W32/MyWife.D@mm

Analysis

This virus mails itself to other users through an SMTP component. The component is an SMTP library published by a company named Ostrosoft and is not malicious by itself.
If the virus runs, it may terminate processes and applications and copy itself to numerous files on the local system. It harvests email addresses by scanning files for strings that look like valid email addresses. Each address gathered becomes a target, and a message with varying content is generated per address. Some of the subject lines and message bodies used by the virus are listed below -
Subjects:
Please Read
Hello
Important
Message bodies:
Please reactive now.
Thanks
Please reactive now
Thank you
reactive now
For all Members repit the reactive one time.
Loading at Windows Startup
This virus will write itself to different paths and register itself to load at each Windows startup -
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\
"TWUNK_32.EXE" = C:\WINNT\VOLUME\TWUNK_32.EXE
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup\
"Security" = C:\WINNT\SYSTEM32\winhelpm.exe
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\
"(Default)" = C:\WINNT\VOLUME\TWUNK_32.EXE
The virus also writes registry entries that serve as a marker that the system has been infected -
HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\caution\
"NoBetaMessage" = 1
HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinIni\
"Name" = BlackWorm
"SN" = 2AD00ED6
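The registry keys above are the most reliable host-based indicators in this analysis. The following script, an added example rather than Fortinet's own code, parses a Windows registry export (the text produced by `reg export`) and reports every value that matches one of the persistence or marker entries listed on this page. The indicator table is copied from the analysis; the sample export at the bottom is constructed for the demonstration and the benign "SomeUpdater" entry in it is invented.

```python
"""Scan a Windows registry export (.reg text) for the W32/MyWife.D@mm
persistence and infection-marker entries listed in the analysis.

Added example, not Fortinet's code. The sample export below is constructed.
"""
import re
from typing import Dict, List, Optional

# Indicators copied from the analysis: (key, value name, data, kind).
# "(Default)" is the key's unnamed value, which a .reg file writes as '@='.
MYWIFE_REGISTRY_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
     "TWUNK_32.EXE", r"C:\WINNT\VOLUME\TWUNK_32.EXE", "persistence"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Active Setup",
     "Security", r"C:\WINNT\SYSTEM32\winhelpm.exe", "persistence"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "(Default)", r"C:\WINNT\VOLUME\TWUNK_32.EXE", "persistence"),
    (r"HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\caution",
     "NoBetaMessage", "1", "marker"),
    (r"HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinIni",
     "Name", "BlackWorm", "marker"),
    (r"HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinIni",
     "SN", "2AD00ED6", "marker"),
]

# A value line is either  @=<data>  (default value) or  "<name>"=<data>.
_VALUE_LINE = re.compile(r'^(?:@|"(?P<name>(?:[^"\\]|\\.)*)")=(?P<data>.*)$')


def _unescape(s: str) -> str:
    """Remove the backslash escapes (\\\\ and \\") used inside .reg strings."""
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(raw: str) -> str:
    """Turn a .reg data token into a comparable string.

    Quoted strings are unescaped; dword:XXXXXXXX becomes its decimal value;
    other encodings (hex:, hex(2):, ...) are returned unchanged.
    """
    raw = raw.strip()
    if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw.lower().startswith("dword:"):
        return str(int(raw[len("dword:"):], 16))
    return raw


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Parse a .reg export into a flat list of {key, name, data} records."""
    records: List[Dict[str, str]] = []
    current_key: Optional[str] = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current_key = line[1:-1]
            if current_key.startswith("-"):   # "[-KEY]" is a deletion, not data
                current_key = None
            continue
        m = _VALUE_LINE.match(line)
        if m is None or current_key is None:
            continue                          # e.g. hex continuation lines
        name = m.group("name")
        records.append({
            "key": current_key,
            "name": "(Default)" if name is None else _unescape(name),
            "data": _decode_data(m.group("data")),
        })
    return records


def find_mywife_indicators(text: str) -> List[Dict[str, str]]:
    """Return every parsed value that matches a MyWife.D indicator.

    Registry key and value names are case-insensitive, so everything is
    compared lower-cased; data is compared the same way because the paths
    on the page are shown in mixed case.
    """
    hits: List[Dict[str, str]] = []
    for rec in parse_reg_export(text):
        for key, name, data, kind in MYWIFE_REGISTRY_INDICATORS:
            if (rec["key"].lower() == key.lower()
                    and rec["name"].lower() == name.lower()
                    and rec["data"].lower() == data.lower()):
                hits.append({**rec, "kind": kind})
    return hits


# Constructed sample export: the infected HKCU Run key beside a benign entry,
# the WinZip marker keys, and the HKLM Run default value. The Active Setup
# entry is deliberately absent so the scan reports 5 of the 6 indicators.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"TWUNK_32.EXE"="C:\\WINNT\\VOLUME\\TWUNK_32.EXE"
"SomeUpdater"="C:\\Program Files\\SomeVendor\\updater.exe"

[HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\caution]
"NoBetaMessage"=dword:00000001

[HKEY_CURRENT_USER\Software\Nico Mak Computing\WinZip\WinIni]
"Name"="BlackWorm"
"SN"="2AD00ED6"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINNT\\VOLUME\\TWUNK_32.EXE"
"""

if __name__ == "__main__":
    for hit in find_mywife_indicators(SAMPLE_REG):
        print(f'[{hit["kind"]}] {hit["key"]} :: "{hit["name"]}" = {hit["data"]}')
```

To run this against a real machine, export the relevant hives with `reg export` (for example the HKCU and HKLM `Run` keys and `HKCU\Software\Nico Mak Computing\WinZip`) and feed the file's text to `find_mywife_indicators`. Treat the two kinds of hit differently: the `Run` and `Active Setup` entries pointing at `TWUNK_32.EXE` or `winhelpm.exe` are persistence and warrant removal of the referenced files, whereas the "NoBetaMessage" value on its own is weak evidence, since WinZip stores its own settings under `Nico Mak Computing\WinZip`; the `"Name" = BlackWorm` / `"SN" = 2AD00ED6` pair is the distinctive marker.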
Process Termination
This virus may terminate services and processes whose names contain any of the strings in this list -
au.exe
ccApp
defwatch
Explorer
gigabit.exe
KasperskyAv
McAfeeVirusScanService
MCAgentExe
McRegWiz
MCUpdateExe
McVsRte
msgsvr32
NAV Agent
Norton Antivirus AV
NPROTECT
PCCClient.exe
pccguide.exe
PCCIOMON.exe
PCClient.exe
PccPfw
rtvscn95
ScriptBlocking
Sentry
ssate.exe
SSDPSRV
sysinfo.exe
system.
Taskmon
tmproxy
VirusScan Online
VSOCheckTask
Windows Services Host
Winsock2 driver
winupd.exe
File Deletion Payload
Code within the virus suggests it could delete files in these folders -
C:\Program Files\NavNT\*.exe
C:\Program Files\Symantec\LiveUpdate\*.*
C:\Program Files\Norton AntiVirus\*.exe
C:\Program Files\McAfee\McAfee VirusScan\Vso\*.*
C:\Program Files\Trend Micro\PC-cillin 2002\*.exe
C:\Program Files\Trend Micro\PC-cillin 2003\*.exe
C:\Program Files\Trend Micro\Internet Security\*.exe
Miscellaneous
This virus contains an embedded and unsympathetic poem directed towards Bill Gates, founder of Microsoft - the text is written as the file
C:\WINNT\system32\About_BlackWorm.C.txt -
my MS gay
i got a bill to pay
n i wonder wut to say
but ll i know is wut i know
billy bo! aint got no mo
shyt to do
from this day
GoOd ByE MicroGates
Made byMyLife

Recommended Action

  • Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option

Telemetry

Detection Availability

FortiClient: Extreme
FortiMail: Extreme
FortiSandbox: Extreme
FortiWeb: Extreme
Web Application Firewall: Extreme
FortiIsolator: Extreme
FortiDeceptor: Extreme
FortiEDR