W32/Womble-E is a mass-mailing worm for the Windows platform.
W32/Womble-E spreads by sending emails with itself as an attachment.
The subject line may be any of the following:
Laura and John
Look at this!!!
Emails have a message text chosen from the following:
<random string of letters>
<another random string of letters>
The attachments may have the following filenames:
Windows serial number
with extensions chosen from
When run, the worm copies itself to <System>\<Original Filename of worm>.exe
Emails with the first of these message texts carry a ZIP attachment containing a copy of the worm. Emails with the second of these message texts carry a password-protected ZIP attachment containing a WMF file detected as Exp/WMF-A. These files use an exploit to drop a copy of the worm.
W32/Womble-E attempts to disable firewall software.
When first run, W32/Womble-E copies itself to <System>\<random>.exe.
The following registry entries are created to run <random>.exe on startup:
The following registry entries are changed to run <random>.exe on startup:
(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run on startup).
(the default value for this registry entry is "<Windows>\System32\userinit.exe,").
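
One way to check the two changed startup entries against the defaults quoted above, as an added example that is not part of the original description. The labels "shell" and "userinit", the C:\Windows location used for <Windows>, and the sample filename in the comments are assumptions made for illustration; the registry data is passed in as a string, however it was exported.

```python
import re

def normalize(entry, windows_dir):
    """Unquote, expand %SystemRoot%/%windir%, and lower-case one command."""
    entry = entry.strip().strip('"')
    # A function is used as the replacement so backslashes in windows_dir
    # are not interpreted as regex escapes.
    entry = re.sub(r"%(systemroot|windir)%", lambda m: windows_dir,
                   entry, flags=re.I)
    return entry.replace("/", "\\").lower()

def allowed(windows_dir):
    """Default commands for the two entries, as stated in the description."""
    win = windows_dir.lower()
    return {
        # Default "Explorer.exe", which resolves to <Windows>\Explorer.exe
        "shell": {"explorer.exe", win + "\\explorer.exe"},
        # Default "<Windows>\System32\userinit.exe,"
        "userinit": {win + "\\system32\\userinit.exe"},
    }

def unexpected_commands(kind, data, windows_dir=r"C:\Windows"):
    """Return every command in a startup value that is not the default.

    kind is "shell" or "userinit" (labels assumed for this example);
    data is the registry value data as exported from the host.
    """
    ok = allowed(windows_dir)[kind]
    found = []
    for part in data.split(","):   # the userinit default is comma-terminated
        cmd = normalize(part, windows_dir)
        if cmd and cmd not in ok:
            found.append(cmd)
    return found

# Constructed sample data; "qwxzk.exe" stands in for <random>.exe.
# unexpected_commands("userinit",
#     r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\qwxzk.exe,")
```

An empty list means the value still matches its default; any returned command is an extra program that would run on startup.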