Win32/Mywife.E@mm spreads as an attachment to mails or over network shares. It can create numerous copies of itself with names such as "WinZip,zip<multiple spaces>.scr" and "Photos,zip<multiple spaces>.exe". The worm disguises the copies in two ways to make it appear that they are not executable files. First, the icon for the file resembles the WinZip icon. Second, the file can have a double extension. The first extension may indicate a multimedia file, such as .mp3 or .wav. The second extension indicates an executable file, but there may be so many spaces between the two extensions that the second extension is not readily visible in a file list. The mail body mentions pictures from the Kama Sutra.
The worm adds data to the registry so that the worm runs each time Windows starts. This is done by adding the value "ScanRegistry scanregw.exe /scan" under the following key: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run.
The worm continually refreshes the registry with this data in case the data is changed.
The worm modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts. It deletes product keys from the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
The list of product keys is:
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
CleanUp
MPFExe
MSKAGENTEXE
MSKDetectorExe
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
Pop3trap.exe
PccPfw
PCCIOMON.exe (it is in the list twice)
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
rtvscn95
defwatch
vptray
ScanInicio
APVXDWIN
KAVPersonal50
kaspersky
TM Outbreak Agent
AVG7_Run
AVG_CC
Avgserv9.exe
AVGW
AVG7_CC
AVG7_EMC
Vet Alert
VetTray
OfficeScanNT Monitor
avast!
DownloadAccelerator
BearShare
The worm deletes a large number of security and file-sharing related files:
%ProgramFiles%\DAP\*.dll
%ProgramFiles%\BearShare\*.dll
%ProgramFiles%\Symantec\LiveUpdate\*.*
%ProgramFiles%\Symantec\Common Files\Symantec Shared\*.*
%ProgramFiles%\Norton Antivirus\*.exe
%ProgramFiles%\Alwil Software\Avast4\*.exe
%ProgramFiles%\McAfee.com\Agent\*.*
%ProgramFiles%\McAfee.com\shared\*.*
%ProgramFiles%\Trend Micro\PC-cillin 2002\*.exe
%ProgramFiles%\Trend Micro\PC-cillin 2003\*.exe
%ProgramFiles%\Trend Micro\Internet Security\*.exe
%ProgramFiles%\NavNT\*.exe
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.ppl
%ProgramFiles%\Kaspersky Lab\Kaspersky Anti-Virus Personal\*.exe
%ProgramFiles%\Grisoft\AVG7\*.dll
%ProgramFiles%\TREND MICRO\OfficeScan\*.dll
%ProgramFiles%\Trend Micro\OfficeScan Client\*.exe
%ProgramFiles%\LimeWire\LimeWire 4.2.6\LimeWire.jar
%ProgramFiles%\Morpheus\*.dll
The worm reads folder locations and delete files with the following registry values / file patterns:
HKEY_LOCAL_MACHINE\Software\INTEL\LANDesk\VirusProtect6\CurrentVersion\Home Directory - (*.exe)
HKEY_LOCAL_MACHINE\Software\Symantec\InstalledApps\NAV - (*.exe)
HKEY_LOCAL_MACHINE\Software\KasperskyLab\InstalledProducts\Kaspersky Anti-Virus Personal\Folder - (*.exe, *.*)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\App Paths\Iface.exe\Path - (*.ppl, *.exe)
HKEY_LOCAL_MACHINE\Sofware\KasperskyLab\Components\101\Folder - (*.exe)
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall\Panda Antivirus 6.0 Platinum\InstallLocation - (*.exe)
Win32/Mywife.E can spread by copying itself to writeable network shares. It also spreads by sending a copy or archive of itself as an attachment to e-mail addresses found on the infected computer. The attachments are encoded using MIME, UUENCODE or BASE64 encoding, and have names such as Attachments00.HQX, Video_part.mim, SeX.mim, OriginalMessage.B64, etc. The encoded files within these attachments have names such as SeX,zip<spaces>.scR, Atta[001],zip]<spaces>.SCR, New Video,zip<spaces>.sCr, etc.
The worm closes any active window (in the foreground) whose title contains any of the following strings (case insensitive):
SYMANTEC
SCAN
KASPERSKY
VIRUS
MCAFEE
TREND MICRO
NORTON
REMOVAL
FIX
On the third day of every month the worm resets the content of files with specific extension. It searches for files on the hard disk with the following extensions and replaces their contents with "DATA Error [47 0F 94 93 F4 K5]":
*.doc
*.xls
*.mdb
*.mde
*.ppt
*.pps
*.zip
*.rar
*.pdf
*.psd
*.dmp
The first time the worm will corrupt the content of those files is on February 3rd, 2006.
The worm locates computers on the network using the network API calls WNetOpenEnum and WNetEnumResource.
It attempts to connect to each machine that it finds as the user "Administrator" with the password "" (blank). It does this via command line, executing the command 'Net Use \\<machinename> /User:Administrator ""'
It then uses the administrative C$ share to check for the existence of the following folders on the machine, and attempts to delete any files within those folders. Note that this will succeed if either the machine has a blank administrator password, or if the user’s current credentials grant them access to the remote machine:
\C$\Program Files\Norton AntiVirus
\C$\Program Files\Common Files\symantec shared
\C$\Program Files\Symantec\LiveUpdate
\C$\Program Files\McAfee.com\VSO
\C$\Program Files\McAfee.com\Agent
\C$\Program Files\McAfee.com\shared
\C$\Program Files\Trend Micro\PC-cillin 2002
\C$\Program Files\Trend Micro\PC-cillin 2003
\C$\Program Files\Trend Micro\Internet Security
\C$\Program Files\NavNT
\C$\Program Files\Panda Software\Panda Antivirus Platinum
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal
\C$\Program Files\Kaspersky Lab\Kaspersky Anti-Virus Personal Pro
\C$\Program Files\Panda Software\Panda Antivirus 6.0
\C$\Program Files\CA\eTrust EZ Armor\eTrust EZ Antivirus
the worm copies itself to the following locations on the remote machine:
\Admin$\WINZIP-TMP.exe (this is an administrative share of the Windows folder)
\c$\WINZIP_TMP.exe
\c$\Documents and Settings\All Users\Start Menu\Programs\Startup\Winzip Quick Pick.exe
The worm uses the 'at' command to schedule execution of both \admin$\WINZIP_TMP.exe and \c$\WINZIP_TMP.exe on the remote machine at <currenthour>:59 (i.e. if it is currently 3:30am, the worm will execute at 3:59am).
Take the following steps to help prevent infection on your system:
Enable a firewall on your computer.
Get the latest computer updates.
Use up-to-date antivirus software.
Use caution with unknown attachments.
Use strong passwords.
Remove unneeded network shares.
Use a user account which is not included in the administrators group.
You can also use the Windows Safety Live Center to clean this threat: http://go.microsoft.com/fwlink/?LinkId=212742. Occasionally, the worm may close the windows that are launched by this site, if they are in the foreground. If that happens, try using this site again.
The February release of the Microsoft Windows Malicious Software Removal Tool will detect and clean this threat as well.
Enable a firewall on your computer
Use a third-party firewall product or turn on the Microsoft Windows XP Internet Connection Firewall.
To turn on the Internet Connection Firewall in Windows XP
Click Start, and click Control Panel.
Click Network and Internet Connections, and click Network Connections. If you do not see Network and Internet Connections, click Switch to Category View.
Highlight a connection that you want to help protect, and click Change settings of this connection.
Click Advanced, and select Protect my computer and network by limiting or preventing access to this computer from the Internet.
Click OK.
Get the latest computer updates
Updates help protect your computer from viruses, worms, and other threats as they are discovered. You can use the Automatic Updates feature in Microsoft Windows XP to automatically download future Microsoft security updates while your computer is on and connected to the Internet.
To turn on Automatic Updates in Windows XP
Click Start, and click Control Panel.
Click Performance and Maintenance. If you do not see Performance and Maintenance, click Switch to Category View.
Click System.
Click Automatic Updates, and select Keep my computer up to date.
Select a setting. Microsoft recommends selecting Automatically download the updates, and install them on the schedule that I specify and setting a regular update time.
If you choose to have Automatic Updates notify you in step 5, you will see a notification balloon when new downloads are available to install. Click the notification balloon to review and install updates.
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software on your computer that is updated with the latest signature files to automatically help protect you from infection. If you don't have antivirus software installed, you can get it from one of several companies. For more information, see http://www.microsoft.com/athome/security/downloads/default.mspx
Use caution with unknown attachments
Use caution before opening unknown e-mail or IM attachments, even if you know the sender. If you cannot confirm with the sender that a message is valid and that an attachment is safe, delete the message immediately, and run up-to-date antivirus software to check your computer for viruses.
Use strong passwords
A strong password has at least eight characters and includes a combination of letters, numbers, and symbols. It is easy for you to remember, but difficult for others to guess. Weak passwords include any words in the dictionary, names, dates, consecutive letters or numbers, common words with symbol substitutions (for example, p@ssw0rd), and so on.
Remove unneeded network shares
Malicious software can often spread over network shares. Remove unneeded network shares that are mapped to your computer.
To remove network shares in Windows XP
On the Start menu, click My Computer.
On the Tools menu, click Disconnect Network Drives…
In the Disconnect Network Drives dialog box, click the drives to disconnect and click OK.
Use a user account which is not included in the administrators group
If the logged on user is not part of the administrators group of the computer, the worm will not be able to copy files and registry entries as programmed. Therefore the computer will not get infected.
