
Malicious Software Encyclopedia: Win32/Wukill

Published: April 20, 2007

Win32/Wukill is a family of mass-mailing e-mail and network worms. The Win32/Wukill worm spreads to root directories on certain local and mapped drives. The worm also spreads by sending a copy of itself as an attachment to e-mail addresses found on the infected computer. 

Threat Overview

Class/type: Worm - Mass Mailer; Worm - Network
Discovered: September 22, 2005
Circulating: Yes
Affected operating systems: Windows NT 4.0, Windows 95, Windows 2000, Windows XP, Windows Server 2003, Windows ME, Windows 98
Affected software: Not specified
Infection rating: Low
Recovery difficulty: Moderate
Damage rating: Medium
Transmission rating: Low

Aliases (Also Known As)

Different antivirus vendors may be using different names to refer to this malicious software. Here are some of the names currently in use by antivirus software vendors participating in the Microsoft Virus Information Alliance (VIA):

  • McAfee: W32/Wukill.worm
  • Symantec: W32.Wullik@mm
  • Learn more about the Microsoft Virus Information Alliance.

    Technical Analysis

    Win32/Wukill creates a copy of itself in the Windows directory and in the root directory of local drives. It also copies itself to root directories where the user browses, including the root on mapped network drives. The worm also spreads by using Outlook to send a copy of itself as an attachment to e-mail addresses found in the Outlook address book.
     
    The worm uses several methods to hide. When a user browses to a folder that contains the worm, the worm can move to another folder to avoid detection. In addition, the worm configures Windows Explorer to hide file extensions and hidden files, and the worm file icon may resemble a Windows folder icon. The deceptive icon and hidden file extension may make it appear safe to open the item; however, doing so runs the worm. 
     
    The worm drops a configuration file and script file with attributes hidden and system. Browsing to a folder that contains these files and the worm can cause the worm to run when Windows starts. The worm also modifies a registry key for this purpose.
     
    The worm requires the Visual Basic 6.0 runtime file msvbvm60.dll to infect the computer.

    How to Prevent Infection

    Take the following steps to help prevent infection on your system:
    • Enable a firewall on your computer.
    • Get the latest computer updates.
    • Use up-to-date antivirus software.
    • Use caution with attachments and file transfers.

    Enable a firewall on your computer

    Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
    To turn on the Internet Connection Firewall in Windows XP
    1. Click Start, and click Control Panel.
    2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
    3. Click Change Windows Firewall Settings.
    4. Select On.
    5. Click OK.

    Get the latest computer updates

    Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
    To turn on Automatic Updates in Windows XP
    1. Click Start, and click Control Panel.
    2. Click System.
    3. Click Automatic Updates.
    4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

    Use up-to-date antivirus software

    Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx

    Use caution with attachments and file transfers

    Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

    How to Tell If Your Computer Is Infected

    Symptoms of infection by Win32/Wukill may include:
    • A message box that appears with the title "Warning" and the text "This File Has Been Damage!"
    • The Windows clipboard unexpectedly contains only the text "Hello!"
    • Presence of any of the following files:
      • %windir%\mstray.exe or %windir%\MsDoStray.com
      • <drive>\comment.htt or <drive>\folder.htt
      • <drive>\desktop.ini
      • <mapped or hard drive>\winfile.exe or <mapped or hard drive>\SexyGirl.exe
    • Presence of one of the following registry values: 'RavTime', 'RavTimeXP', or 'RavRUN2003'
      in subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
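
The file and registry indicators listed above can be checked offline against triage data collected from a suspect machine. The following is an added example, not Microsoft's code: it assumes a recursive file listing and the text output of reg query for the Run key, and the function names and sample data are constructed for illustration.

```python
import re
from pathlib import PureWindowsPath

# Indicator names taken from the symptom list above; matching is case-insensitive.
WINDIR_FILES = {"mstray.exe", "msdostray.com"}
ROOT_FILES = {"comment.htt", "folder.htt", "desktop.ini", "winfile.exe", "sexygirl.exe"}
RUN_VALUES = {"ravtime", "ravtimexp", "ravrun2003"}
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"
VALUE_LINE = re.compile(r"^\s+(.+?)\s+(REG_[A-Z_]+)\s*(.*)$")

def file_hits(paths, windir=r"C:\WINDOWS"):
    """Return paths whose name AND location match a file indicator."""
    hits = []
    for raw in paths:
        p = PureWindowsPath(raw.strip())
        name = p.name.lower()
        in_windir = p.parent == PureWindowsPath(windir)  # case-insensitive compare
        at_drive_root = bool(p.root) and len(p.parts) == 2  # e.g. D:\name
        # desktop.ini and folder.htt are also normal Windows file names, so a
        # root-level hit on those alone needs corroboration from other hits.
        if (in_windir and name in WINDIR_FILES) or (at_drive_root and name in ROOT_FILES):
            hits.append(str(p))
    return hits

def run_value_hits(reg_query_text):
    """Return (value name, data) pairs for indicator values under the Run key."""
    hits, key = [], ""
    for line in reg_query_text.splitlines():
        if line.upper().startswith("HKEY_"):
            key = line.strip().lower()  # remember which key the values belong to
            continue
        m = VALUE_LINE.match(line)
        if m and key == RUN_KEY.lower() and m.group(1).lower() in RUN_VALUES:
            hits.append((m.group(1), m.group(3).strip()))
    return hits

# Constructed sample input (not from a real machine).
SAMPLE_PATHS = [r"C:\WINDOWS\mstray.exe", r"C:\WINDOWS\system32\mstray.exe",
                r"D:\SexyGirl.exe", r"E:\desktop.ini",
                r"C:\Documents and Settings\user\desktop.ini"]
SAMPLE_REG = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
    ctfmon.exe    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
    RavTimeXP    REG_SZ    C:\WINDOWS\mstray.exe
"""

if __name__ == "__main__":
    print(file_hits(SAMPLE_PATHS), run_value_hits(SAMPLE_REG))
```

Because the worm sets its dropped files to hidden and system, the file listing must be collected with those attributes included or the file checks will miss them.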

    How to Recover from Infection

    Automatic Recovery
    To attempt to automatically remove this threat, run one of the following removal tools:

    Transmission Methods

    Method: Description
    Network Shares: Spreads to the root directory of local drives and to root directories where the user browses, including mapped network drives.
    Mass Mailer: Sends a copy of itself as an attachment to e-mail addresses found in the Outlook address book.

    Payload Information

    Payload type: Display something
    Trigger: Execution
    Description: May display a message box with the title "Warning" and the text "This File Has Been Damage!"


    © 2009 Microsoft Corporation. All rights reserved.