W32/Womble-E is a mass-mailing worm for the Windows platform.
W32/Womble-E spreads by sending emails with itself as an attachment.
The subject line may be any of the following:
Bush
FIFA
Helo
Incredible!!
Kiss
Laura and John
Lola
Look at this!!!
Miss Khan
Ola
Olympus
Olympus
Paula
pics
private pics
RE:
Re: hi
Re: info
RE: pic
read this
Sex
Emails have a message text chosen from the following:
Hi!!
<random string of letters>
<another random string of letters>
The attachments may have the following filenames:
me
Windows serial number
OurNewHouse
Seduction Secrets
my passwords
Wallpaper
with one of the following extensions:
JPG
PIF
TXT
ZIP
Emails with the first of these message texts ("Hi!!") carry a ZIP file containing a copy of the worm. Emails with the second kind of message text (a random string of letters) carry a password-protected ZIP file containing a WMF file detected as Exp/WMF-A; this file uses an exploit to drop a copy of the worm.
W32/Womble-E attempts to disable firewall software.
When first run, W32/Womble-E copies itself into the Windows system folder as <System>\<random>.exe (this description also gives <System>\<Original Filename of worm>.exe as a copy location); the registry entries below refer to the random-named copy.
The following registry entries are created so that <random>.exe is run at startup:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
windows_startup = <System>\<random>.exe
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windows_startup = <System>\<random>.exe
The following Winlogon registry entries, which control what is run when a user logs on, are changed so that <random>.exe is run at logon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell = Explorer.exe
(The default value of this entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run at logon.)
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = <System>\userinit.exe
(The default value of this entry is "<Windows>\System32\userinit.exe,".)
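The persistence points above (the "windows_startup" Run value in both hives, and the Winlogon Shell and Userinit values) are what a responder would check first on a suspect host. The following PowerShell script is an added example written for this page; it is not code from the original description. The value name and the Winlogon defaults come from the text above. Treating any path that differs from those defaults as suspicious, resolving bare names against %SystemRoot% and System32, and reporting each file's Authenticode signature state are triage choices assumed here, not behaviour the page describes. Run it from an elevated prompt so HKLM is readable.

```powershell
# Added example, not part of the original W32/Womble-E description.
# Audits the persistence points the page lists: the "windows_startup" Run value
# in HKCU and HKLM, and the Winlogon Shell/Userinit values. The expected
# Winlogon defaults are taken from the page; flagging any deviation and checking
# the Authenticode signature of each referenced file is an assumed triage step.

function Get-ReferencedExecutables {
    param([string]$Data)
    # Split a Run/Winlogon value into its component paths. Winlogon uses commas
    # ("userinit.exe,"); injected entries often use spaces ("Explorer.exe C:\x.exe").
    # Limitation: unquoted paths containing spaces are split; the page's paths have none.
    $parts = $Data -split '[,\s]+' | Where-Object { $_ -ne '' }
    foreach ($part in $parts) {
        $candidate = $part.Trim('"')
        if (-not [IO.Path]::IsPathRooted($candidate)) {
            # Bare names such as explorer.exe resolve against %SystemRoot% and System32,
            # the folders the page calls <Windows> and <System>.
            foreach ($dir in @($env:SystemRoot, [Environment]::SystemDirectory)) {
                $full = Join-Path $dir $candidate
                if (Test-Path -LiteralPath $full) { $candidate = $full; break }
            }
        }
        $candidate
    }
}

function Invoke-WomblePersistenceAudit {
    $findings = @()

    # 1. Run keys: the worm creates a value named "windows_startup" in both hives.
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    foreach ($key in $runKeys) {
        if (-not (Test-Path -LiteralPath $key)) { continue }
        $props = Get-ItemProperty -LiteralPath $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # provider metadata, not registry values
            if ($p.Name -eq 'windows_startup') {
                $findings += [pscustomobject]@{
                    Location = "$key -> $($p.Name)"
                    Data     = [string]$p.Value
                    Reason   = 'Run value name used by W32/Womble-E'
                }
            }
        }
    }

    # 2. Winlogon: Shell and Userinit should hold exactly the defaults the page gives.
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $expected = @{
        Shell    = 'explorer.exe'
        Userinit = "$([Environment]::SystemDirectory)\userinit.exe,"
    }
    if (Test-Path -LiteralPath $winlogon) {
        $wl = Get-ItemProperty -LiteralPath $winlogon
        foreach ($name in $expected.Keys) {
            $actual = [string]$wl.$name
            if ($actual -and ($actual.Trim() -ine $expected[$name])) {
                $findings += [pscustomobject]@{
                    Location = "$winlogon -> $name"
                    Data     = $actual
                    Reason   = "Differs from default '$($expected[$name])'"
                }
            }
        }
    }

    # 3. For every flagged value, report each referenced file and its signature state,
    #    so a random-named unsigned binary in System32 stands out next to explorer.exe.
    foreach ($f in $findings) {
        foreach ($exe in Get-ReferencedExecutables -Data $f.Data) {
            $state = if (Test-Path -LiteralPath $exe) {
                (Get-AuthenticodeSignature -FilePath $exe).Status   # Valid, NotSigned, HashMismatch, ...
            } else {
                'missing on disk'
            }
            [pscustomobject]@{
                Location  = $f.Location
                Reason    = $f.Reason
                File      = $exe
                Signature = $state
            }
        }
    }
}

Invoke-WomblePersistenceAudit | Format-Table -AutoSize -Wrap
```

On a clean host the script prints nothing. On an infected one it lists each hijacked value once per file it references, so a Shell value of "Explorer.exe <System>\<random>.exe" yields two rows: the signed Microsoft shell and the unsigned random-named copy. Remember that the page says the worm also tampers with firewall software, so a clean registry audit alone is not proof the host is clean.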