RE: [IMail Forum] new virus "naked wife"

Tue, 06 Mar 2001 16:01:37 -0800 


 some additional information


 http:[EMAIL PROTECTED]


  Symantec AntiVirus Research Center (SARC)
 http://www.symantec.com/avcenter

 W32.Naked@mm
 Discovered on: March 6, 2001
 Last Updated on: March 6, 2001 at 12:15:01 PM PST

 W32.Naked@mm is a mass mailing worm that disguises itself as flash movie.
 The attachment will be named NakedWife.exe. This worm, after it has
 attempted to email everyone in the Microsoft Outlook addressbook, will
 attempt to delete several systemfiles. This will leave the system
unusable,
 requiring a re-install.

 NOTE: This worm was previously detected as W32.HLLW.JibJab@mm.


 Category: Trojan Horse, Worm

 Virus Definitions: March 6, 2001

 Payload Trigger: Everytime the worm is executed
 Payload:  Deletes files: Attempts to delete several files from the Windows
and  Windows\System folders

 Distribution:

 Subject of email: Fw: Naked Wife
 Name of attachment: NakedWife.exe
 Size of attachment: 73,728 bytes

 Technical description:

 When first executed, W32.Naked@mm shows a window that appears to be loading
a Flash movie. However, in the background, this worm attempts to send itself
to everyone in the Microsoft Outlook addressbook. The message this worm
sends out looks as following:

 Subject: Naked Wife

 Body: > My wife never look like that! ;-)
 Best Regards,
 [UserName]

 *[UserName] will be replaced with the username that is used when
registering Microsoft Outlook.

 After the worm has attempted to mass-mail itself, it will attempt to delete
files from the Windows and Windows\System folders. The worm will attempt to
delete all files in the Windows and Windows\System folders that have any
of  the following extensions:

 .ini
 .log
 .dll
 .exe
 .com
 .bmp

 If this payload is executed, the only way to get the system back to an
 operational state is to reinstall it.


 The corrupted variant of this worm will be detected as W32.Naked.dam. The
corrupted variant cannot
 cause any damage to the system. However, if found, it should be deleted.


 Removal instructions:

 Delete any file detected as W32.Naked@mm or W32.Naked.dam.

 If the worm has been executed, it is very likely that the system has to be
 reinstalled.



Please visit http://www.ipswitch.com/support/mailing-lists.html 
to be removed from this list.

An Archive of this list is available at:
http://www.mail-archive.com/imail_forum%40list.ipswitch.com/

Reply via email to