W32.Mugly.D@mm
Friday, 14 January 2005
W32.Mugly.D@mm is a worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the compromised computer. The worm also drops and runs a W32.Randex variant.
When W32.Mugly.D@mm is executed, it performs the following actions:


Copies itself as %System%\xxz.tmp.

Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).


Creates the following files:
%System%\attached.zip
%System%\ANSMTP.DLL (an SMTP engine)
%System%\szip.dll
%System%\newyear.jpg
%System%\vb6.exe (a W32.Randex variant)


Adds the value:

"vb6" = "vb6.exe"

to the following registry keys:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE

so that the worm runs when Windows starts.


Opens a browser window and displays the file %System%\newyear.jpg. The file is an image of nude models spelling out the words "Happy New Year."


Registers its own SMTP engine by creating the following registry entries:

HKEY_CLASSES_ROOT\ANSMTP.MassSender
HKEY_CLASSES_ROOT\ANSMTP.MassSender.1
HKEY_CLASSES_ROOT\ANSMTP.OBJ
HKEY_CLASSES_ROOT\ANSMTP.OBJ.1
HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}
HKEY_CLASSES_ROOT\CLSID\{887A577B-406B-48FF-80CB-70752BFCD7B4}
HKEY_CLASSES_ROOT\TypeLib\{DE6317F7-6EF0-45C2-88D1-8E09415817F1}
HKEY_CLASSES_ROOT\Interface\{68B8DCDB-EFA4-420A-BB8A-71B9892A2063}
HKEY_CLASSES_ROOT\Interface\{1E98666F-6260-42C9-B846-32B20FDEFE7B}
HKEY_CLASSES_ROOT\Interface\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8}
HKEY_CLASSES_ROOT\Interface\{B13281CF-8778-4C98-AE23-ABBA4637A33D}
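As an added example that is not part of the original writeup: a small Python check that parses a Windows registry export and flags the "vb6" autorun value under the three keys listed above, plus any of the ANSMTP ProgID/CLSID registrations. The .reg text is constructed here to show one hit of each kind and one clean key.

```python
import re

# Indicators taken from the W32.Mugly.D@mm writeup (compared case-insensitively).
RUN_KEYS = {
    r"hkey_local_machine\software\microsoft\windows\currentversion\run",
    r"hkey_local_machine\software\microsoft\windows\currentversion\runservices",
    r"hkey_current_user\software\microsoft\ole",
}
ANSMTP_PREFIXES = (
    r"hkey_classes_root\ansmtp.masssender",
    r"hkey_classes_root\ansmtp.obj",
    r"hkey_classes_root\clsid\{253664fb-edfc-4ac6-bd69-b322f466aeed}",
    r"hkey_classes_root\clsid\{887a577b-406b-48ff-80cb-70752bfcd7b4}",
)

def parse_reg_export(text):
    """Parse a REGEDIT4 / 'Windows Registry Editor' text export into {key: {name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"^\[(.+)\]$", line)
        if m:                                   # [HKEY_...\Path] opens a new key
            current = m.group(1)
            keys.setdefault(current, {})
        elif current and line.startswith('"'):  # "Name"="data" (default '@=' lines are skipped)
            name, _, data = line.partition("=")
            keys[current][name.strip('"')] = data.strip().strip('"')
    return keys

def find_mugly_indicators(reg_text):
    """Return a list of human-readable findings for the indicators above."""
    hits = []
    for key, values in parse_reg_export(reg_text).items():
        k = key.lower()
        if k in RUN_KEYS and values.get("vb6", "").lower().endswith("vb6.exe"):
            hits.append(f"autorun value 'vb6' in {key}")
        if any(k.startswith(p) for p in ANSMTP_PREFIXES):
            hits.append(f"ANSMTP registration {key}")
    return hits

# Constructed sample export: one autorun hit, one ANSMTP hit, one unrelated OLE value.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"vb6"="vb6.exe"
"SomeUpdater"="C:\\Program Files\\Example\\update.exe"

[HKEY_CLASSES_ROOT\ANSMTP.MassSender.1]
@="ANSMTP.MassSender"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"EnableDCOM"="Y"
"""

if __name__ == "__main__":
    for finding in find_mugly_indicators(SAMPLE_REG):
        print("FOUND:", finding)
```

On a live host the same function can be run over the output of `reg export` for each hive; the file indicators (%System%\ANSMTP.DLL, szip.dll, vb6.exe, newyear.jpg) are a separate filesystem check.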


Gathers email addresses from files with the following extensions:

.wab
.adb
.tbb
.dbx
.asp
.php
.htm
.html
.sht
.txt
.doc

The worm avoids email addresses that contain the following strings:

adaware
nod32
trendmicro
avguk
grisoft
pandasoftware
sophos
.gov
symantec
lavasoft
mcafee
kaspersky


Uses its own SMTP engine (%System%\ANSMTP.DLL) to send itself to email addresses gathered from the infected computer. The email has the following characteristics:

From: (one of a fixed list of sender addresses)


Message body: (one of the following)
HAPPY NEW YEAR!!!

All the best in new year from our family
here is a litle attachment to make you smile in new year
email me back haha...


MARY CHRISTMAS from our family

All the best in new year and christams from our family
i was lauging like mad when i saw it! :D


Attachment: attached.zip

The attachment is a zipped copy of the worm. It contains one of the following files:

Sexy_new_year.scr
HOT_NEW_YEAR.scr
Marry_christmas.scr
with_love.scr
From_my_hart.scr
new_year.scr
Hot_new_year.scr


May attempt to terminate various processes related to antivirus and security applications.