Summary

| How it spreads | |
|---|---|
| Affected operating systems | Windows |
| Characteristics | |
| Included in our products from | February 2005 (3.90) |
| Protection available since | 11 January 2005 06:09:00 (GMT) |
| Detected by | All Sophos products |
Action

Please follow the instructions for removing worms.
You will also need to edit the following registry entries, if they are present. Please read the warning about editing the registry.
At the taskbar, click Start|Run. Type 'Regedit' and press Return. The registry editor opens.
Before you edit the registry, you should make a backup. On the 'Registry' menu, click 'Export Registry File'. In the 'Export range' panel, click 'All', then save your registry as Backup.
Locate the HKEY_LOCAL_MACHINE entries:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
vb6
BT32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
vb6
BT32.EXE
and delete them if they exist.
Close the registry editor.
More Information
W32/Wurmark-D is a mass mailing worm which sends itself as a ZIP attachment to email addresses found on the infected computer.
When run, the worm displays the image newyear.jpg as it installs itself on the computer.
[Image: The image displayed by the Wurmark-D worm.]
W32/Wurmark-D will drop ANSMTP.DLL, attached.zip, bszip.dll, newyear.jpg and xxz.tmp into the Windows system folder and bt32.exe into the C:\ folder. The worm will then create the following registry entries so as to auto-start on user logon or computer reboot:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run
vb6
BT32.EXE
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
vb6
BT32.EXE
The worm also sets the additional registry entry:
HKCU\Software\Microsoft\OLE
vb6
BT32.EXE
W32/Wurmark-D harvests email addresses from files with the extensions: WAB, ADB, TBB, DBX, ASP, PHP, HTM, HTML, SHT, TXT and DOC.
The ZIP file containing W32/Wurmark-D is called attached.zip.
Emails sent by the worm appear to originate from the addresses listed below and take the following forms:
godfather@hotmail.com
alex@hotmail.com
George@gmail.com
marija@hotmail.com
mary13@gmail.com
cutie88@ogrish.com
BARBARA@hotmail.com
Jane78@hotmail.com
britany56@sex.com
michael77@gmail.com
admirer12@yahoo.com
funyblock@hotmail.com
tit_fuck_909@paltalk.com
barby56@aol.com
Jane44@download.com
Subject:
HAPPY NEW YEAR!!!
Message body:
All the best in new year from our family
here is a litle attachment to make you smile in new year
email me back haha...
Subject:
MARY CHRISTMAS from our family
Message body:
All the best in new year and christams from our family
i was lauging like mad when i saw it! :D
The file within the attachment can have one of the following names:
Sexy_new_year.scr
HOT_NEW_YEAR.scr
Marry_christmas.scr
with_love.scr
From_my_hart.scr
new_year.scr
Hot_new_year.scr
W32/Wurmark-D may also attempt to terminate various anti-virus processes.
ANSMTP.DLL, bszip.dll and newyear.jpg are non-malicious files and can be deleted. bt32.exe is detected by Sophos as W32/Rbot-TD. xxz.tmp is a copy of the worm and should be deleted.
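
The email traits described above (the two subject lines, the attached.zip archive, and the .scr names inside it) can be checked at a mail gateway or during mailbox triage. The following is an added example, not Sophos code: the function names and the sample message are constructed for illustration, and the archive member in the sample is harmless placeholder text.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators copied from the description above.
SUBJECTS = {"happy new year!!!", "mary christmas from our family"}
ZIP_NAME = "attached.zip"
INNER_NAMES = {n.lower() for n in (
    "Sexy_new_year.scr", "HOT_NEW_YEAR.scr", "Marry_christmas.scr",
    "with_love.scr", "From_my_hart.scr", "new_year.scr", "Hot_new_year.scr")}


def wurmark_d_indicators(raw: bytes) -> list[str]:
    """Return which of the page's indicators a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    if str(msg["Subject"] or "").strip().lower() in SUBJECTS:
        hits.append("subject")
    for part in msg.iter_attachments():
        if (part.get_filename() or "").lower() != ZIP_NAME:
            continue
        hits.append("zip-name")
        data = part.get_payload(decode=True) or b""
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                # Compare base names only, case-insensitively.
                names = [n.rsplit("/", 1)[-1].lower() for n in zf.namelist()]
        except zipfile.BadZipFile:
            continue  # named like the worm's archive but not a readable ZIP
        if INNER_NAMES.intersection(names):
            hits.append("inner-scr")
    return hits


def build_sample(subject: str, zip_name: str, inner: str) -> bytes:
    """Constructed test message (hypothetical addresses, harmless archive)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(inner, b"placeholder, not malware")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "user@example.com"
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=zip_name)
    return msg.as_bytes()


if __name__ == "__main__":
    print(wurmark_d_indicators(
        build_sample("HAPPY NEW YEAR!!!", "attached.zip", "new_year.scr")))
```

A message that matches only "zip-name" is weak evidence on its own; the combination with a listed inner .scr name is the stronger signal.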

