Friday, 14 January 2005
W32.Mugly.F@mm is a worm that uses its own SMTP engine to spread by sending itself as an email attachment to addresses gathered from the compromised computer. The worm also drops and runs a W32.Spybot.Worm variant.
Type: Worm
Infection Length: 345,600 bytes
Systems Affected: Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, Windows XP
When W32.Mugly.F@mm is executed, it performs the following actions:
Copies itself as %System%\xxz.tmp.
Note: %System% is a variable that refers to the System folder. By default, this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).
Drops and runs a W32.Spybot.Worm variant using one of the following file names:
VB6.EXE
adaware.exe
adware.exe
bt32.exe
lexplore.exe
winprotectt.exe
Creates the following files, which are not viral:
%System%\ANSMTP.DLL (SMTP engine)
%System%\uglym.jpg
%System%\szip.dll
Opens a browser window to display the file %System%\uglym.jpg.
Gathers email addresses from files with the following extensions:
.adb
.asp
.dbx
.doc
.htm
.html
.php
.sht
.tbb
.txt
.wab
The worm avoids email addresses that contain the following strings:
.gov
adaware
avguk
grisoft
kaspersky
lavasoft
mcafee
nod32
pandasoftware
sophos
symantec
trendmicro
Registers its own SMTP engine by creating the following registry entries:
HKEY_CLASSES_ROOT\ANSMTP.MassSender
HKEY_CLASSES_ROOT\ANSMTP.OBJ
HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}
HKEY_CLASSES_ROOT\CLSID\{887A577B-406B-48FF-80CB-70752BFCD7B4}
HKEY_CLASSES_ROOT\Interface\{1E98666F-6260-42C9-B846-32B20FDEFE7B}
HKEY_CLASSES_ROOT\Interface\{68B8DCDB-EFA4-420A-BB8A-71B9892A2063}
HKEY_CLASSES_ROOT\Interface\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8}
HKEY_CLASSES_ROOT\Interface\{B13281CF-8778-4C98-AE23-ABBA4637A33D}
Adds the value:
"upme" = "lexplore.exe"
to the registry keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\OLE
so that the W32.Spybot.Worm variant is executed every time Windows starts, if its filename is lexplore.exe.
Uses its own SMTP engine (%System%\ANSMTP.DLL) to send itself to email addresses gathered from the infected computer. The email has the following characteristics:
From:
The worm attempts to query the registry key HKEY_CURRENT_USER\Software\Microsoft\Internet Account Manager\Accounts\0000001\SMTP Email Address to obtain a From address.
The worm will use one of the following addresses as the From address if it is unsuccessful in the above query:
adead_poet@hotmail.com
alex_edwards2000@msn.com
apiffany@cnet.com
blowjob_lips666@romance.com
britany_slut56@sex.com
cutie_pie@ogrish.com
easy_lay666@lovenet.com
good_fuck12@yahoo.com
hunk_hogan78@hallmark.com
mucle_bound_hunk892@download.com
romeorichard@google.com
sexy_guy88@aol.com
sexy_lil_thing@no-ip.com
tit_fuck_909@gmail.com
tit_fuck_909@paltalk.com
Subject: (One of the following)
Hhahahah lol!!!!
Your Pic On A Website!!
You have an Admirer
Rate My Pic.......
Message: (One of the following)
i found this on my computer from ages ago
download it and see if you can remember it
lol i was lauging like mad when i saw it! :D
email me back haha...
I was looking at a website and came across
this pic they look just like you! infact im sure
it is lol , did you send this pic into them ? or
is it someonce else :S ? Ive Added the pic in
a zip so download it and check & email me back!
Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when
it was taken :P
Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.
Attachment: attached.zip
The attachment is a zipped copy of the worm. It contains one of the following files:
Photo_01.jpg.scr
Pic_001.jpg.scr
Scan_04.jpg.scr
Sexy_09.jpg.scr
admire_001.jpg.scr
for_you.jpg.scr
is_this_you.jpg.scr
love_04.jpg.scr
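The email characteristics above (fixed subject lines, an attachment named attached.zip, and a .jpg.scr file inside it) are enough to flag this worm's mail at a gateway. The following is an added example of such a check, not code from the write-up or from Symantec: it parses one message, lists the members of any zip attachment, and reports which indicators from this description are present. The executable-suffix list and the generic double-extension heuristic are my own assumptions; the sample message is constructed with placeholder bytes, not the worm.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the write-up above
MUGLY_SUBJECTS = {"Hhahahah lol!!!!", "Your Pic On A Website!!",
                  "You have an Admirer", "Rate My Pic......."}
MUGLY_PAYLOADS = {"Photo_01.jpg.scr", "Pic_001.jpg.scr", "Scan_04.jpg.scr",
                  "Sexy_09.jpg.scr", "admire_001.jpg.scr", "for_you.jpg.scr",
                  "is_this_you.jpg.scr", "love_04.jpg.scr"}
# Assumed list of Windows executable suffixes for the generic double-extension check
EXEC_SUFFIXES = (".scr", ".exe", ".pif", ".com", ".bat")

def zip_member_names(data: bytes) -> list[str]:
    """Member names of a zip attachment; empty list if the data is not a valid zip."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return zf.namelist()
    except zipfile.BadZipFile:
        return []

def classify_message(raw: bytes) -> list[str]:
    """Return the Mugly.F indicators found in one RFC 822 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg.get("Subject") or "").strip() in MUGLY_SUBJECTS:
        hits.append("subject matches a known worm subject line")
    for part in msg.iter_attachments():
        if (part.get_filename() or "") == "attached.zip":
            hits.append("attachment named attached.zip")
        for member in zip_member_names(part.get_payload(decode=True) or b""):
            if member in MUGLY_PAYLOADS:
                hits.append(f"known worm file in zip: {member}")
            elif member.lower().endswith(EXEC_SUFFIXES) and member.count(".") > 1:
                hits.append(f"double-extension executable in zip: {member}")
    return hits

def build_sample() -> bytes:
    """Construct a message shaped like the worm's email (placeholder bytes, not the worm)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("is_this_you.jpg.scr", b"constructed placeholder, not malware")
    msg = EmailMessage()
    msg["From"] = "romeorichard@google.com"
    msg["Subject"] = "Your Pic On A Website!!"
    msg.set_content("I was looking at a website and came across this pic...")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="attached.zip")
    return msg.as_bytes()
```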