Sophos

W32/Wurmark-J


Summary

 
How it spreads
  • Email attachments
Affected operating systems Windows
Characteristics
  • Installs itself in the registry
Protection available since 9 May 2005 07:44:28 (GMT)
Detected by All Sophos products

Action

Please follow the instructions for removing worms.

Windows NT/2000/XP/2003

In Windows NT/2000/XP/2003 you will also need to edit the following registry entry. The removal of this entry is optional in Windows 95/98/Me. Please read the warning about editing the registry.

At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.

Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.

Locate the HKEY_LOCAL_MACHINE entry:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<random filename without file extension>
<random filename>

and delete it if it exists.

Close the registry editor.

More Information

W32/Wurmark-J is a mass-mailing worm. The worm emails itself as a ZIP file.

W32/Wurmark-J harvests email addresses from files with the extensions WAB, ADB, TBB, DBX, ASP, PHP, HTM, HTML and SHT, and from the Microsoft Internet Account Manager.

W32/Wurmark-J copies itself to the Windows system folder under a random filename and creates the following registry entry so that it runs at user logon:

HKLM\Software\Microsoft\Windows\CurrentVersion\Run
<random filename without file extension>
<random filename>

W32/Wurmark-J also drops 2 DLLs with random filenames into the Windows System folder. One DLL is a component of an IESpy application, while the second is a log file. Both DLL files can be safely deleted.

Once installed, the worm copies itself to the %TEMP% folder using one of the following filenames:

screensaver .scr
song.wav .scr
music.mp3 .scr
video.avi .scr
photo.jpg .scr
girls.jpg .scr
pic.jpg .scr
message.txt .scr
image.jpg .scr
news.doc .scr
details.doc .scr
resume.doc .scr
love.jpg .scr
readme.txt .scr

This file is then zipped and moved to the Windows System folder under one of the following filenames:

screensaver.zip
song.zip
music.zip
video.zip
photo.zip
girls.zip
pic.zip
message.zip
image.zip
news.zip
details.zip
resume.zip
love.zip
readme.zip
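The two lists above describe a disguise rather than a specific file: a screensaver executable whose name carries a harmless-looking inner extension, padding spaces and then the real .scr extension, wrapped in a ZIP so the attachment itself looks innocuous. The following is an added example, not Sophos' code, showing how a mail-gateway or triage script could inspect ZIP member names for that pattern. The archive, its member names and the placeholder contents are constructed here for illustration; only the naming convention comes from the page.

```python
import io
import zipfile

# Extensions Windows will execute and extensions that commonly serve as decoys.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd"}
DECOY_EXTS = {".wav", ".mp3", ".avi", ".jpg", ".txt", ".doc"}


def classify_name(name):
    """Return the reasons a ZIP member name looks like a disguised executable.

    Reasons are appended in a fixed order: real extension, padding, decoy.
    """
    base = name.rsplit("/", 1)[-1]          # ignore any directory prefix
    reasons = []
    if "." not in base:
        return reasons
    stem, _, ext = base.rpartition(".")
    real_ext = "." + ext.lower()
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + real_ext)
    # Trailing spaces before the real extension push it out of view in a
    # narrow filename column, the "song.wav .scr" shape on the page.
    if stem != stem.rstrip():
        reasons.append("whitespace padding before extension")
    inner = stem.rstrip()
    if "." in inner:
        decoy = "." + inner.rpartition(".")[2].lower()
        if decoy in DECOY_EXTS:
            reasons.append("decoy extension " + decoy)
    return reasons


def is_disguised_executable(reasons):
    """Flag only executables that also use padding or a decoy extension."""
    return any(r.startswith("executable extension") for r in reasons) and len(reasons) > 1


def scan_zip_bytes(data):
    """Map each suspicious member name in a ZIP (given as bytes) to its reasons."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = classify_name(info.filename)
            if is_disguised_executable(reasons):
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive: member contents are placeholder bytes, not malware."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("song.wav .scr", b"MZ placeholder")
        zf.writestr("screensaver .scr", b"MZ placeholder")
        zf.writestr("holiday.jpg", b"\xff\xd8\xff placeholder")
    return buf.getvalue()


if __name__ == "__main__":
    for member, why in scan_zip_bytes(build_sample_zip()).items():
        print(repr(member), "->", "; ".join(why))
```

The check deliberately keys on the combination of an executable extension with padding or a decoy inner extension, so a plain `setup.exe` is left to whatever attachment policy already applies while the double-extension disguise is reported with the reasons a reviewer would want to see.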

The email messages that the worm generates have the following characteristics:

Sender's email domain chosen from:

admin
hostmaster
messagelab
symantec
localdomain
localhost
mcafee
postmaster
webmaster
spam
reports
noreply
recipients
abuse
microsoft
root

Subject line chosen from:

screensaver
song
music
video
photo
girls
pic
message
image
news
details
resume
love
readme

Attachment filenames (within the ZIP file) chosen from:

screensaver.zip
song.zip
music.zip
video.zip
photo.zip
girls.zip
pic.zip
message.zip
image.zip
news.zip
details.zip
resume.zip
love.zip
readme.zip

W32/Wurmark-J may also attempt to disable the Windows Firewall policy by setting the following registry entry:

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
EnableFirewall
dword:00000000
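The Action section has the reader export the registry with Regedit before locating the Run entry by hand, and this section adds a second indicator, the EnableFirewall value under the standard firewall profile. As an added example that is not Sophos' code, the script below reads such a .reg export offline and reports both the Run-key shape described above (an extension-less file in the Windows system folder) and the firewall setting. The sample export is constructed here, and the value name "qhfkzw" is a made-up stand-in for the worm's random filename, not an indicator from the page.

```python
import re

# Keys named on the page, in the long form Regedit writes into a .reg export.
RUN_KEY = r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run"
FIREWALL_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess"
                r"\Parameters\FirewallPolicy\StandardProfile")

# Constructed sample of a Regedit "Export Registry File" dump. "qhfkzw" is a
# placeholder for the random filename; it is not a real indicator.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="C:\\WINDOWS\\system32\\SecurityHealthSystray.exe"
"qhfkzw"="C:\\WINDOWS\\system32\\qhfkzw"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile]
"EnableFirewall"=dword:00000000
'''

_VALUE_RE = re.compile(r'^"([^"]*)"=(.*)$')


def _normalise_key(key):
    """Accept the HKLM abbreviation used on the page as well as the long form."""
    if key.upper().startswith("HKLM\\"):
        key = "HKEY_LOCAL_MACHINE" + key[4:]
    return key.lower()


def parse_reg(text):
    """Parse a .reg export into {key: {value_name: data}} (string and dword data only)."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = _normalise_key(line[1:-1])
            keys.setdefault(current, {})
            continue
        m = _VALUE_RE.match(line)
        if m is None or current is None:
            continue
        name, data = m.group(1), m.group(2)
        if data.startswith('"') and data.endswith('"'):
            # .reg string data escapes backslashes and quotes.
            data = data[1:-1].replace('\\\\', '\\').replace('\\"', '"')
        elif data.lower().startswith("dword:"):
            data = int(data[6:], 16)
        keys[current][name] = data
    return keys


def suspicious_run_entries(keys):
    """Run-key values whose data is an extension-less file in the Windows system folder."""
    hits = []
    for name, data in keys.get(_normalise_key(RUN_KEY), {}).items():
        if not isinstance(data, str):
            continue
        path = data.strip().strip('"')
        folder, _, filename = path.rpartition("\\")
        in_system_folder = folder.lower().endswith(("\\system32", "\\system"))
        if in_system_folder and "." not in filename:
            hits.append((name, path))
    return hits


def firewall_disabled(keys):
    """True when EnableFirewall is 0 for the standard profile, as the page describes."""
    return keys.get(_normalise_key(FIREWALL_KEY), {}).get("EnableFirewall") == 0


if __name__ == "__main__":
    parsed = parse_reg(SAMPLE_REG)
    print("suspicious Run entries:", suspicious_run_entries(parsed))
    print("standard-profile firewall disabled:", firewall_disabled(parsed))
```

Running it against a real export means exporting from Regedit as the Action section describes and pointing `parse_reg` at that file's text; a hit from `suspicious_run_entries` is the entry to review and remove, and `firewall_disabled` returning True means the firewall setting needs to be restored after cleanup.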
