W32/Mywife.A@mm
Analysis
Specifics
This intended virus is 76,060 bytes long and contains bugs
that prevent it from spreading. The virus contains
code to send itself by email and to copy itself to
drives across a network connection; neither of these
routines functions as designed. The virus makes registry
changes that have no effect, since the files they
reference are never created. The virus also makes assumptions
about its environment, in particular a dependency on two
.DLL files, OSSMTP.DLL and OSWINSCK.DLL, that must already be present on the host.
Code Content
The virus contains code which suggests it will send
itself by email, and copy itself across a network connection.
The code makes reference to MPR.DLL with the intent
of enumerating networked computers in an attempt to
connect with and copy itself to those systems.
The code contains references to deleting files from five hard-coded folders belonging to installed antivirus products -
c:\Program Files\Trend Micro\PC-cillin 2002\*.exe
c:\Program Files\Trend Micro\PC-cillin 2003\*.exe
c:\Program Files\Trend Micro\Internet Security\*.exe
c:\Program Files\Norton Antivirus\*.exe
c:\Program Files\McAfee\McAfee\VirusScan\Vso\*.*
The code contains additional instructions to harvest email addresses from various folders and files, and then to construct emails in varying formats to those contacts. The emails were configured to carry the following body text, a hoax virus alert posing as a Symantec notice (reproduced verbatim, including its spelling errors) -
Dear User ,
This is A very High Resk Virus Alert.
This email is sent to you because one or some of your
friends has been infected
with The W32.BlackWorm.A@mm Virus.
And you could be infected too.This Virus has the ability
to damage
the hard disk.This Virus infects computers using many
new ways :
1- it arrives as an email attachment inside of jpg pictures.
2- it infects the ip address without the victim's knowledge.
3- it infects Microsoft Word Documents using a new exploit
in hex (00fxf0xf10x).
Notes:
- Symantec Consumer products that support Worm
Blocking
functionality automatically detect this threat as it attempts to
spread.
- Symantec Security Response has attached a removal
tool to clean
and prevent the infections of W32.BlackWorm.A@mm.
Sincerely
Norton AntiVirus
None of the above actions were observed in testing.
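The string-level indicators described above (the two DLL dependencies, the MPR.DLL reference, the five hard-coded antivirus folders and the hoax "BlackWorm" e-mail text) are enough for a quick static triage of a suspect file. The following Python script is an added example written for this page; it is not Fortinet's code and contains no bytes from the sample itself. It extracts printable ASCII and UTF-16LE strings from a file image, reports which of the page's indicators appear, and adds an exact-size check against the 76,060 byte figure from the Specifics section. The indicator labels, the verdict rule and the sample byte buffer at the end are assumptions constructed for the demonstration.

```python
"""Static string triage for the W32/Mywife.A@mm indicators (added example)."""
import re
import sys

# File size reported in the Specifics section, in bytes.
REPORTED_SIZE = 76060

# Indicators taken from the analysis above. The labels are chosen for this
# example; the indicator text itself comes from the page.
INDICATORS = {
    "smtp_dll": "OSSMTP.DLL",
    "winsock_dll": "OSWINSCK.DLL",
    "mpr_dll": "MPR.DLL",
    "pccillin_2002": r"c:\Program Files\Trend Micro\PC-cillin 2002\*.exe",
    "pccillin_2003": r"c:\Program Files\Trend Micro\PC-cillin 2003\*.exe",
    "trend_is": r"c:\Program Files\Trend Micro\Internet Security\*.exe",
    "norton_av": r"c:\Program Files\Norton Antivirus\*.exe",
    "mcafee_vso": r"c:\Program Files\McAfee\McAfee\VirusScan\Vso\*.*",
    "hoax_alert": "This is A very High Resk Virus Alert",
    "hoax_name": "W32.BlackWorm.A@mm",
}

AV_FOLDER_KEYS = ("pccillin_2002", "pccillin_2003", "trend_is", "norton_av", "mcafee_vso")

# Runs of 4+ printable characters, narrow (ASCII) and wide (UTF-16LE).
_ASCII = re.compile(rb"[\x20-\x7e]{4,}")
_WIDE = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


def extract_strings(data: bytes) -> list:
    """Return the printable ASCII and UTF-16LE strings found in data."""
    narrow = [m.group().decode("ascii") for m in _ASCII.finditer(data)]
    wide = [m.group().decode("utf-16-le") for m in _WIDE.finditer(data)]
    return narrow + wide


def match_indicators(data: bytes) -> dict:
    """Map indicator label -> indicator text for every indicator present.

    Matching is case-insensitive and substring-based: Windows module names
    and paths are case-insensitive, and the strings may be embedded in
    longer format strings inside the binary.
    """
    haystack = [s.lower() for s in extract_strings(data)]
    hits = {}
    for label, ioc in INDICATORS.items():
        needle = ioc.lower()
        if any(needle in s for s in haystack):
            hits[label] = ioc
    return hits


def triage(data: bytes) -> dict:
    """Score a file image against the page's indicators.

    Verdict rule (an assumption for this example): both DLL dependencies
    plus at least one AV-folder glob or a fragment of the hoax e-mail.
    """
    hits = match_indicators(data)
    has_dlls = {"smtp_dll", "winsock_dll"}.issubset(hits)
    has_payload = any(k in hits for k in AV_FOLDER_KEYS + ("hoax_alert", "hoax_name"))
    return {
        "hits": hits,
        "size_matches": len(data) == REPORTED_SIZE,
        "likely_mywife": has_dlls and has_payload,
    }


# Constructed sample: a fake DOS header, a few narrow strings and one wide
# string. These are NOT bytes taken from the real sample.
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 28
    + b"OSSMTP.DLL\x00OSWINSCK.DLL\x00MPR.DLL\x00"
    + b"c:\\Program Files\\Norton Antivirus\\*.exe\x00"
    + "W32.BlackWorm.A@mm".encode("utf-16-le") + b"\x00\x00"
)

if __name__ == "__main__":
    # Usage: python triage.py <file>; with no argument the constructed sample is used.
    blob = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE
    result = triage(blob)
    for label, ioc in sorted(result["hits"].items()):
        print(f"{label:14} {ioc}")
    print("size matches reported 76,060 bytes:", result["size_matches"])
    print("likely W32/Mywife.A@mm:", result["likely_mywife"])
```

The verdict deliberately requires the two private DLL names together with a second indicator: the AV folder paths and the hoax text alone could appear in an unrelated sample or in a security tool that carries the same strings, and a size match is reported separately rather than weighted, since any repack or append changes it.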
Recommended Action
- Check the main screen using the web interface for your FortiGate unit to ensure that the latest AV/NIDS database has been downloaded and installed on your system - if required, enable the "Allow Push Update" option
Detection Availability
Product | Signature database
---|---
FortiClient | Extreme
FortiMail | Extreme
FortiSandbox | Extreme
FortiWeb | Extreme
Web Application Firewall | Extreme
FortiIsolator | Extreme
FortiDeceptor | Extreme
FortiEDR |