Sophos

W32/Womble-E

Aliases
  • Email-Worm.Win32.Womble.d
  • W32/Womble@MM

Summary

 
Affected operating systems Windows
Protection available since 17 September 2006 04:53:57 (GMT)
Last updated 10 October 2007 19:23:51 (GMT)
Detected by All Sophos products

More Information

W32/Womble-E is a mass-mailing worm for the Windows platform.

W32/Womble-E spreads by sending emails with itself as an attachment.

The subject line may be any of the following:

Bush
FIFA
Helo
Incredible!!
Kiss
Laura and John
Lola
Look at this!!!
Miss Khan
Ola
Olympus
Olympus
Paula
pics
private pics
RE:
Re: hi
Re: info
RE: pic
read this
Sex

Emails have a message text chosen from the following:

Hi!!

<random string of letters>
<another random string of letters>

The attachments may have the following filenames:

me
Windows serial number
OurNewHouse
Seduction Secrets
my passwords
Wallpaper

with extensions chosen from

JPG
PIF
TXT
ZIP

When run, the worm copies itself to <System>\<Original Filename of worm>.exe

Emails with the first of these message texts ("Hi!!") carry a ZIP file containing a copy of the worm. Emails with the second (the random strings of letters) carry a password-protected ZIP file containing a WMF file detected as Exp/WMF-A, which uses the Windows Metafile rendering vulnerability (MS06-001) to drop a copy of the worm when the image is viewed on an unpatched system. Because the archive is encrypted, a gateway or desktop scanner that does not know the password cannot inspect its contents, so the WMF payload is only exposed once the user extracts it.
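The email format above gives enough fixed indicators (subject lines, attachment base names and extensions, the two body variants, and a ZIP wrapper) to write a mail-filter check. The following is an added example, not Sophos's detection logic or code from the original page: it parses an RFC 822 message with Python's standard email library, scores it against the indicators listed above, and, for any attachment that parses as a ZIP, also reports members with WMF or executable extensions and whether they are encrypted. The sample messages are constructed inline to match the description; the inner member names and the assumption that the listed extensions may appear on the outer attachment are mine.

```python
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# Indicator lists copied from the W32/Womble-E description (lower-cased).
SUBJECTS = {
    "bush", "fifa", "helo", "incredible!!", "kiss", "laura and john", "lola",
    "look at this!!!", "miss khan", "ola", "olympus", "paula", "pics",
    "private pics", "re:", "re: hi", "re: info", "re: pic", "read this", "sex",
}
ATTACHMENT_NAMES = {"me", "windows serial number", "ournewhouse",
                    "seduction secrets", "my passwords", "wallpaper"}
EXTENSIONS = {"jpg", "pif", "txt", "zip"}
# Extensions worth reporting inside a ZIP attachment (WMF exploit, executables).
RISKY_MEMBER_EXT = {"wmf", "pif", "exe", "scr"}
# A body line that is nothing but letters (the "random string of letters" variant).
RANDOM_LETTERS = re.compile(r"^[A-Za-z]+$")


def split_name(filename):
    """Return (base, ext) lower-cased; ext is '' when there is none."""
    name = filename.lower()
    if "." in name:
        base, ext = name.rsplit(".", 1)
        return base, ext
    return name, ""


def zip_members(data):
    """List (member_name, is_encrypted) for a ZIP payload; [] if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            # Bit 0 of the general-purpose flag marks an encrypted entry.
            return [(i.filename, bool(i.flag_bits & 0x1)) for i in zf.infolist()]
    except zipfile.BadZipFile:
        return []


def score_message(raw):
    """Return the list of Womble-E indicators matched by one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    if (msg["subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    body = msg.get_body(preferencelist=("plain",))
    text = body.get_content().strip() if body is not None else ""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if text == "Hi!!":
        hits.append("body-hi")
    elif 1 <= len(lines) <= 2 and all(RANDOM_LETTERS.match(ln) for ln in lines):
        hits.append("body-random-letters")
    for part in msg.iter_attachments():
        fname = part.get_filename() or ""
        base, ext = split_name(fname)
        if base in ATTACHMENT_NAMES and ext in EXTENSIONS:
            hits.append("attachment:" + fname)
        for member, encrypted in zip_members(part.get_payload(decode=True) or b""):
            if split_name(member)[1] in RISKY_MEMBER_EXT:
                hits.append(("zip-encrypted-member:" if encrypted else "zip-member:") + member)
    return hits


def is_womble_like(raw, threshold=2):
    """Crude verdict: two or more independent indicators."""
    return len(score_message(raw)) >= threshold


def make_zip(member, data=b"MZ"):
    """Constructed in-memory ZIP holding one member (test data, not a real sample)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, data)
    return buf.getvalue()


def build_sample(subject, body, filename, payload):
    """Constructed message in the shape the description gives; not a capture."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "victim@example.com"
    m["Subject"] = subject
    m.set_content(body)
    m.add_attachment(payload, maintype="application", subtype="octet-stream",
                     filename=filename)
    return m.as_string()


if __name__ == "__main__":
    worm = build_sample("Re: pic", "Hi!!", "Wallpaper.zip", make_zip("Wallpaper.pif"))
    wmf = build_sample("Olympus", "xkqpwz\nmnbvcxlk", "my passwords.zip",
                       make_zip("my passwords.wmf", b"\xd7\xcd\xc6\x9a"))
    benign = build_sample("Quarterly report", "Please find the report attached.",
                          "report.pdf", b"%PDF-1.4")
    for name, raw in (("worm", worm), ("wmf", wmf), ("benign", benign)):
        print(name, is_womble_like(raw), score_message(raw))
```

The score is deliberately additive rather than an exact signature: the worm picks subject, body and attachment name independently, so any single field is weak on its own, but two or more together are rare in legitimate mail. The ZIP inspection runs on every attachment regardless of its declared name, which also catches a renamed archive.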

W32/Womble-E attempts to disable firewall software.

When first run, W32/Womble-E copies itself to <System>\<random>.exe.

The following registry entries are created to run <random>.exe on startup:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
windows_startup
<System>\<random>.exe

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
windows_startup
<System>\<random>.exe

The following registry entries are changed to run <random>.exe on startup:

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Shell
Explorer.exe

(the default value for this registry entry is "Explorer.exe", which causes the Microsoft file <Windows>\Explorer.exe to be run at logon; any other program named here is started as the user's shell in its place).

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit
<System>\userinit.exe

(the default value for this registry entry is "<Windows>\System32\userinit.exe," including the trailing comma; Winlogon treats Userinit as a comma-separated list and runs every program in it, so any path added after the comma is also launched at logon).
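The two Run values and the two Winlogon values above are the only autostart locations the description names, so a host check need only read those four places and compare them with the defaults quoted. The following is an added example, not Sophos's tooling or code from the original page: a pure audit function over a snapshot dictionary, plus a collector that fills the snapshot from the live registry with the standard winreg module when run on Windows. The snapshots used for the demonstration are constructed, not captures; the worm file name pqzvx.exe and the Userinit value with a path appended after the comma are hypothetical, chosen to show the checks firing, since the description records the keys touched but not the modified data.

```python
import sys

# Autostart locations named in the W32/Womble-E description.
HKCU_RUN = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
HKLM_RUN = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
WINLOGON = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SUSPECT_VALUE_NAME = "windows_startup"   # value name the worm creates


def _norm(s):
    """Case-insensitive, quote- and whitespace-insensitive comparison form."""
    return " ".join(str(s).strip().strip('"').lower().split())


def audit(snapshot, windir=r"C:\WINDOWS"):
    """Return findings for a snapshot of the form {key_path: {value_name: data}}.

    windir is the Windows directory to expect in the Userinit default.
    """
    findings = []
    for key in (HKCU_RUN, HKLM_RUN):
        for name, data in snapshot.get(key, {}).items():
            if name.lower() == SUSPECT_VALUE_NAME:
                findings.append(f"{key}\\{name} -> {data}")
    wl = snapshot.get(WINLOGON, {})
    # Shell: anything but Explorer.exe replaces the user's shell.
    if _norm(wl.get("Shell", "Explorer.exe")) != "explorer.exe":
        findings.append(f"{WINLOGON}\\Shell -> {wl['Shell']}")
    # Userinit: a comma-separated list; only userinit.exe itself is expected.
    userinit = wl.get("Userinit", rf"{windir}\system32\userinit.exe,")
    entries = [_norm(e) for e in str(userinit).split(",") if e.strip()]
    if entries != [_norm(rf"{windir}\system32\userinit.exe")]:
        findings.append(f"{WINLOGON}\\Userinit -> {userinit}")
    return findings


def snapshot_from_registry():
    """Read the four locations from the live registry (Windows only)."""
    import winreg  # standard library on Windows; absent elsewhere
    hives = {"HKCU": winreg.HKEY_CURRENT_USER, "HKLM": winreg.HKEY_LOCAL_MACHINE}
    out = {}
    for path in (HKCU_RUN, HKLM_RUN, WINLOGON):
        hive, sub = path.split("\\", 1)
        values = {}
        try:
            with winreg.OpenKey(hives[hive], sub) as key:
                index = 0
                while True:
                    try:
                        name, data, _ = winreg.EnumValue(key, index)
                    except OSError:      # raised when no more values remain
                        break
                    values[name] = data
                    index += 1
        except OSError:                  # key missing or access denied
            pass
        out[path] = values
    return out


# Constructed snapshots (not real captures). WORM is a hypothetical <random>.exe.
WORM = r"C:\WINDOWS\system32\pqzvx.exe"
INFECTED = {
    HKCU_RUN: {SUSPECT_VALUE_NAME: WORM},
    HKLM_RUN: {SUSPECT_VALUE_NAME: WORM, "SomeVendorTray": r"C:\Program Files\Vendor\tray.exe"},
    WINLOGON: {"Shell": "Explorer.exe",
               "Userinit": rf"C:\WINDOWS\system32\userinit.exe,{WORM}"},   # appended path is hypothetical
}
CLEAN = {
    HKCU_RUN: {},
    HKLM_RUN: {"SomeVendorTray": r"C:\Program Files\Vendor\tray.exe"},
    WINLOGON: {"Shell": "Explorer.exe", "Userinit": r"C:\WINDOWS\system32\userinit.exe,"},
}

if __name__ == "__main__":
    snap = snapshot_from_registry() if sys.platform == "win32" else INFECTED
    for finding in audit(snap) or ["no Womble-E autostart indicators found"]:
        print(finding)
```

Pass the real Windows directory (for example from %SystemRoot%) as windir when the installation is not under C:\WINDOWS, otherwise the Userinit comparison will produce a false positive on a clean machine.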
