[virusinfo] W32/Wurmark-F

  • From: "Mike" <mikebike@xxxxxxxxx>
  • To: virusinfo@xxxxxxxxxxxxx
  • Date: Wed, 06 Apr 2005 11:15:01 -0700

From: Sophos Alert System

Name: W32/Wurmark-F
Aliases: WORM_MUGLY.H, W32/Mugly.h@MM, Email-Worm.Win32.Wurmark.g
Type: Win32 worm
Date: 6 April 2005

A virus identity (IDE) file which provides protection is
available now from the Sophos website, and will be incorporated
into the May 2005 (3.93) release of Sophos Anti-Virus.

Customers using EM Library, PureMessage or any of our Sophos
small business solutions will be automatically protected at
their next scheduled update.

At the time of writing, Sophos has received a small number of
reports of this worm from the wild.


Note: The IDE issued for W32/Wurmark-F at 04:44 GMT on 28 Jan
2005 also contained detection for Troj/Ranck-CD, W32/Rbot-US,
W32/Cisum-A, W32/Sdbot-UD, Troj/Dloader-KL, W32/Sdbot-UE,
W32/WarPigs-C, W32/Domwis-F and Troj/Iefeat-W. This IDE has now
been updated to enhance detection of Troj/Dloader-KL.

Information about W32/Wurmark-F can be found at:
http://www.sophos.com/virusinfo/analyses/w32wurmarkf.html

W32/Wurmark-F is a mass mailing worm which sends itself as a zip attachment to
email addresses found on the infected computer.

When run, the worm displays the image uglym.jpg as it installs itself on the
computer.

[Image: the image displayed by the Wurmark-F worm.]

W32/Wurmark-F drops several files to the Windows system folder. W32/Wurmark-F
will drop attached.zip, which is a zip file containing W32/Wurmark-F, and
xxz.tmp, which is a copy of the worm. W32/Wurmark-F will also drop the
following clean files:

  ANSMTP.DLL
  bszip.dll
  uglym.jpg

W32/Wurmark-F will drop a file belonging to the W32/Rbot family of worms, with
the filename svchosts.exe.

W32/Wurmark-F harvests email addresses from files with the extensions:

  WAB
  ADB
  TBB
  DBX
  ASP
  PHP
  HTM
  HTML
  SHT
  TXT
  DOC

The worm will skip email addresses containing the following strings:

  .gov
  ada
  avg
  gri
  icro
  lavat
  mcae
  nod
  panda
  rsky
  soph
  sophos
  symac

The zip file containing W32/Wurmark-F, called attached.zip, is attached to
emails sent by the worm. The emails appear to originate from the addresses
listed below and take the following forms:

adead_poet@xxxxxxxxxxx
alex_edwards2000@xxxxxxx
romeorichard@xxxxxxxxxx
apiffany@xxxxxxxx
sexy_lil_thing@xxxxxxxxx
cutie_pie@xxxxxxxxxx
easy_lay666@xxxxxxxxxxx
hunk_hogan78@xxxxxxxxxxxx
britany_slut56@xxxxxxx
tit_fuck_909@xxxxxxxxx
good_fuck12@xxxxxxxxx
blowjob_lips666@xxxxxxxxxxx
tit_fuck_909@xxxxxxxxxxx
sexy_guy88@xxxxxxx
mucle_bound_hunk892@xxxxxxxxxxxx 

Subject: Hhahahah lol!!!!
Body:
  i found this on my computer from ages ago
  download it and see if you can remember it
  lol i was lauging like mad when i saw it! :D
  email me back haha...

Subject: Your Pic On A Website!!
Body:
  I was looking at a website and came across
  this pic they look just like you! infact im sure
  it is lol , did you send this pic into them ? or
  is it someonce else :S ? Ive Added the pic in
  a zip so download it and check & email me back!

Subject: Rate My Pic.......
Body:
  Hi ive sent 5 emails now and nobody will rate
  my pic!! :( please download and tell me what you
  think out of 10 , dont worry if you dont like it
  just say i wont be offended p.s i was drunk when
  it was taken :P

Subject: You have an Admirer
Body:
  Someone has asked us on there behalf to send
  you this email and tell you they think you are
  wonderfull!!! All the The mystery persons details
  you need are enclosed in the attachment :)
  please download and respond telling us if you
  would like to make further contact with this
  person.
  Regards Hallmark Admirer Mail Admin.

The file within the attachment can have one of the following
names:

  Pic_001.jpg.scr
  Sexy_09.jpg.scr
  Scan_04.jpg.scr
  Photo_01.jpg.scr
  admire_001.jpg.scr
  is_this_you.jpg.scr
  love_04.jpg.scr
  for_you.pif

This IDE file also includes detection for:

Troj/Ranck-CD
http://www.sophos.com/virusinfo/analyses/trojranckcd.html
W32/Rbot-US
http://www.sophos.com/virusinfo/analyses/w32rbotus.html
W32/Cisum-A
http://www.sophos.com/virusinfo/analyses/w32cisuma.html
W32/Sdbot-UD
http://www.sophos.com/virusinfo/analyses/w32sdbotud.html
Troj/Dloader-KL
http://www.sophos.com/virusinfo/analyses/trojdloaderkl.html
W32/Sdbot-UE
http://www.sophos.com/virusinfo/analyses/w32sdbotue.html
W32/WarPigs-C
http://www.sophos.com/virusinfo/analyses/w32warpigsc.html
W32/Domwis-F
http://www.sophos.com/virusinfo/analyses/w32domwisf.html
Troj/Iefeat-W
http://www.sophos.com/virusinfo/analyses/trojiefeatw.html

Download the IDE file from:
http://www.sophos.com/downloads/ide/wurmarkf.ide

Download all the IDE files available for the current version of 
Sophos Anti-Virus in a single compressed file. The file is
available in two formats:

Zip file:
http://www.sophos.com/downloads/ide/ides.zip

Self-extracting file:
http://www.sophos.com/downloads/ide/ides.exe

Read about how to use IDE files at
http://www.sophos.com/downloads/ide/using.html


*********** MIKE'S REPLY SEPARATOR  ***********
Mike ~ It is a good day if I learned something new.
Editor MikesWhatsNews see a sample on my web page
http://www3.telus.net/mikebike
<mikeswhatsnews-request@xxxxxxxxxxxxx?Subject=subscribe>
http://www3.telus.net/mikebike/worm_removal.htm
See my Anti-Virus pages  http://virusinfo.hackfix.org/index
<virusinfo-request@xxxxxxxxxxxxx?Subject=subscribe>
A Technical Support Alliance  and OWTA Charter Member 
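
Added example (not part of the Sophos alert or of the original post): a mail-gateway style check for the message shape the alert describes, namely one of the four subjects, a zip attachment named attached.zip, and a member with an .scr or .pif extension behind an image-looking name. The function names and the constructed sample message are assumptions made for illustration; the image-extension list goes slightly beyond the .jpg names in the alert.

```python
import email
import io
import re
import zipfile
from email.message import EmailMessage

# Subjects, archive name and extensions are taken from the advisory text.
SUBJECTS = {"Hhahahah lol!!!!", "Your Pic On A Website!!",
            "Rate My Pic.......", "You have an Admirer"}
ZIP_NAME = "attached.zip"
EXEC_EXT = re.compile(r"\.(scr|pif)$", re.I)
# Image-looking name followed by an executable extension (Pic_001.jpg.scr).
DOUBLE_EXT = re.compile(r"\.(jpe?g|gif|png|bmp)\.(scr|pif)$", re.I)

def inspect_message(raw: bytes) -> list[str]:
    """Return the reasons a raw message matches the advisory's description."""
    msg = email.message_from_bytes(raw)
    reasons = []
    if (msg.get("Subject") or "").strip() in SUBJECTS:
        reasons.append("subject")
    for part in msg.walk():
        name = (part.get_filename() or "").lower()
        if not name.endswith(".zip"):
            continue
        if name == ZIP_NAME:
            reasons.append("zip-name")
        try:
            data = part.get_payload(decode=True) or b""
            members = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            reasons.append("unreadable-zip")  # e.g. corrupt or not a zip
            continue
        for member in members:
            if DOUBLE_EXT.search(member):
                reasons.append(f"double-ext:{member}")
            elif EXEC_EXT.search(member):
                reasons.append(f"exec-ext:{member}")
    return reasons

def build_sample(subject: str, member: str) -> bytes:
    """Constructed test message; the zip member holds placeholder bytes only."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr(member, b"placeholder bytes, not a program")
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content("constructed sample body")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename=ZIP_NAME)
    return msg.as_bytes()
```

Matching on the member's extension rather than on the exact file names keeps the check useful if the names change; the subject and zip-name hits are best treated as supporting signals, since either can occur in legitimate mail.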


