W32/Womble@MM

Type
Virus
SubType
E-mail worm
Discovery Date
08/25/2006
Length
78,336 bytes
Minimum DAT
4839 (08/28/2006)
Updated DAT
4983 (03/13/2007)
Minimum Engine
5.1.00
Description Added
08/25/2006
Description Modified
08/25/2006 10:53 AM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

When W32/Womble@MM is run, it copies itself as UPDATE.EXE into the %Sysdir% folder.

It creates the following folder:

  • C:\Documents and Settings\%Username%\Local Settings\Application Data\Microsoft\WinTools\take_it

The following files are created in the above folder:

  • about_windows.jpg - Exploit-WMF trojan that carries the worm inside.
  • remove_spyware.exe - just a copy of the worm itself

Please note that the files which contain the Exploit-WMF trojan have been detected since at least the 4800 DATs.

In addition, the worm adds the following value:

  • take_it

to the following registry key, in order to share the files above:

  • HKEY_LOCAL_MACHINE\SYSTEM\ControlSet\Services\lanmanserver\shares

Other registry keys created:

  • HKEY_LOCAL_MACHINE\SOFTWARE\WinUpdate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ms_net_update" = %Sysdir%\update.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ms_net_update" = %Sysdir%\update.exe

Symptoms

A large increase in SMTP traffic

Presence of the following registry keys:

  • HKEY_LOCAL_MACHINE\SOFTWARE\WinUpdate
  • HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ms_net_update" = %Sysdir%\update.exe
  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "ms_net_update" = %Sysdir%\update.exe

Method of Infection

W32/Womble@MM uses its own SMTP engine to send out the messages.

It generates the email as follows:

From: (Spoofed email sender)

Subject: Uses any one of the following:

  • info
  • Incredible!!
  • Hi
  • important
  • !!
  • Look at this!!!
  • FIFA
  • pic
  • private
  • Beauty
  • Re:
  • Private pics
  • Olympus
  • Bush
  • Sex
  • Kiss
  • Paula
  • Miss Khan

Body: No body

Attachment: Any one of the following filenames is used:

  • firefox_update.pif.zip
  • congratulations.jpg.zip
  • your_friends.wmf.zip
  • some_info.wmf
  • your_friends.jpg

Files with a .ZIP extension are simply copies of the worm itself. Files with a .JPG or .WMF extension contain Exploit-WMF as well as the worm.
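A mail-gateway check for the e-mail pattern described above, written here as an added example and not McAfee's own detection logic: it matches the fixed subject list, the empty body and the fixed attachment names from this description. The messages it builds for illustration are constructed, not captured worm mail.

```python
# Added example (not from the McAfee description): flag an e-mail that matches
# the W32/Womble@MM indicators: one of the fixed subjects, an empty body and
# one of the fixed attachment names (some with a double extension such as
# .pif.zip). Sample messages produced by build_sample() are constructed.
import email
from email import policy
from email.message import EmailMessage

WOMBLE_SUBJECTS = {
    "info", "Incredible!!", "Hi", "important", "!!", "Look at this!!!",
    "FIFA", "pic", "private", "Beauty", "Re:", "Private pics", "Olympus",
    "Bush", "Sex", "Kiss", "Paula", "Miss Khan",
}
WOMBLE_ATTACHMENTS = {
    "firefox_update.pif.zip", "congratulations.jpg.zip",
    "your_friends.wmf.zip", "some_info.wmf", "your_friends.jpg",
}


def womble_indicators(raw):
    """Return the names of the indicators a raw RFC 822 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    if (msg.get("Subject") or "").strip() in WOMBLE_SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain", "html"))
    if body is None or not body.get_content().strip():
        hits.append("empty-body")          # the description says: no body
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        if name in WOMBLE_ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


def is_womble_like(raw):
    """Subject and attachment both matching is the pattern described."""
    hits = womble_indicators(raw)
    return "subject" in hits and any(h.startswith("attachment:") for h in hits)


def build_sample(subject, filename, body=""):
    """Constructed sample message for testing the check (not real worm mail)."""
    m = EmailMessage()
    m["From"] = "spoofed@example.invalid"   # the worm spoofs the sender
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    if body:
        m.set_content(body)
    m.add_attachment(b"\x00" * 16, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()
```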

Removal

All Users:
Use specified engine and DAT files for detection and removal.

Additional Windows ME/XP removal considerations

Variants

    N/A

Overview

W32/Womble@MM is a mass mailing worm which uses Exploit-WMF to spread.

It may arrive as a ZIP archive or as a file with one of the following extensions:

  • JPG
  • WMF
