downloads2.kaspersky-labs.com
    • ftp.downloads2.kaspersky-labs.com
    • ftp.downloads3.kaspersky-labs.com
  • outgoing messages matching the characteristics described above
  • display of the image file dropped by the worm (uglym.jpg, see the "Method of Infection" section)
  • existence of the files and Registry keys described in the "Method of Infection" section
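As an added example (not part of the McAfee description), the following Python check parses HOSTS file content and reports which of the update hosts listed above have been pinned to a loopback address. The watchlist is a subset of the hosts named in the Symptoms list, and the sample HOSTS text is constructed for the demonstration, not captured from an infected machine.

```python
import ipaddress

# Subset of the AV update hosts the advisory says the worm redirects to 127.0.0.1.
HIJACKED_UPDATE_HOSTS = {
    "rads.mcafee.com",
    "liveupdate.symantecliveupdate.com",
    "update.symantec.com",
    "liveupdate.symantec.com",
    "symantecliveupdate.com",
    "downloads1.kaspersky-labs.com",
    "updates1.kaspersky-labs.com",
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs from HOSTS content, skipping comments and blank lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # strip trailing comments
        if not line:
            continue
        parts = line.split()
        if len(parts) < 2:
            continue                          # no hostname on this line
        try:
            ip = ipaddress.ip_address(parts[0])
        except ValueError:
            continue                          # malformed address, ignore
        for name in parts[1:]:                # one IP may map several names
            yield ip, name.lower().rstrip(".")


def find_update_hijacks(text, watchlist=HIJACKED_UPDATE_HOSTS):
    """Return the watchlisted hostnames that HOSTS maps to any loopback address (IPv4 or IPv6).
    'localhost' legitimately points at loopback and is never reported."""
    hits = set()
    for ip, name in parse_hosts(text):
        if name != "localhost" and ip.is_loopback and name in watchlist:
            hits.add(name)
    return sorted(hits)


# Constructed sample HOSTS file (not a real capture).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
127.0.0.1 rads.mcafee.com
127.0.0.1 liveupdate.symantecliveupdate.com update.symantec.com
::1  downloads1.kaspersky-labs.com
10.0.0.5 intranet.example      # internal host, not loopback
127.0.0.1 www.example.com      # loopback, but not an update host
"""

if __name__ == "__main__":
    for host in find_update_hijacks(SAMPLE_HOSTS):
        print("update host pinned to loopback:", host)
```

On a live Windows machine the same function can be run over the contents of %SysDir%\drivers\etc\hosts; any watchlisted hit is a strong indicator that updates are being blocked.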

Method of Infection

When the worm is executed, it makes a copy of itself in %SysDir% (the Windows system directory, e.g. C:\WINDOWS\SYSTEM32):

  • %SysDir%\XXZ.TMP

The following files are also dropped:

  • %SysDir%\ANSMTP.DLL (141,312 bytes - innocent SMTP library)
  • %SysDir%\attached.zip (copy of the worm within a ZIP)
  • %SysDir%\bszip.dll (34,304 bytes - innocent ZIP library)
  • %SysDir%\uglym.jpg (11,228 bytes - image file, see Symptoms section)
  • %SysDir%\winprotect.exe (231,500 bytes - dropped IRC backdoor)
  • C:\BT32.EXE (another copy of the dropped IRC backdoor)

The dropped IRC backdoor is detected as W32/Sdbot.worm.gen.h with the specified engine and DATs.

When the dropped IRC backdoor is executed, it installs itself on the victim machine. The following value:

  • "virtual" = winprotect.exe

is added to the following Registry keys to hook system startup:

  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
  • HKEY_CURRENT_USER\Software\Microsoft\OLE

The packer used on the backdoor drops the following file on the victim machine:

  • %SysDir%\SVKP.SYS (2,368 bytes)

This component is installed as a service on the victim machine; its configuration is held in the following Registry keys:

  • HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP
  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\SVKP

The ZIP and SMTP libraries that the worm drops and uses are installed as COM objects on the victim machine, which adds configuration data under the following Registry keys:

  • HKEY_CLASSES_ROOT\ANSMTP.MassSender
  • HKEY_CLASSES_ROOT\ANSMTP.OBJ
  • HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}
  • HKEY_CLASSES_ROOT\CLSID\{887A577B-406B-48FF-80CB-70752BFCD7B4}
  • HKEY_CLASSES_ROOT\Interface\{1E98666F-6260-42C9-B846-32B20FDEFE7B}
  • HKEY_CLASSES_ROOT\Interface\{68B8DCDB-EFA4-420A-BB8A-71B9892A2063}
  • HKEY_CLASSES_ROOT\Interface\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8}
  • HKEY_CLASSES_ROOT\Interface\{B13281CF-8778-4C98-AE23-ABBA4637A33D}
  • HKEY_CLASSES_ROOT\TypeLib\{DE6317F7-6EF0-45C2-88D1-8E09415817F1}

Users who have been infected with this worm, and who do not use these libraries for other, unrelated applications, should unregister them manually.

Removal

All Users:
Use the specified engine and DAT files for detection and removal.

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • W32.Mugly.c@mm (Symantec)
  • W32/Wurmark-C (Sophos)
  • WORM_MUGLY.C (Trend)
