W32/MyWife.d@MM!M24

Type
Virus
SubType
E-mail
Discovery Date
01/17/2006
Length
Varies
Minimum DAT
4642 (12/02/2005)
Updated DAT
4682 (01/25/2006)
Minimum Engine
5.1.00
Description Added
01/17/2006
Description Modified
02/02/2006 3:52 PM (PT)
Risk Assessment
Corporate User
Low
Home User
Low

Characteristics

-- Update Feb 2, 2006 --
CME number assigned (CME-24)

This worm is proactively detected by 4642 and higher DATs as W32/Generic.worm!p2p. 4677 and higher DATs detect it specifically as W32/MyWife.d@MM.

This is a mass-mailing worm that bears the following characteristics:

  • contains its own SMTP engine to construct outgoing messages
  • spreads through open network shares
  • tries to lower security settings and disable security software
  • overwrites files on the 3rd of each month

E-mail Component:

The virus arrives in an email message as follows:

From: (Spoofed email sender)

Do not assume that the sender address indicates that the sender is infected. Additionally, you may receive alert messages from a mail server saying that you are infected, which may not be the case.

Subject: (Varies, such as)

  • Photos
  • My photos
  • School girl fantasies gone bad
  • Part 1 of 6 Video clipe
  • *Hot Movie*
  • Re:
  • Fw: Picturs
  • Fw: Funny :)
  • Fwd: Photo
  • Fwd: image.jpg
  • Fw: Sexy
  • Fw:
  • Fwd: Crazy illegal Sex!
  • Fw: Real show
  • Fw: SeX.mpg
  • Fw: DSC-00465.jpg
  • Re: Sex Video
  • Word file
  • the file
  • eBook.pdf
  • Miss Lebanon 2006
  • A Great Video
  • give me a kiss

Body: (Varies, such as)

  • Note: forwarded message attached.
  • You Must View This Videoclip!
  • >> forwarded message
  • i just any one see my photos.
  • forwarded message attached.
  • Please see the file.
  • ----- forwarded message -----
  • The Best Videoclip Ever
  • Hot XXX Yahoo Groups
  • F***in Kama Sutra pics
  • ready to be F***ED ;)
  • VIDEOS! FREE! (US$ 0,00)
  • It's Free :)
  • hello,
  • i send the file.
  • bye
  • hi
  • i send the details
  • i attached the details.
  • how are you?
  • What?
  • Thank you
  • i send the details.
  • OK ?

(N.B. *** replaces content for filtering purposes)

Attachment:

The files attached to the email may either be the executable itself or a MIME encoded file which contains the executable.

The executable filename is chosen from the following list:

  • 04.pif
  • 007.pif
  • School.pif
  • photo.pif
  • DSC-00465.Pif
  • Arab sex DSC-00465.jpg
  • image04.pif
  • 677.pif
  • DSC-00465.pIf
  • New_Document_file.pif
  • eBook.PIF
  • document.pif

The MIME encoded file's name is chosen from the following list:

  • SeX.mim
  • Sex.mim
  • WinZip.BHX
  • 3.92315089702606E02.UUE
  • Attachments[001].B64
  • eBook.Uu
  • Word_Document.hqx
  • Word_Document.uu
  • Attachments00.HQX
  • Attachments001.BHX
  • Video_part.mim

It may also be chosen from the following list of prefixes:

  • 392315089702606E-02
  • Clipe
  • Miss
  • Sweet_09

with the following file extensions:

  • .mim
  • .HQX
  • .BHx
  • .b64
  • .uu
  • .UUE

The filename within the MIME encoded file is chosen from the following list:

  • Attachments[001],B64 .sCr
  • 392315089702606E-02,UUE .scR
  • SeX,zip .scR
  • WinZip.zip .sCR
  • ATT01.zip .sCR
  • Word.zip .sCR
  • Word XP.zip .sCR
  • New Video,zip .sCr
  • Atta[001],zip .SCR
  • Attachments,zip .SCR
  • Clipe,zip .sCr
  • WinZip,zip .scR
  • Adults_9,zip .sCR
  • Photos,zip .sCR
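
As an added example (not McAfee's code), the following Python script parses a constructed message and flags the attachment-naming patterns listed above: bare .pif/.scr executables, the MIME/uuencode container extensions, and the inner names that put a comma or space between a fake archive name and the real .scr extension. The sample message, the subset of lure subjects and the filenames are constructed for the example.

```python
"""Flag e-mail attachments and subjects that match the W32/MyWife.d@MM naming
patterns quoted on this page. Added example; not McAfee's code."""
import email
import re
from email import policy
from email.message import EmailMessage
from typing import List, Optional

# Extensions used for the bare executable and for the MIME/uuencode containers
# (both lists come from this page).
EXECUTABLE_EXTS = {"pif", "scr"}
CONTAINER_EXTS = {"mim", "hqx", "bhx", "b64", "uu", "uue"}

# Inner filenames put a comma or dot, an archive-looking word (zip, b64, uue) and
# then spaces in front of the real .scr extension, e.g. "Photos,zip .sCR".
DISGUISED_RE = re.compile(r"[,.](zip|b64|uue)\s+\.scr$", re.IGNORECASE)

# A subset of the lure subjects listed above, lower-cased for comparison.
KNOWN_SUBJECTS = {"photos", "my photos", "fw: picturs", "fwd: image.jpg",
                  "fw: dsc-00465.jpg", "re: sex video", "word file", "the file",
                  "ebook.pdf", "miss lebanon 2006", "a great video", "give me a kiss"}


def classify_attachment_name(name: Optional[str]) -> Optional[str]:
    """Return a reason string if the filename matches a worm pattern, else None."""
    if not name:
        return None
    lowered = name.strip().lower()
    if DISGUISED_RE.search(lowered):
        return "disguised double extension ending in .scr"
    ext = lowered.rsplit(".", 1)[-1] if "." in lowered else ""
    if ext in EXECUTABLE_EXTS:
        return f"executable attachment (.{ext})"
    if ext in CONTAINER_EXTS:
        return f"MIME/uuencode container (.{ext}) that may wrap an executable"
    return None


def scan_message(raw: bytes) -> List[str]:
    """Parse an RFC 822 message and return one finding per matching header/part."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    subject = (msg["Subject"] or "").strip().lower()
    if subject in KNOWN_SUBJECTS:
        findings.append(f"subject matches a known lure: {subject!r}")
    for part in msg.iter_attachments():
        reason = classify_attachment_name(part.get_filename())
        if reason:
            findings.append(f"{part.get_filename()!r}: {reason}")
    return findings


def build_sample_message() -> bytes:
    """Constructed sample (not a real capture) using names from this page."""
    m = EmailMessage()
    m["From"] = "someone@example.invalid"       # placeholder, stands in for a spoofed sender
    m["To"] = "victim@example.invalid"
    m["Subject"] = "Fw: DSC-00465.jpg"
    m.set_content("Note: forwarded message attached.")
    m.add_attachment(b"MZ not a real binary", maintype="application",
                     subtype="octet-stream", filename="Photos,zip .sCR")
    m.add_attachment(b"begin 644 x\n`\nend\n", maintype="application",
                     subtype="octet-stream", filename="eBook.Uu")
    return bytes(m)
```

Note that a name such as "Arab sex DSC-00465.jpg" from the executable list cannot be caught by name alone; a gateway also needs to inspect file content.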

Installation:

When this file is run, it copies itself to the Windows System directory as one or more of the following filenames:

  • %SysDir%\Winzip.exe
  • %SysDir%\Update.exe
  • %SysDir%\scanregw.exe
  • %WinDir%\Rundll16.exe
  • %WinDir%\winzip_tmp.exe
  • c:\winzip_tmp.exe
  • %Temp%\word.zip                                        .exe

(Where %SysDir% is the Windows System directory, for example C:\WINDOWS\SYSTEM; %WinDir% is the Windows directory; and %Temp% is the Temp directory.)

It creates the following registry entry to hook Windows startup:

  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\ScanRegistry="scanregw.exe /scan"

The worm will go through the following directories:

  • \Documents and Settings\
  • \Documents and Settings\%USERS%\My Documents\
  • \Program Files\
  • \RECYCLER\
  • \System Volume Information\

in order to place three files in each directory with the following names:

  • desktop.ini
  • Temp.Htt
  • WinZip_Tmp.exe (copy of the worm)

It will also change the system settings to "Hide Protected operating system files".

Having DESKTOP.INI and TEMP.HTT in any folder turns it into an HTML browsable folder. DESKTOP.INI points to TEMP.HTT as the template file, which runs every time the folder is viewed. Inside TEMP.HTT there is another call to "WinZip_Temp.exe", which activates the worm if no instance of it is currently running.

Network Share Component:

The worm will attempt to copy itself to the following shares, using the current user's authentication:

  • C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
  • Admin$\winzip_tmp.exe
  • C$\winzip_tmp.exe

The worm creates scheduled tasks on the remote computer to run winzip_tmp.exe during the 59th minute of every hour. Once the 59th minute is reached, the remote computer infects itself as it runs the dropped payload.

Symptoms

Security Settings Modification:

The following registry keys are modified to lower security settings:

  • HKEY_CURRENT_USER\SOFTWARE\Microsoft\Internet Explorer\Main\NotifyDownloadComplete="7562617"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\UNCAsIntranet="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\ProxyBypass="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\IntranetName="1"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\WebView="0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden="0"
  • HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState\FullPath="0"

Registry entries under the following key are modified to disable security software:

  • SOFTWARE\Classes\Licenses

.EXE or .PPL files found within the folders referenced by the following registry entries are deleted:

  • HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion
  • HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps
  • HKEY_LOCAL_MACHINE\Software\KasperskyLab\Components\101
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum
  • HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal
  • HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe

The worm attempts to delete the following files:

  • %ProgramFiles%\DAP\*.dll
  • %ProgramFiles%\BearShare\*.dll
  • %ProgramFiles%\Symantec\LiveUpdate\*.*
  • %ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
  • %ProgramFiles%\Norton AntiVirus\*.exe
  • %ProgramFiles%\Alwil Software\Avast4\*.exe
  • %ProgramFiles%\McAfee.com\VSO\*.exe
  • %ProgramFiles%\McAfee.com\Agent\*.*
  • %ProgramFiles%\McAfee.com\shared\*.*
  • %ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
  • %ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
  • %ProgramFiles%\Trend Micro\Internet Security\*.exe
  • %ProgramFiles%\NavNT\*.exe
  • %ProgramFiles%\Morpheus\*.dll
  • %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
  • %ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
  • %ProgramFiles%\Grisoft\AVG7\*.dll
  • %ProgramFiles%\TREND MICRO\OfficeScan\*.dll
  • %ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
  • %ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar

It also tries to delete files from the following locations on network shares:

  • \C$\Program Files\Norton AntiVirus
  • \C$\Program Files\Common Files\symantec shared
  • \C$\Program Files\Symantec\LiveUpdate
  • \C$\Program Files\McAfee.com\VSO
  • \C$\Program Files\McAfee.com\Agent
  • \C$\Program Files\McAfee.com\shared
  • \C$\Program Files\Trend Micro\PC-cillin 2002
  • \C$\Program Files\Trend Micro\PC-cillin 2003
  • \C$\Program Files\Trend Micro\Internet Security
  • \C$\Program Files\NavNT
  • \C$\Program Files\Panda Software\Panda Antivirus Platinum
  • \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
  • \C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
  • \C$\Program Files\Panda Software\Panda Antivirus 6.0
  • \C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus

It monitors the internet browser for the following strings:

  • YAHOO! MAIL -
  • @YAHOOGROUPS
  • BLOCKSENDER
  • SCRIBE
  • YAHOOGROUPS
  • TREND
  • PANDA
  • SECUR
  • SPAM
  • ANTI
  • CILLIN
  • CA.COM
  • AVG
  • GROUPS.MSN
  • NOMAIL.YAHOO.COM
  • EEYE
  • MICROSOFT
  • HOTMAIL
  • MSN
  • MYWAY
  • GMAIL.COM
  • @HOTMAIL
  • @HOTPOP

The worm will close applications whose title contains one of the following strings:

  • SYMANTEC
  • SCAN
  • KASPERSKY
  • VIRUS
  • MCAFEE
  • TREND MICRO
  • NORTON
  • REMOVAL
  • FIX

The values in the list below are deleted from the registry Run and RunServices keys, to prevent the corresponding programs from being restarted:

  • PCCIOMON.exe
  • pccguide.exe
  • Pop3trap.exe
  • PccPfw
  • tmproxy
  • McAfeeVirusScanService
  • NAV Agent
  • PCCClient.exe
  • SSDPSRV
  • rtvscn95
  • defwatch
  • vptray
  • ScanInicio
  • APVXDWIN
  • KAVPersonal50
  • kaspersky
  • TM Outbreak Agent
  • AVG7_Run
  • AVG_CC
  • Avgserv9.exe
  • AVGW
  • AVG7_CC
  • AVG7_EMC
  • Vet Alert
  • VetTray
  • OfficeScanNT Monitor
  • avast!
  • DownloadAccelerator
  • BearShare

Date Activated Payload

On the 3rd day of any month, approximately 30 minutes after an infected system is started, the worm overwrites files on local drives that have the following extensions with the text "DATA Error [47 0F 94 93 F4 K5]":

  • DOC
  • XLS
  • MDB
  • MDE
  • PPT
  • PPS
  • ZIP
  • RAR
  • PDF
  • PSD
  • DMP

Testing confirms that this payload does not affect mapped network drives.
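
The following Python triage script, added here and not part of McAfee's description, checks an offline copy of a file system for the two host artefacts described on this page: folders seeded with the desktop.ini / Temp.Htt / WinZip_Tmp.exe trio (from the Installation section) and documents overwritten with the payload marker (this section). The desktop.ini key layout and the sample tree are constructed assumptions; the page only states that desktop.ini points to Temp.Htt.

```python
"""Offline triage for two W32/MyWife.d@MM host artefacts: seeded web-view
folders and payload-overwritten documents. Added example, not McAfee's tooling."""
import os
import tempfile
from typing import Dict, List

# Marker text the payload writes over targeted files (quoted on this page).
PAYLOAD_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
# Extensions the payload overwrites (list on this page), lower-cased.
PAYLOAD_EXTS = {"doc", "xls", "mdb", "mde", "ppt", "pps", "zip", "rar",
                "pdf", "psd", "dmp"}
# The three files the worm drops into each seeded directory.
SEEDED_TRIO = {"desktop.ini", "temp.htt", "winzip_tmp.exe"}


def desktop_ini_refers_to_htt(path: str) -> bool:
    """True if desktop.ini names temp.htt anywhere (case-insensitive).
    The exact key layout is not given on the page, so only the reference is checked."""
    try:
        with open(path, "rb") as fh:
            return b"temp.htt" in fh.read().lower()
    except OSError:
        return False


def triage_tree(root: str) -> Dict[str, List[str]]:
    """Walk root; report seeded folders and files whose content starts with the marker."""
    report: Dict[str, List[str]] = {"seeded_folders": [], "overwritten_files": []}
    for dirpath, _dirs, files in os.walk(root):
        lowered = {f.lower(): f for f in files}
        if SEEDED_TRIO <= set(lowered) and desktop_ini_refers_to_htt(
                os.path.join(dirpath, lowered["desktop.ini"])):
            report["seeded_folders"].append(dirpath)
        for f in files:
            ext = f.rsplit(".", 1)[-1].lower() if "." in f else ""
            if ext not in PAYLOAD_EXTS:
                continue
            p = os.path.join(dirpath, f)
            try:
                with open(p, "rb") as fh:
                    head = fh.read(len(PAYLOAD_MARKER))
            except OSError:
                continue
            if head == PAYLOAD_MARKER:
                report["overwritten_files"].append(p)
    return report


def build_sample_tree() -> str:
    """Create a constructed directory tree mimicking both artefacts (no real worm)."""
    root = tempfile.mkdtemp(prefix="mywife_triage_")
    seeded = os.path.join(root, "Documents and Settings")
    os.makedirs(seeded)
    with open(os.path.join(seeded, "desktop.ini"), "w") as fh:
        # Assumed web-view layout; the page only says desktop.ini points to Temp.Htt.
        fh.write("[ExtShellFolderViews]\nPersistMoniker=file://Temp.Htt\n")
    open(os.path.join(seeded, "Temp.Htt"), "w").close()
    open(os.path.join(seeded, "WinZip_Tmp.exe"), "w").close()
    docs = os.path.join(seeded, "user", "My Documents")
    os.makedirs(docs)
    with open(os.path.join(docs, "report.doc"), "wb") as fh:
        fh.write(PAYLOAD_MARKER)          # what the payload leaves behind
    with open(os.path.join(docs, "notes.txt"), "wb") as fh:
        fh.write(PAYLOAD_MARKER)          # .txt is not a targeted extension, so ignored
    with open(os.path.join(docs, "intact.pdf"), "wb") as fh:
        fh.write(b"%PDF-1.4 constructed, untouched content")
    return root
```

Run it against a mounted image or a backup rather than the live infected host, so the scheduled task and web-view folders cannot trigger the worm while you inspect them.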

Infection Counter

Whenever a machine is initially infected, the worm connects to a website to increment a counter:

  • webstats.web.rcn.net/cgi-bin/Count.cgi [censored]

Tray Icon

The worm adds an icon to the system tray, displaying the string "Update Please wait", if one of these folders is found in %ProgramFiles%:

  • Norton Antivirus
  • Kaspersky Lab
  • Panda Software

Method of Infection

This worm tries to spread via email and by copying itself to local shares.

The mailing component harvests addresses from the local system. Files whose names contain the following strings are targeted:

  • .HTM
  • .DBX
  • .EML
  • .MSG
  • .OFT
  • .NWS
  • .VCF
  • .MBX
  • .IMH
  • .TXT
  • .MSF
  • CONTENT.
  • TEMPORARY

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).

Additional Windows ME/XP removal considerations

Variants

  • W32/MyWife.e@MM

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.

Aliases

  • CME-24
  • Kama Sutra
  • Nyxem.E (F-Secure)
  • W32.Blackmal.E@mm (NAV)
  • W32/Grew.A!wm (Fortinet)
  • W32/Kapser.A@mm (F-Prot)
  • W32/MyWife.d@MM
  • W32/MyWife.d@MM!M24
  • W32/Nyxem-D (Sophos)
  • W32/Tearec.A.worm (Panda)
  • Win32/Blackmal.F (Vet)
  • WORM_GREW.A (Trend)
