
W32/Mugly.i@MM

Type: Virus
SubType: Email Worm
Discovery Date: 01/30/2005
Length: Varies
Minimum DAT: 4425 (02/02/2005)
Updated DAT: 4896 (11/15/2006)
Minimum Engine: 5.1.00
Description Added: 02/01/2005
Description Modified: 02/02/2005 4:38 AM (PT)
Risk Assessment
  Corporate User: Low
  Home User: Low

Characteristics

This new variant is similar to previous variants. Some of its characteristics include:

  • Contains its own SMTP engine for mass mailing
  • Harvests email addresses from the victim's machine
  • Spoofs "From" addresses
  • Drops an IRC worm detected as W32/Sdbot.worm.gen.t
  • Attempts to send itself through MSN Messenger

Mail Propagation

Below are the various formats this virus may be sent out in:

From: (any of the below addresses)

  • adead_poet@hotmail.com
  • alex_edwards2000@msn.com
  • romeorichard@google.com
  • apiffany@cnet.com
  • sexy_lil_thing@no-ip.com
  • cutie_pie@ogrish.com
  • easy_lay666@lovenet.com
  • hunk_hogan78@hallmark.com
  • britany_slut56@sex.com
  • tit_****_909@gmail.com
  • good_****12@yahoo.com
  • blow***_lips666@romance.com
  • tit_****_909@paltalk.com
  • sexy_guy88@aol.com
  • mucle_bound_hunk892@download.com

Subject:

  • Hhahahah lol!!!!
  • Your Pic On A Website!!
  • You have an Admirer
  • Rate My Pic.......

Body:

Footer: (attached at the end of all emails)

Current email was sent by an Evaluation License
Note: This footer will be removed with Licensed Version

Attachment:

  • attached.zip
  • Pic_001.jpg.exe
  • Sexy_09.jpg.scr
  • Scan_04.scr
  • Photo_01.pif
  • admire_001.jpg.scr
  • is_this_you.jpg.scr
  • love_04.scr
  • for_you.pif
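A mail-gateway triage check built from the subjects, attachment names and footer listed above, as an added example (not code from the original McAfee description). The message dict layout and the sample messages are constructed here; the double-extension rule generalises the listed `.jpg.exe` / `.jpg.scr` lures to any image name ending in an executable extension.

```python
import re

# Indicators copied from the W32/Mugly.i@MM description above.
SUBJECTS = {
    "Hhahahah lol!!!!",
    "Your Pic On A Website!!",
    "You have an Admirer",
    "Rate My Pic.......",
}
ATTACHMENTS = {
    "attached.zip", "Pic_001.jpg.exe", "Sexy_09.jpg.scr", "Scan_04.scr",
    "Photo_01.pif", "admire_001.jpg.scr", "is_this_you.jpg.scr",
    "love_04.scr", "for_you.pif",
}
FOOTER = "Current email was sent by an Evaluation License"
# Generalised lure pattern: image-looking name with an executable extension.
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|bmp)\.(exe|scr|pif|com|bat)$", re.I)
EXEC_EXT = re.compile(r"\.(exe|scr|pif|com|bat)$", re.I)


def mugly_indicators(msg):
    """Return the Mugly indicators a message matches, in a fixed order.

    msg is a constructed dict with 'subject', 'body' and 'attachments'
    (list of filenames). An empty list means nothing on the list matched.
    """
    hits = []
    if msg.get("subject", "").strip() in SUBJECTS:
        hits.append("subject")
    if FOOTER in msg.get("body", ""):
        hits.append("evaluation-license footer")
    for name in msg.get("attachments", []):
        if name in ATTACHMENTS:
            hits.append(f"known attachment {name}")
        elif DOUBLE_EXT.search(name):
            hits.append(f"double extension {name}")
        elif EXEC_EXT.search(name):
            hits.append(f"executable attachment {name}")
    return hits


def is_suspect(msg):
    """Quarantine rule: a listed or double-extension attachment, or any two indicators."""
    hits = mugly_indicators(msg)
    strong = any(h.startswith(("known attachment", "double extension")) for h in hits)
    return strong or len(hits) >= 2


# Constructed sample messages (not taken from the original page).
SAMPLES = [
    {"subject": "You have an Admirer", "attachments": ["admire_001.jpg.scr"],
     "body": "see pic\n\nCurrent email was sent by an Evaluation License\n"},
    {"subject": "Q3 budget", "body": "numbers attached", "attachments": ["budget.xlsx"]},
    {"subject": "lol", "body": "check this", "attachments": ["holiday.jpg.exe"]},
]

if __name__ == "__main__":
    for m in SAMPLES:
        print(m["subject"], "->", mugly_indicators(m), "suspect" if is_suspect(m) else "clean")
```

A subject line alone is not enough to quarantine under this rule, which keeps a legitimate "You have an Admirer" greeting from being dropped; the footer or a listed attachment tips it over.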

Symptoms

When executed, the picture below is displayed:

The virus creates the following files in the WINDOWS SYSTEM directory (such as %WinDir%\System32):

  • ANSMTP.DLL 385,024 bytes - Standard SMTP mailing engine
  • attached.zip 335,622 bytes - Compressed copy of the worm
  • bszip.dll 62,464 bytes - Standard archive engine
  • uglym.jpg 11,228 bytes - Image file
  • dllman.exe 114,688 bytes - New W32/Sdbot.worm variant
  • xxz.tmp 603,648 bytes - Copy of the worm

Mugly drops and executes a W32/Sdbot.worm variant, which creates the following registry key values:

  • HKEY_CURRENT_USER\Software\Microsoft\OLE "virtual" = dllman.exe
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices "virtual" = dllman.exe

This worm scans the local class B subnet, sending SYN packets to TCP port 445 and looking for responding systems. In typical Sdbot fashion, the worm contains code to exploit the DCOM RPC and LSASS vulnerabilities. It can also spread via accessible shares (ADMIN$, IPC$, C$, D$) and weak administrator passwords. IP traffic to the following domain may be noticed:

  • windows.gotdns.com

Method of Infection

This worm spreads via email and drops a W32/Sdbot.worm variant, which spreads via many methods. The email worm harvests addresses from files with the following extensions:

  • .wab
  • .adb
  • .tbb
  • .dbx
  • .asp
  • .php
  • .htm
  • .html
  • .sht
  • .txt
  • .doc

The worm attempts to avoid sending itself to addresses that contain the following strings:

  • ada
  • nod
  • icro
  • avg
  • gri
  • panda
  • soph
  • sophos
  • .gov
  • symac
  • lavat
  • mcae
  • rsky

A standard SMTP engine is registered on the system for the mass-mailing to occur. The following registry branches are created as a result:

  • HKEY_CLASSES_ROOT\ANSMTP.MassSender
  • HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}
  • HKEY_CLASSES_ROOT\CLSID\{887A577B-406B-48FF-80CB-70752BFCD7B4}
  • HKEY_CLASSES_ROOT\Interface\{1E98666F-6260-42C9-B846-32B20FDEFE7B}
  • HKEY_CLASSES_ROOT\Interface\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8}
  • HKEY_CLASSES_ROOT\Interface\{B13281CF-8778-4C98-AE23-ABBA4637A33D}

Removal

All Users:
Use specified engine and DAT files for detection.

Modifications made to the system Registry and/or INI files for the purposes of hooking system startup will be successfully removed if cleaning with the current engine and the specified DATs (or higher). Older engines may not be able to remove all registry keys created by this threat.

Additional Windows ME/XP removal considerations

Variants

N/A

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • Email-Worm.Win32.Wurmark.a (Kaspersky)
  • W32.Mugly.H@mm (Symantec)
  • W32/Mugly.H.worm (Panda)
  • W32/Wurmark-G (Sophos)
  • WORM_MUGLY.I (Trend)
