This intended virus is 76,060 bytes and contains bugs which prevent it from spreading further. The virus contains code to send itself by email, and to copy itself to drives across a network connection - neither of these processes functions as designed. The virus makes registry adjustments which do not matter, since the files they reference are not created. The virus makes assumptions about its environment, such as a dependency on two .DLL files - OSSMTP.DLL and OSWINSCK.DLL.

Code Content
The virus contains code which suggests it will send itself by email, and copy itself across a network connection. The code makes reference to MPR.DLL with the intent of enumerating networked computers in an attempt to connect with and copy itself to those systems.

The code contains references to deleting files from three hard-coded folders -

c:\Program Files\Trend Micro\PC-cillin 2002\*.exe
c:\Program Files\Trend Micro\PC-cillin 2003\*.exe
c:\Program Files\Trend Micro\Internet Security\*.exe
c:\Program Files\Norton Antivirus\*.exe
c:\Program Files\McAfee\McAfee\VirusScan\Vso\*.*

The code contains additional instructions to seek email addresses from various folders and files, and then construct emails in varying formats to those contacts. The emails were configured to have a body text of the following -

Dear User ,
This is A very High Resk Virus Alert.
This email is sent to you because one or some of your friends has been infected
with The W32.BlackWorm.A@mm Virus.
And you could be infected too.This Virus has the ability to damage
the hard disk.This Virus infects computers using many new ways :
1- it arrives as an email attachment inside of jpg pictures.
2- it infects the ip address without the victim's knowledge.
3- it infects Microsoft Word Documents using a new exploit in hex (00fxf0xf10x).


  • Symantec Consumer products that support Worm Blocking
    functionality automatically detect this threat as it attempts to
  • Symantec Security Response has attached a removal tool to clean
    and prevent the infections of W32.BlackWorm.A@mm.

Norton AntiVirus

None of the above actions were observed in testing.
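The body text quoted above gives a mail filter fixed phrases to match on. The following is an added example, not code from this write-up or from any vendor product: the function names, the two-phrase threshold and both sample messages are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Phrases copied from the body text quoted on this page, lower-cased.
MARKERS = (
    "very high resk virus alert",
    "w32.blackworm.a@mm",
    "inside of jpg pictures",
    "new exploit in hex (00fxf0xf10x)",
)
THRESHOLD = 2  # assumption: one phrase alone may be a legitimate advisory

def body_text(raw: bytes) -> str:
    """Return every text/* part of a message as one normalised string."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    parts = [p.get_content() for p in msg.walk()
             if p.get_content_maintype() == "text"]
    # Collapse line wrapping so a phrase split across lines still matches.
    return re.sub(r"\s+", " ", " ".join(parts)).lower()

def matched_markers(raw: bytes) -> list:
    """List the marker phrases present in the message, in MARKERS order."""
    text = body_text(raw)
    return [m for m in MARKERS if m in text]

def is_suspect(raw: bytes) -> bool:
    return len(matched_markers(raw)) >= THRESHOLD

# Constructed sample: part of the quoted body, with one phrase wrapped.
SAMPLE_HOAX = (
    b"From: sender@example.com\r\nSubject: alert\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    b"Dear User ,\r\nThis is A very High Resk Virus Alert.\r\n"
    b"with The W32.BlackWorm.A@mm Virus.\r\n"
    b"3- it infects Microsoft Word Documents using a new exploit in hex\r\n"
    b"(00fxf0xf10x).\r\n"
)
# Constructed sample: a benign digest that names the threat once.
SAMPLE_BENIGN = (
    b"From: news@example.com\r\nSubject: digest\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    b"This week's list includes W32.BlackWorm.A@mm among others.\r\n"
)

if __name__ == "__main__":
    for name, raw in (("hoax", SAMPLE_HOAX), ("benign", SAMPLE_BENIGN)):
        print(name, is_suspect(raw), matched_markers(raw))
```
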

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option