Virus: Worm/Womble.A
Date discovered: 29/08/2006
Type: Worm
In the wild: Yes
Reported Infections: Medium
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: No
File size: 79.360 Bytes
VDF version: 6.35.01.156
IVDF version: 6.35.01.159 - Wednesday, August 30, 2006
Heuristic: HEUR/Crypted.Patched
General

Methods of propagation:
• Email
• Local network

Aliases:
• Symantec: W32.Womble.A@mm
• Kaspersky: Email-Worm.Win32.Womble.a
• TrendMicro: WORM_WOMBLE.A
• Sophos: W32/Womble-B
• VirusBuster: iworm I-Worm.Womble.A
• Bitdefender: Win32.Womble.A@mm

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Drops malicious files
• Uses its own Email engine
• Registry modification
• Makes use of software vulnerability
• Third party control

%text1% is one of the following:
• about_windows
• antispam
• congratulations
• firefox_update
• free_anti_spyware
• free_antivirus
• google_info
• google_tool
• google_update
• ie_update
• java_update
• inet
• mail_control
• mails_list
• ms_office_update
• net_update
• new_picture
• new_win_patch
• picture
• remove_spyware
• some_info
• www
• yahoo_info
• yahoo_tool
• your_friends

%text2% is one of the following:
• dvd
• dvd_info
• free
• h_core
• l_this
• lunch
• mp3
• new_mp3
• new_video
• photo
• sh_docs
• take_it
• video
• xxx

Files

It copies itself to the following locations:
• %SYSDIR%\%executed file%
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\%text2%\%text1%.exe
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\%text2%\%text1%.pif
• \\%computers in current domain%\%network shares%\%text1%.exe
• \\%computers in current domain%\%network shares%\%text1%.pif

The following files are created:
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\%text2%\%text1%.wmf
  Further investigation pointed out that this file is malware, too. Detected as: EXP/MS06-001.WMF
– %HOME%\Local Settings\Application Data\Microsoft\WinTools\%text2%\%text1%.jpg
  Further investigation pointed out that this file is malware, too. Detected as: EXP/MS06-001.WMF
– \\%computers in current domain%\%network shares%\%text1%.wmf
  Further investigation pointed out that this file is malware, too.
  Detected as: EXP/MS06-001.WMF
– \\%computers in current domain%\%network shares%\%text1%.jpg
  Further investigation pointed out that this file is malware, too. Detected as: EXP/MS06-001.WMF

Registry

The following registry keys are added in order to run the processes after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
  • "Shell"="Explorer.exe %empty spaces% %SYSDIR%\%executed file% "
  • "Userinit"="%SYSDIR%\userinit.exe %empty spaces% ,%SYSDIR%\%executed file% "
– [HKCU\Software\Microsoft\Windows\CurrentVersion\Run]
  • "ms_net_update"="%SYSDIR%\%executed file% "
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
  • "ms_net_update"="%SYSDIR%\%executed file% "

The following registry keys are added:
– [HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\Shares]
  • "%text2%"="CSCFlags=0 MaxUses=1000 Path=%HOME%\Local Settings\Application Data\Microsoft\WinTools\%text2% Permissions=127 Type=0"
– [HKLM\SOFTWARE\WinUpdate]
  • "Version"=dword:00000003

Email

It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

From: The sender address is the user's Outlook account.

To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)

Subject: One of the following:
• !!; Action; Bush; FIFA; Helo; Hi; important; Incredible!!; info; Kiss; Laura; Laura and John; Lola; Look at this!!!; Miss Khan; Nataly; Ola; Olympus; Paula; pic; pics; private; private pics; Re:; Re: hi; Re: info; RE: pic; read this; Robert; Sex

Body: The body of the email is one of the following:
• ---------------------------------------------------
  There is some info in the attached file !!!
--------------------------------------------------- • ----------------------------- Zip P A S S : %nine-digit random character string% ----------------------------- Attachment: The filenames of the attachments is constructed out of the following: – It starts with one of the following: • %text% Continued by one of the following: • exe • pif Continued by one of the following: • zip – It starts with one of the following: • %text1% Continued by one of the following: • exe • jpg • pif • wmf Continued by one of the following: • passw • psw Continued by one of the following fake extensions: • zip The attachment is an archive containing a copy of the malware itself. The attachment is a copy of the created file: %text1%.jpg; %text1%.wmf The email may look like one of the following: Backdoor Contact server: All of the following: • http://support.365soft.info/********** • http://support.365soft.info/********** • http://support.software602.com/********** • http://support.software602.com/********** • http://anyproxy.net/********** • http://anyproxy.net/********** • http://support.enviroweb.org/********** • http://support.enviroweb.org/********** • http://support.nikontech.com/********** • http://support.nikontech.com/********** • http://email-support.seekful.com/********** • http://email-support.seekful.com/********** • http://mymail.100hotmail.com/********** • http://mymail.100hotmail.com/********** As a result it may send information and remote control could be provided. This is done via the HTTP GET request on a PHP script. 
Sends information about:
• Current malware status

Remote control capabilities:
• Download file

Miscellaneous

Internet connection: In order to check for its internet connection the following DNS servers are contacted:
• *.GTLD-SERVERS.net
• *.root-servers.net
• *.DE.NET
• *.NIC.DE

Checks for an internet connection by contacting the following web site:
• http://www.sun.com/index.html

Mutex: It creates the following Mutex:
• wmf.mtx.3

File details

Programming language: The malware program was written in MS Visual C++.

Runtime packer: In order to hinder detection and reduce the size of the file it is packed with the following runtime packer:
• UPX
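As an added defender-side example (not part of the Avira description), the following Python check runs over an exported registry snapshot and flags the Winlogon, Run and Shares values listed in the Registry section above: the executable appended to "Shell"/"Userinit" behind a long run of padding spaces, the "ms_net_update" Run value, and a share whose Path points under Microsoft\WinTools. The concrete %SYSDIR% and file names in the sample snapshot are constructed assumptions.

```python
import re

# Constructed registry snapshot (REG_SZ values as strings) modelled on the
# Registry section; %SYSDIR%=C:\WINDOWS\system32 and the file name
# ie_update.exe (one of the %text1% names) are assumptions for the sample.
SAMPLE = {
    "Winlogon": {
        "Shell": "Explorer.exe" + " " * 60 + r"C:\WINDOWS\system32\ie_update.exe ",
        "Userinit": r"C:\WINDOWS\system32\userinit.exe" + " " * 60
                    + r",C:\WINDOWS\system32\ie_update.exe ",
    },
    "Run": {"ms_net_update": r"C:\WINDOWS\system32\ie_update.exe "},
    "Shares": {"dvd": r"CSCFlags=0 MaxUses=1000 Path=C:\Documents and Settings"
                      r"\user\Local Settings\Application Data\Microsoft\WinTools\dvd"
                      r" Permissions=127 Type=0"},
}

PADDING = re.compile(r" {4,}")  # long run of spaces pushes the appended path out of view


def entries(value):
    """Split a Winlogon value on commas/whitespace (paths without spaces assumed)."""
    return [e for e in re.split(r"[,\s]+", value.strip()) if e]


def check_winlogon(shell, userinit):
    """Flag padding and any entry besides explorer.exe / userinit.exe."""
    findings = []
    for name, value, expected in (("Shell", shell, "explorer.exe"),
                                  ("Userinit", userinit, "userinit.exe")):
        if PADDING.search(value):
            findings.append(f"Winlogon\\{name}: long whitespace padding")
        extra = [p for p in entries(value) if not p.lower().endswith(expected)]
        if extra:
            findings.append(f"Winlogon\\{name}: extra entries {extra}")
    return findings


def check_run(run_values):
    """Flag the Run value name the worm registers."""
    return [f"Run\\{k}" for k in run_values if k.lower() == "ms_net_update"]


def check_shares(shares):
    """Flag lanmanserver shares whose Path lies under ...\\Microsoft\\WinTools."""
    hits = []
    for name, value in shares.items():
        m = re.search(r"Path=(.*?)\s+Permissions=", value)
        if m and r"\microsoft\wintools" in m.group(1).lower():
            hits.append(f"Shares\\{name}")
    return hits


def scan(snapshot):
    """Return every finding for one snapshot in the SAMPLE layout."""
    wl = snapshot["Winlogon"]
    return (check_winlogon(wl["Shell"], wl["Userinit"])
            + check_run(snapshot["Run"]) + check_shares(snapshot["Shares"]))
```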
Description inserted by Andrei Ivanes on Tuesday, August 29, 2006
Description updated by Andrei Ivanes on Thursday, August 31, 2006