Win32/Wukill is a family of mass-mailing e-mail and network worms. The Win32/Wukill worm spreads to root directories on certain local and mapped drives. The worm also spreads by sending a copy of itself as an attachment to e-mail addresses found on the infected computer. 

Threat behavior

Win32/Wukill creates a copy of itself in the Windows directory and in the root directory of local drives. It also copies itself to root directories where the user browses, including the root on mapped network drives. The worm also spreads by using Outlook to send a copy of itself as an attachment to e-mail addresses found in the Outlook address book.
The worm uses several methods to hide. When a user browses to a folder that contains the worm, the worm can move to another folder to avoid detection. In addition, the worm configures Windows Explorer to hide file extensions and hidden files, and the worm file icon may resemble a Windows folder icon. The deceptive icon and hidden file extension may make it appear safe to open the item; however, doing so runs the worm. 
The worm drops a configuration file and script file with attributes hidden and system. Browsing to a folder that contains these files and the worm can cause the worm to run when Windows starts. The worm also modifies a registry key for this purpose.
The worm requires the Visual Basic 6.0 runtime file msvbvm60.dll to infect the computer.


Symptoms of infection by Win32/Wukill may include:
  • A message box that appears with the title "Warning" and the text "This File Has Been Damage!"
  • The Windows clipboard unexpectedly contains only the text "Hello!"
  • Presence of any of the following files:
    • %windir%\mstray.exe or %windir%\
    • <drive>\comment.htt or <drive>\folder.htt
    • <drive>\desktop.ini
    • <mapped or hard drive>\winfile.exe or <mapped or hard drive>\SexyGirl.exe
  • Presence of one of the following registry values: 'RavTime', 'RavTimeXP', or 'RavRUN2003'
    in subkey: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
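
The file and registry symptoms listed above can be checked with a read-only script; the PowerShell below is an added example, not part of the original entry, and the function name Find-WukillIndicator is hypothetical. It checks only names given in this entry (the second %windir% file name is cut off in the list and is not checked) and assumes PowerShell 3.0 or later.

```powershell
# Added example: read-only check for the Win32/Wukill indicators listed in this entry.
# The function name is hypothetical. Nothing is deleted or modified.
function Find-WukillIndicator {
    $hits = New-Object System.Collections.Generic.List[string]

    # 1. Autostart values in the Run subkey named in the entry.
    $runKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    $run = Get-ItemProperty -Path $runKey -ErrorAction SilentlyContinue
    foreach ($name in 'RavTime', 'RavTimeXP', 'RavRUN2003') {
        if ($run -and ($run.PSObject.Properties.Name -contains $name)) {
            $hits.Add("Run value '$name' = $($run.$name)")
        }
    }

    # 2. Copy of the worm in the Windows directory.
    $tray = Join-Path $env:windir 'mstray.exe'
    if (Test-Path -LiteralPath $tray) { $hits.Add("File $tray") }

    # 3. Roots of local and mapped drives: worm copies and dropped files.
    $exeNames  = 'winfile.exe', 'SexyGirl.exe'
    $dropNames = 'comment.htt', 'folder.htt', 'desktop.ini'
    $hiddenSystem = [IO.FileAttributes]'Hidden, System'
    foreach ($drive in Get-PSDrive -PSProvider FileSystem) {
        # -Force is required to list hidden and system files.
        $items = Get-ChildItem -LiteralPath $drive.Root -File -Force -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            if ($exeNames -contains $item.Name) {
                $hits.Add("File $($item.FullName)")
            }
            elseif (($dropNames -contains $item.Name) -and
                    (($item.Attributes -band $hiddenSystem) -eq $hiddenSystem)) {
                # The entry says the dropped files carry both attributes.
                $hits.Add("Hidden+system file $($item.FullName)")
            }
        }
    }

    return $hits
}

Find-WukillIndicator
```

Run it in the affected user's session so that mapped drives are visible. A hit on desktop.ini alone needs review, because that is also a normal Windows file name.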


Take the following steps to help prevent infection on your system:
  • Enable a firewall on your computer.
  • Get the latest computer updates.
  • Use up-to-date antivirus software.
  • Use caution with attachments and file transfers.

Enable a firewall on your computer

Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
  1. Click Start, and click Control Panel.
  2. Click Network and Internet Connections. If you do not see Network and Internet Connections, click Switch to Category View.
  3. Click Change Windows Firewall Settings.
  4. Select On.
  5. Click OK.

Get the latest computer updates

Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
  1. Click Start, and click Control Panel.
  2. Click System.
  3. Click Automatic Updates.
  4. Select a setting. Microsoft recommends selecting Automatic. If you do not choose Automatic, but you choose to be notified when updates are ready, a notification balloon appears when new downloads are available to install. Click the notification balloon to review and install the updates.

Use up-to-date antivirus software

Most antivirus software can detect and prevent infection by known malicious software. To help protect you from infection, you should always run antivirus software that is updated with the latest signature files. Antivirus software is available from several sources. For more information, see

Use caution with attachments and file transfers

Exercise caution with e-mail and attachments received from unknown sources, or received unexpectedly from known sources. Use extreme caution when accepting file transfers from known or unknown sources.

Alert level: High
This entry was first published on: Sep 23, 2005
This entry was updated on: Apr 21, 2007

This threat is also detected as:
  • W32.Wullik@mm (Symantec)
  • W32/Wukill.worm (McAfee)