W32/Wuke@MM

Type: Virus
SubType: Worm
Discovery Date: 12/11/2006
Length: 101,376 bytes
Minimum DAT: 4917 (12/12/2006)
Updated DAT: 5030 (05/14/2007)
Minimum Engine: 5.1.00
Description Added: 12/11/2006
Description Modified: 12/12/2006 2:21 AM (PT)

Risk Assessment
Corporate User: Low
Home User: Low

Overview

W32/Wuke@MM is a worm capable of infecting .EXE files on a compromised system, appending malicious data to some web-based files, dropping a rootkit component and spreading to other hosts via the network.

Characteristics

When executed the worm drops copies of itself to the %WINDIR% folder with the following filenames:

  • cmd.com
  • regedit.com
  • net.com

W32/Wuke@MM infects .EXE files found on the compromised system. Such victim files grow by 101,376 bytes, 26,392 of which are prepended and the remainder appended.

The worm often corrupts infected files such that they will not execute properly. Repairing infected files using the latest DAT files will recover all such corruptions.

The worm also infects .HTM; .HTML; .ASP; and .ASPX files by appending HTML IFRAME tags to them. Said tags, when rendered by a web browser, will download malicious content from remote web hosts. Please view the W32/Wuke!htm description for more information.

The worm also drops a rootkit component to hide its running process. Please view the W32/Wuke.sys description for more information.

When executed, if the worm detects certain analysis tools, such as regmon, filemon or softice, it prompts the user with a message box similar to the image below:

The worm is also capable of closing such analysis applications.

Symptoms

  • Presence of the aforementioned files.
  • Presence of modified, or corrupted .EXE files.
  • Presence of modified web-based files.
  • Presence of the rootkit component on disk, or in the registry.
  • Unexpected network traffic (as explained below).

Unexpected network traffic could be for one of three reasons:

  • The worm itself (whilst hidden by the rootkit) is capable of downloading other content from malicious sources. This includes the following: DDos-Rincux, PWS-Hook.dll and PWS-Gamania.dll. All malware downloaded is detected when using the latest DATs.
  • IFRAME tags added to the end of web-based files are capable of downloading malicious content from remote web hosts. The following URL is used in this variant.

http:// softd.ppandora.com/[HIDDEN]

  • NetBIOS traffic is created by the worm as it attempts to find other hosts to spread to.
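A defender-side check for two of the symptoms listed above, written here as an added example (it is not McAfee's tooling): it looks for the three drop filenames in a given Windows directory and for IFRAME tags appended after the closing </html> of .htm, .html, .asp and .aspx files. The sample directory tree and the placeholder iframe host built in demo() are constructed for illustration; the real URL is redacted on this page.

```python
import os
import re
import tempfile
from pathlib import Path

# Filenames the worm drops into %WINDIR% (taken from the description above).
DROPPED_NAMES = {"cmd.com", "regedit.com", "net.com"}
# Web file types the worm modifies by appending an IFRAME tag.
WEB_EXTENSIONS = {".htm", ".html", ".asp", ".aspx"}
IFRAME_RE = re.compile(rb"<iframe\b[^>]*>", re.IGNORECASE)

def find_dropped_files(windir: str) -> list[str]:
    """Names from DROPPED_NAMES that exist as files directly inside windir."""
    return sorted(n for n in DROPPED_NAMES if os.path.isfile(os.path.join(windir, n)))

def appended_iframes(data: bytes) -> list[bytes]:
    """IFRAME tags located after the last </html>, i.e. appended to the file.
    A file with no </html> is checked in its final 512 bytes instead."""
    end = data.lower().rfind(b"</html>")
    tail = data[end + len(b"</html>"):] if end != -1 else data[-512:]
    return IFRAME_RE.findall(tail)

def scan_web_files(root: str) -> dict[str, list[bytes]]:
    """Map each web file under root that carries an appended IFRAME to its tags."""
    hits = {}
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in WEB_EXTENSIONS:
            tags = appended_iframes(path.read_bytes())
            if tags:
                hits[path.name] = tags
    return hits

def demo() -> tuple[list[str], dict[str, list[bytes]]]:
    """Run both checks against a constructed sample tree (not real worm output)."""
    with tempfile.TemporaryDirectory() as tmp:
        windir = os.path.join(tmp, "WINDOWS")
        os.makedirs(windir)
        for name in ("cmd.com", "net.com"):           # two of the three drop files
            Path(windir, name).write_bytes(b"MZ")     # constructed stand-in content
        web = os.path.join(tmp, "wwwroot")
        os.makedirs(web)
        # Constructed placeholder host; the real URL is redacted on the page.
        tag = b'<iframe src="http://hidden.example.invalid/" width=0 height=0></iframe>'
        Path(web, "index.html").write_bytes(b"<html><body>ok</body></html>" + tag)
        Path(web, "clean.asp").write_bytes(b"<html><body><iframe src='/x'></iframe></body></html>")
        Path(web, "notes.txt").write_bytes(tag)      # wrong extension, must be ignored
        return find_dropped_files(windir), scan_web_files(web)
```

An IFRAME that sits inside the body (clean.asp) is legitimate markup and is not reported; only tags trailing the document's close are flagged.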

Method of Infection

This worm will infect a system when it is executed by a user. It is likely to be received in an email attachment or via network shares.

Removal

AVERT recommends always using the latest DATs and engine; this threat is cleaned by that combination.

Additional Windows ME/XP removal considerations

Variants

N/A