Win32/Mywife.E@mm spreads as an attachment to mails or over network shares. It can create numerous copies of itself with names such as "WinZip,zip<multiple spaces>.scr" and "Photos,zip<multiple spaces>.exe". The worm disguises the copies in two ways to make it appear that they are not executable files. First, the icon for the file resembles the WinZip icon. Second, the file can have a double extension. The first extension may indicate a multimedia file, such as .mp3 or .wav. The second extension indicates an executable file, but there may be so many spaces between the two extensions that the second extension is not readily visible in a file list. The mail body mentions pictures from the Kama Sutra.
The worm adds data to the registry so that the worm runs each time Windows starts. This is done by adding the value "ScanRegistry scanregw.exe /scan" under the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
The worm continually refreshes the registry with this data in case the data is changed.
The worm modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts. It deletes product keys from the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
The list of product keys is:
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
PCCIOMON.exe (it is in the list twice)
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare
The worm deletes a large number of security and file-sharing related files:
%ProgramFiles%\DAP\*.dll
%ProgramFiles%\BearShare\*.dll
%ProgramFiles%\Symantec\LiveUpdate\*.*
%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
%ProgramFiles%\Norton Antivirus\*.exe
%ProgramFiles%\Alwil Software\Avast4\*.exe
%ProgramFiles%\McAfee.com\Agent\*.*
%ProgramFiles%\McAfee.com\shared\*.*
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
%ProgramFiles%\Trend Micro\Internet Security\*.exe
%ProgramFiles%\NavNT\*.exe
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%ProgramFiles%\Grisoft\AVG7\*.dll
%ProgramFiles%\TREND MICRO\OfficeScan\*.dll
%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar
%ProgramFiles%\Morpheus\*.dll
The worm reads folder locations and delete files with the following registry values / file patterns:
HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Home Directory - (*.exe)
HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps\NAV - (*.exe)
HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal\Folder - (*.exe, *.*)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe\Path - (*.ppl, *.exe)
HKEY_LOCAL_MACHINE\Sofware\KasperskyLab\Components\101\Folder - (*.exe)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum\InstallLocation - (*.exe)
Win32/Mywife.E can spread by copying itself to writeable network shares. It also spreads by sending a copy or archive of itself as an attachment to e-mail addresses found on the infected computer. The attachments are encoded using MIME, UUENCODE or BASE64 encoding, and have names such as Attachments00.HQX, Video_part.mim, SeX.mim, OriginalMessage.B64, etc. The encoded files within these attachments have names such as SeX,zip<spaces>.scR, Atta[001],zip]<spaces>.SCR, New Video,zip<spaces>.sCr, etc.
The worm closes any active window (in the foreground) whose title contains any of the following strings (case insensitive):
SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL
FIX
On the third day of every month the worm resets the content of files with specific extension. It searches for files on the hard disk with the following extensions and replaces their contents with "DATA Error [47 0F 94 93 F4 K5]":
*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp
The first time the worm will corrupt the content of those files is on February 3rd, 2006.
The worm locates computers on the network using the network API calls WNetOpenEnum and WNetEnumResource.
It attempts to connect to each machine that it finds as the user "Administrator" with the password "" (blank). It does this via command line, executing the command 'Net Use \\<machinename> /User:Administrator ""'
It then uses the administrative C$ share to check for the existence of the following folders on the machine, and attempts to delete any files within those folders. Note that this will succeed if either the machine has a blank administrator password, or if the user’s current credentials grant them access to the remote machine:
\C$\Program Files\Norton AntiVirus
\C$\Program Files\Common Files\symantec shared
\C$\Program Files\Symantec\LiveUpdate
\C$\Program Files\McAfee.com\VSO
\C$\Program Files\McAfee.com\Agent
\C$\Program Files\McAfee.com\shared
\C$\Program Files\Trend Micro\PC-cillin 2002
\C$\Program Files\Trend Micro\PC-cillin 2003
\C$\Program Files\Trend Micro\Internet Security
\C$\Program Files\NavNT
\C$\Program Files\Panda Software\Panda Antivirus Platinum
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
\C$\Program Files\Panda Software\Panda Antivirus 6.0
\C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus
the worm copies itself to the following locations on the remote machine:
\Admin$\WINZIP-TMP.exe (this is an administrative share of the Windows folder)
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\Winzip Quick Pick.exe
The worm uses the 'at' command to schedule execution of both \admin$\WINZIP_TMP.exe and \c$\WINZIP_TMP.exe on the remote machine at <currenthour>:59 (i.e. if it is currently 3:30am, the worm will execute at 3:59am).