From Sophos Alert System:

Name: W32/Wurmark-F
Aliases: WORM_MUGLY.H, W32/Mugly.h@MM, Email-Worm.Win32.Wurmark.g
Type: Win32 worm
Date: 6 April 2005

A virus identity (IDE) file which provides protection is available now from the Sophos website, and will be incorporated into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos small business solutions will be automatically protected at their next scheduled update.

At the time of writing, Sophos has received a small number of reports of this worm from the wild.

Note: The IDE issued for W32/Wurmark-F at 04:44 GMT on 28 Jan 2005 also contained detection for Troj/Ranck-CD, W32/Rbot-US, W32/Cisum-A, W32/Sdbot-UD, Troj/Dloader-KL, W32/Sdbot-UE, W32/WarPigs-C, W32/Domwis-F and Troj/Iefeat-W. This IDE has now been updated to enhance detection of Troj/Dloader-KL.

Information about W32/Wurmark-F can be found at:
http://www.sophos.com/virusinfo/analyses/w32wurmarkf.html

W32/Wurmark-F is a mass-mailing worm which sends itself as a zip attachment to email addresses found on the infected computer.

When run, the worm displays the image uglym.jpg as it installs itself on the computer.

[Image: the image displayed by the Wurmark-F worm.]

W32/Wurmark-F drops several files to the Windows system folder.

W32/Wurmark-F will drop attached.zip, which is a zip file containing W32/Wurmark-F, and xxz.tmp, which is a copy of the worm.

W32/Wurmark-F will also drop the following clean files:

    ANSMTP.DLL
    bszip.dll
    uglym.jpg

W32/Wurmark-F will also drop a file belonging to the W32/Rbot family of worms, with the filename svchosts.exe.

W32/Wurmark-F harvests email addresses from files with the extensions:

    WAB ADB TBB DBX ASP PHP HTM HTML SHT TXT DOC

The worm will skip email addresses containing the following strings:

    .gov ada avg gri icro lavat mcae nod panda rsky soph sophos symac

The zip file containing W32/Wurmark-F, called attached.zip, is attached to emails sent by the worm. The emails appear to originate from the addresses listed below and take one of the following forms:

    adead_poet@xxxxxxxxxxx
    alex_edwards2000@xxxxxxx
    romeorichard@xxxxxxxxxx
    apiffany@xxxxxxxx
    sexy_lil_thing@xxxxxxxxx
    cutie_pie@xxxxxxxxxx
    easy_lay666@xxxxxxxxxxx
    hunk_hogan78@xxxxxxxxxxxx
    britany_slut56@xxxxxxx
    tit_fuck_909@xxxxxxxxx
    good_fuck12@xxxxxxxxx
    blowjob_lips666@xxxxxxxxxxx
    tit_fuck_909@xxxxxxxxxxx
    sexy_guy88@xxxxxxx
    mucle_bound_hunk892@xxxxxxxxxxxx

Subject: Hhahahah lol!!!!
Body: i found this on my computer from ages ago download it and see if you can remember it lol i was lauging like mad when i saw it! :D email me back haha...

Subject: Your Pic On A Website!!
Body: I was looking at a website and came across this pic they look just like you! infact im sure it is lol , did you send this pic into them ? or is it someonce else :S ? Ive Added the pic in a zip so download it and check & email me back!

Subject: Rate My Pic.......
Body: Hi ive sent 5 emails now and nobody will rate my pic!! :( please download and tell me what you think out of 10 , dont worry if you dont like it just say i wont be offended p.s i was drunk when it was taken :P

Subject: You have an Admirer
Body: Someone has asked us on there behalf to send you this email and tell you they think you are wonderfull!!! All the The mystery persons details you need are enclosed in the attachment :) please download and respond telling us if you would like to make further contact with this person. Regards Hallmark Admirer Mail Admin.

The file within the attachment can have one of the following names:

    Pic_001.jpg.scr
    Sexy_09.jpg.scr
    Scan_04.jpg.scr
    Photo_01.jpg.scr
    admire_001.jpg.scr
    is_this_you.jpg.scr
    love_04.jpg.scr
    for_you.pif

This IDE file also includes detection for:

    Troj/Ranck-CD    http://www.sophos.com/virusinfo/analyses/trojranckcd.html
    W32/Rbot-US      http://www.sophos.com/virusinfo/analyses/w32rbotus.html
    W32/Cisum-A      http://www.sophos.com/virusinfo/analyses/w32cisuma.html
    W32/Sdbot-UD     http://www.sophos.com/virusinfo/analyses/w32sdbotud.html
    Troj/Dloader-KL  http://www.sophos.com/virusinfo/analyses/trojdloaderkl.html
    W32/Sdbot-UE     http://www.sophos.com/virusinfo/analyses/w32sdbotue.html
    W32/WarPigs-C    http://www.sophos.com/virusinfo/analyses/w32warpigsc.html
    W32/Domwis-F     http://www.sophos.com/virusinfo/analyses/w32domwisf.html
    Troj/Iefeat-W    http://www.sophos.com/virusinfo/analyses/trojiefeatw.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/wurmarkf.ide

Download all the IDE files available for the current version of Sophos Anti-Virus in a single compressed file. The file is available in two formats:

    Zip file: http://www.sophos.com/downloads/ide/ides.zip
    Self-extracting file: http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html

*********** MIKE'S REPLY SEPARATOR ***********

Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews, see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages
http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance and OWTA Charter Member
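
A filename check a mail gateway could apply to the attachment pattern described in the alert: a zip whose member has one of the listed names, or a benign-looking extension followed by an executable one. This is an added example, not Sophos code or part of the original message; the function names and the two extension sets are assumptions, and the sample archives are constructed in memory with placeholder bytes.

```python
import io
import zipfile

# Member names listed in the alert (compared case-insensitively).
KNOWN_NAMES = {n.lower() for n in (
    "Pic_001.jpg.scr", "Sexy_09.jpg.scr", "Scan_04.jpg.scr", "Photo_01.jpg.scr",
    "admire_001.jpg.scr", "is_this_you.jpg.scr", "love_04.jpg.scr", "for_you.pif",
)}
# Assumption: extensions this filter treats as executable / as decoys.
EXEC_EXTS = {"scr", "pif", "exe", "com", "bat", "cmd"}
DECOY_EXTS = {"jpg", "jpeg", "gif", "png", "bmp", "txt", "doc", "pdf"}

def classify_member(name):
    """Return a reason string if the archive member name is suspicious, else None."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1].strip().lower()
    if base in KNOWN_NAMES:
        return "listed-name"
    parts = base.split(".")
    if len(parts) >= 3 and parts[-1] in EXEC_EXTS and parts[-2] in DECOY_EXTS:
        return "double-extension"
    if len(parts) >= 2 and parts[-1] in EXEC_EXTS:
        return "executable"
    return None

def scan_zip_attachment(data):
    """Read member names from raw zip bytes (nothing is extracted or run)."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            names = zf.namelist()
    except zipfile.BadZipFile:
        # An archive the gateway cannot list should not be passed as clean.
        return [("<archive>", "unreadable-zip")]
    pairs = ((n, classify_member(n)) for n in names)
    return [(n, reason) for n, reason in pairs if reason]

def make_sample_zip(members):
    """Build a constructed sample archive in memory (harmless placeholder bytes)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in members:
            zf.writestr(name, b"placeholder")
    return buf.getvalue()

if __name__ == "__main__":
    print(scan_zip_attachment(make_sample_zip(["Pic_001.jpg.scr"])))
    print(scan_zip_attachment(make_sample_zip(["holiday.jpg", "notes.txt"])))
```

The generic double-extension rule is what keeps the check useful once a variant renames its payload; the listed names alone only match this alert.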