Virus: Worm/Womble.D
Date discovered: 12/09/2006
Type: Worm
In the wild: Yes
Reported Infections: Low to medium
Distribution Potential: Medium to high
Damage Potential: Medium
Static file: Yes
File size: 83.456 Bytes
MD5 checksum: a7eed18c21897e50bbe167b8f438b9af
VDF version: 6.35.01.212
IVDF version: 6.35.01.216 - Tuesday, September 12, 2006
General
Methods of propagation:
• Email
• Local network

Aliases:
• Symantec: W32.Womble.A@mm
• Mcafee: W32/Womble@MM
• Kaspersky: Email-Worm.Win32.Womble.d
• F-Secure: Email-Worm.Win32.Womble.d

Platforms / OS:
• Windows 98
• Windows 98 SE
• Windows NT
• Windows ME
• Windows 2000
• Windows XP
• Windows 2003

Side effects:
• Downloads malicious files
• Uses its own Email engine
• Registry modification

Files
It copies itself to the following location:
• %SYSDIR%\%random words%.exe

It creates the following directories:
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\dvd_info
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\free
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\h_core
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\l_this
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\lunch
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\my_staff
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\new_mp3
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\new_video
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\photo
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\sh_docs
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\take_it
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\video
• %HOME%\Local Settings\Application Data\Microsoft\WinTools\xxx

It drops copies of itself into each of the thirteen directories listed above, using a filename built from the following names and extensions:
– Names:
• bush
• Me
• My passwords
• MyWife
• Seduction secrets
• MySexMovie
• MySexPicture
• WallPaper
• anna
• Windows serial number
• GoogleHack
• OurNewCar
• OurNewHouse
– Extensions:
• .doc
• .jpg
• .txt
• .exe
• .pif

It also drops copies of itself:
– To: c:\system32\
Using one of the following names:
• winupdate.exe
• netupdate.exe
• winlog.exe
• winlogin.exe
– To: %network shares%
Using a filename built from the same lists of names and extensions as above.

It tries to download some files:
– The location is the following (three files; the file names are masked in the original description):
• support.365soft.info/current/**********
These files may contain further download locations and might serve as a source for new threats.

Registry
The following registry key is added in order to run the process after reboot:
– [HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
• windows_startup=%SYSDIR%\%random words%.exe

The following registry keys are added:
– [HKLM\SOFTWARE\WinUpdate]
• "Version"=dword:00000004
– [HKLM\SOFTWARE\WinUpload]
• "bot1.exe"=dword:00000002
• "bot2.exe"=dword:00000002
• "l.exe"=dword:00000002
• "t169.exe"=dword:00000002
– [HKCU\Software\Microsoft\WAB\WAB4]
• "FirstRun"=dword:00000001
– [HKCU\Software\Microsoft\Windows\CurrentVersion]
• "wmf.1.1"=dword:01c6db12
• "wmf.1.2"=dword:e8fc9740
Note: read together as the 64-bit value 0x01c6db12e8fc9740, the two "wmf.1.x" DWORDs form a Windows FILETIME that falls in September 2006, most likely the time the sample first ran on the analysis system; treat them as a per-infection marker, not as fixed signature data.

The following registry keys are changed:
– [HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
Old value:
• "Shell"="Explorer.exe"
• "Userinit"="%SYSDIR%\userinit.exe"
New value:
• "Shell"="Explorer.exe%empty spaces%%SYSDIR%\%random words%.exe"
• "Userinit"="%SYSDIR%\userinit.exe%empty spaces%,%SYSDIR%\%random words%.exe"
Note: the run of padding spaces pushes the appended path beyond the visible width of the value column in a registry editor, so compare the full value data rather than what is shown in the list view. The Winlogon key only exists on NT-based systems (Windows NT/2000/XP/2003); on Windows 98/ME persistence relies on the Run value.

Email
It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:

From: The sender address is the user's Outlook account.

To:
– Email addresses found in specific files on the system.
– Email addresses gathered from WAB (Windows Address Book)

Subject: One of the following:
• !!
• Action Bush
• FIFA
• Helo
• Hi
• important
• Incredible!!
• info
• Kiss
• Laura
• Laura and John
• Lola
• Look at this!!!
• Miss Khan
• Nataly
• Ola
• Olympus
• Paula
• pic
• pics
• private
• private pics
• Re:
• Re: hi
• Re:info
• RE: pic
• read this
• Robert
• Sex

Body: The body of the email is the following:
• Hi !!!
%random character string%
%random character string%
--
Best Regards

Attachment: The filename of the attachment is constructed out of the following:
– It starts with one of the following:
• bush
• Me
• My passwords
• MyWife
• Seduction secrets
• MySexMovie
• MySexPicture
• WallPaper
• anna
• Windows serial number
• GoogleHack
• OurNewCar
• OurNewHouse
– Continued by one of the following:
• .jpg
• .doc
• .txt
– Sometimes continued by one of the following:
• .pif
• .exe
• .zip
• .pif.zip
• .exe.zip
The attachment is a copy of the malware itself. Mail filtering should key on the double extension (a document or image extension followed by .pif, .exe or .zip) rather than on the base name alone.

Network Infection
In order to ensure its propagation the malware attempts to connect to other machines as described below.

Exploit: It makes use of the following exploits:
– MS04-011 (LSASS vulnerability)
– MS05-039 (Vulnerability in Plug and Play)

Backdoor
Contact server: All of the following (the original description lists two masked script paths per host):
• support.365soft.info/current/**********
• support.software602.com/current/**********
• anyproxy.net/current/**********
• support.enviroweb.org/current/**********
• support.nikontech.com/current/**********
• mymail.100hotmail.com/current/**********
• server1.mymail.ph/current/**********
• mymail.bokee.com/current/**********
• mail.96520.org/current/**********
• 211.184.55.7/current/**********
• update.snowsoft.co.kr/current/**********
• update.wwwmail.org/current/**********
• update.mediaroz.com/current/**********
• update.co.tv/current/**********
• www.3btasarim.com/current/**********
• baishui.info/current/**********
• jiji.2tw.info/current/**********
As a result it may send some information. This is done via an HTTP GET request to a PHP script.
Sends information about:
• Current malware status

Stealing
It tries to steal the following information:
– Email account information obtained from the registry key:
• HKCU\Software\Microsoft\Internet Account Manager\Accounts

Miscellaneous
Internet connection: In order to check for its internet connection the following DNS servers are contacted:
• *.GTLD-SERVERS.net
• *.lan.tjhsst.edu
Checks for an internet connection by contacting the following web site:
• www.sun.com/index.html

Mutex: It creates the following Mutex:
• wmf.mtx.4

File details
Programming language: The malware program was written in MS Visual C++.
Runtime packer: In order to hinder detection and reduce the size of the file, it is packed with a runtime packer.
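The Registry section above lists three persistence mechanisms (the Run value, the WinUpdate/WinUpload marker keys, and the padded Winlogon Shell/Userinit values). The following checker is an added example, not code from the original description or from Avira: it parses the text of a Windows .reg export and reports those indicators. The Winlogon check is generic and flags any program appended after Explorer.exe or userinit.exe, not only this worm's, since the padding trick hides whatever is appended. The export embedded in the block is constructed for the example, and the file name "blue sky.exe" is an assumed stand-in for the %random words% name the description does not specify.

```python
"""Flag the Womble.D registry persistence indicators in a .reg export.

Added example, not part of the Avira description. parse_reg() reads the
text of a registry export; check_persistence() reports the Run value,
the WinUpdate/WinUpload marker keys and any program appended to the
Winlogon Shell/Userinit values. The Winlogon rule flags any appended
program, not only this worm's. SAMPLE_REG is constructed; "blue sky.exe"
is an assumed stand-in for the %random words% name on the page.
"""
import re

SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"windows_startup"="C:\\WINDOWS\\system32\\blue sky.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\WinUpdate]
"Version"=dword:00000004

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Shell"="Explorer.exe                                   C:\\WINDOWS\\system32\\blue sky.exe"
"Userinit"="C:\\WINDOWS\\system32\\userinit.exe                  ,C:\\WINDOWS\\system32\\blue sky.exe"
'''

KEY_RE = re.compile(r'^\[(.+)\]$')
SZ_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')
DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"=dword:([0-9a-fA-F]{8})$')


def parse_reg(text):
    """Return {key: {value_name: data}}. REG_SZ data is unescaped to a
    str; REG_DWORD data becomes an int. Other value types are ignored."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = SZ_RE.match(line)
        if m:
            # .reg escapes backslash and double quote with a backslash
            data = m.group(2).replace('\\\\', '\\').replace('\\"', '"')
            keys[current][m.group(1)] = data
            continue
        m = DWORD_RE.match(line)
        if m:
            keys[current][m.group(1)] = int(m.group(2), 16)
    return keys


RUN_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
WINLOGON_KEY = r'HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
MARKER_KEYS = (r'HKEY_LOCAL_MACHINE\SOFTWARE\WinUpdate',
               r'HKEY_LOCAL_MACHINE\SOFTWARE\WinUpload')
# Legitimate program each Winlogon value must end with; anything after it
# (behind padding spaces and, for Userinit, a comma) was appended.
LEGIT_TAIL = {"Shell": "explorer.exe", "Userinit": "userinit.exe"}


def appended_program(data, legit_basename):
    """Return what follows the legitimate program in a Winlogon value,
    with padding whitespace and the separating comma stripped, or '' if
    the value is clean. A value that no longer contains the legitimate
    program at all is returned whole, since that is also a hijack."""
    idx = data.lower().find(legit_basename)
    if idx < 0:
        return data.strip()
    return data[idx + len(legit_basename):].strip(" \t,")


def check_persistence(reg_text):
    """Return a list of 'location: detail' findings for the indicators."""
    keys = parse_reg(reg_text)
    findings = []
    for key in MARKER_KEYS:
        if key in keys:
            findings.append(f"{key}: marker key present")
    run = keys.get(RUN_KEY, {})
    if "windows_startup" in run:
        findings.append(f"{RUN_KEY}\\windows_startup: {run['windows_startup']}")
    winlogon = keys.get(WINLOGON_KEY, {})
    for name, legit in LEGIT_TAIL.items():
        extra = appended_program(winlogon.get(name, legit), legit)
        if extra:
            findings.append(f"{WINLOGON_KEY}\\{name}: appended '{extra}'")
    return findings


if __name__ == "__main__":
    for finding in check_persistence(SAMPLE_REG):
        print(finding)
```

On a live system the same export is produced with `reg export HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon winlogon.reg` (plus the Run key), which is also the way to see the full padded value that a registry editor's list view truncates.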
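The Email section above gives the grammar of the attachment names (a base name from the list, then .jpg/.doc/.txt, sometimes followed by .pif/.exe/.zip) and the fixed list of subjects. The classifier below is an added example, not code from the original description or from Avira: it applies that grammar and returns a verdict with its reason, and it also carries a generic double-extension rule that goes beyond this worm (any document-looking extension followed by an executable or archive extension). The extension sets marked ASSUMPTION in the code and the sample names are this example's, not the page's.

```python
"""Classify mail attachment names against the Womble.D naming pattern.

Added example, not from the Avira description. classify_attachment()
applies the filename grammar given above and also a generic
double-extension rule; is_womble_message() combines the subject list
with the attachment verdict for a high-confidence match. The extension
sets marked ASSUMPTION and the sample names are this example's own.
"""

BASE_NAMES = ("bush", "Me", "My passwords", "MyWife", "Seduction secrets",
              "MySexMovie", "MySexPicture", "WallPaper", "anna",
              "Windows serial number", "GoogleHack", "OurNewCar",
              "OurNewHouse")
FIRST_EXT = (".jpg", ".doc", ".txt")
SECOND_EXT = (".pif", ".exe", ".zip", ".pif.zip", ".exe.zip")
SUBJECTS = ("!!", "Action Bush", "FIFA", "Helo", "Hi", "important",
            "Incredible!!", "info", "Kiss", "Laura", "Laura and John",
            "Lola", "Look at this!!!", "Miss Khan", "Nataly", "Ola",
            "Olympus", "Paula", "pic", "pics", "private", "private pics",
            "Re:", "Re: hi", "Re:info", "RE: pic", "read this", "Robert",
            "Sex")

# ASSUMPTION: generic extension classes for the double-extension rule;
# the description itself only lists .jpg/.doc/.txt and .pif/.exe/.zip.
DOC_EXT = {".jpg", ".jpeg", ".gif", ".doc", ".txt", ".pdf"}
EXEC_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd"}
ARCHIVE_EXT = {".zip"}

_BASE_LOWER = {b.lower() for b in BASE_NAMES}
_SUBJECT_LOWER = {s.lower() for s in SUBJECTS}


def split_exts(filename):
    """Split every trailing extension off: 'anna.jpg.exe.zip' ->
    ('anna', ['.jpg', '.exe', '.zip']). Extensions are lower-cased so
    'MySexMovie.JPG.EXE' is handled like the lower-case form."""
    parts = filename.strip().split(".")
    return parts[0], ["." + p.lower() for p in parts[1:]]


def classify_attachment(filename):
    """Return (verdict, reason):
    'womble' - exactly a name this worm builds per the description
    'lure'   - generic double extension (document look, executable end)
    'clean'  - neither
    """
    stem, exts = split_exts(filename)
    if not exts:
        return "clean", "no extension"
    # Exact grammar from the description: base + first ext [+ second ext].
    if stem.lower() in _BASE_LOWER and exts[0] in FIRST_EXT:
        tail = "".join(exts[1:])
        if tail == "":
            return "womble", f"known base name with {exts[0]} only"
        if tail in SECOND_EXT:
            return "womble", f"known base name with {exts[0]}{tail}"
    # Generic rule: a document/image extension followed by anything that
    # actually executes or unpacks is a lure regardless of the base name.
    if (len(exts) >= 2 and exts[0] in DOC_EXT
            and any(e in EXEC_EXT or e in ARCHIVE_EXT for e in exts[1:])):
        return "lure", f"document extension {exts[0]} hides {''.join(exts[1:])}"
    return "clean", "no known pattern"


def is_womble_message(subject, attachment_name):
    """True when both the subject line and the attachment name match the
    description. Use this as the high-confidence rule and the attachment
    verdict alone as the broad one."""
    return (subject.strip().lower() in _SUBJECT_LOWER
            and classify_attachment(attachment_name)[0] == "womble")


if __name__ == "__main__":
    # Constructed sample names, not taken from a real capture.
    for name in ("anna.jpg.exe", "My passwords.doc.pif.zip", "WallPaper.txt",
                 "invoice.pdf.exe", "holiday.jpg"):
        print(name, "->", classify_attachment(name))
```

A name such as "WallPaper.txt" is reported as a match because the description says the attachment is the worm itself even without the second extension; it does not execute when opened, so a gateway can treat it as lower severity than the .exe/.pif forms.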
Description inserted by Adriana Popa on Friday, September 15, 2006
Description updated by Adriana Popa on Monday, September 18, 2006