W32/Wurmark-D is a mass mailing worm which sends itself as a ZIP attachment to email addresses found on the infected computer.
When run, the worm displays the image newyear.jpg as it installs itself on the computer.
[Image: The image displayed by the Wurmark-D worm.]
W32/Wurmark-D may also attempt to terminate various anti-virus processes.
W32/Wurmark-D will drop ANSMTP.DLL, attached.zip, bszip.dll, newyear.jpg and xxz.tmp into the Windows system folder and bt32.exe into the C:\ folder. The worm will then create the following registry entries so as to auto-start on user logon or computer reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
vb6
BT32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
vb6
BT32.EXE
The worm also sets the additional registry entry:
HKCU\Software\Microsoft\OLE
vb6
BT32.EXE
W32/Wurmark-D harvests email addresses from files with the extensions WAB, ADB, TBB, DBX, ASP, PHP, HTM, HTML, SHT, TXT and DOC.
The ZIP file containing W32/Wurmark-D is called attached.zip.
Emails sent by the worm appear to originate from the addresses listed below and take the following forms:
godfather@hotmail.com
alex@hotmail.com
George@gmail.com
marija@hotmail.com
mary13@gmail.com
cutie88@ogrish.com
BARBARA@hotmail.com
Jane78@hotmail.com
britany56@sex.com
michael77@gmail.com
admirer12@yahoo.com
funyblock@hotmail.com
tit_fuck_909@paltalk.com
barby56@aol.com
Jane44@download.com
Subject:
HAPPY NEW YEAR!!!
Message body:
All the best in new year from our family
here is a litle attachment to make you smile in new year
email me back haha...
Subject:
MARY CHRISTMAS from our family
Message body:
All the best in new year and christams from our family
i was lauging like mad when i saw it! :D
The file within the attachment can have one of the following names:
Sexy_new_year.scr
HOT_NEW_YEAR.scr
Marry_christmas.scr
with_love.scr
From_my_hart.scr
new_year.scr
Hot_new_year.scr
ANSMTP.DLL, bszip.dll and newyear.jpg are non-malicious files and can be deleted. bt32.exe is detected by Sophos as W32/Rbot-TD. xxz.tmp is a copy of the worm and should be deleted.