W32/Onamu-B

Discussion in 'malware problems & news' started by FanJ, Aug 5, 2002.

Thread Status:
Not open for further replies.
  1. FanJ

    FanJ Guest

    Name: W32/Onamu-B
    Aliases: WORM_MOE.B, I-Worm.Desos.b
    Type: Win32 worm
    Date: 5 August 2002


    Sophos has received several reports of this worm from the wild.

    Description
    W32/Onamu-B is a worm which spreads via SMTP. It arrives as an attachment to an email. The email appears to come from a fake name and email address selected from the following lists:

    Possible first names:
    Mario
    Nadia
    Gabriel
    Federico
    Andrea
    Laura
    Patricia
    Osvaldo
    Sofia
    Sandra
    Javier
    Cristina
    Pablo
    Cecilia
    Ariel
    Silvia
    Emilio
    Flavia
    Jorge

    Possible middle initials:
    E.
    M.
    O.
    R.
    T.
    A.
    H.
    P.
    L.

    Possible surnames:
    Macchi
    Rizzo
    Rodriguez
    Narvaez
    Mosquera
    Montagna
    Miranda
    Armitano
    Kohan
    Lewin
    Machado
    Miller
    Ibarra
    Gutierrez
    Castro
    Godoy
    Ferreira
    Ferrer
    Chiappe
    Chiesa

    Possible email addresses:
    aldu5n_02@yahoo.com
    mor8l_88@netscape.com
    lime@illusive.org
    lemax7@compuserve.com
    xnto_678@hotmail.com
    lecs2462@yahoo.com
    4588bell@netscape.com
    vvgro55@illusive.org
    4653_trey@compuserve.com
    wer937@hotmail.com

    The email will have a subject line, message text and attached file chosen from the following lists:

    Possible subject lines:
    Seduccion
    Humano
    Musica
    Mujer
    Hombre
    Confesion
    Infidelidad
    Belleza
    Relaciones casuales
    Tus deseos
    Mi secreto
    La clave
    Enojo
    Perdon
    Responde!
    Cita
    Papelon
    Renuncio
    Monstruo
    Joven

    Possible message texts:
    Cap.3 El arte de provocar.
    El Ser Humano que pudiste ser.
    Esta es la musica que te prometi.
    La mujer mas bella...
    Un hombre entero.
    Ya sabes que fui yo?.
    Las imagenes de tu infidelidad.
    No estas conforme con tu apariencia?
    Esta es la lista para esta semana.
    Si te conforman, puedo enviar mas.
    Recorda tu promesa!
    No la vuelvas a perder, no abuses.
    Cuando veas esto, se te pasa.
    Crei que ya lo habia enviado.
    Nunca respondiste. No seas cruel.
    Me gusto lo que enviaste. Si te gusta, arreglamos.
    Te dije que es demasiado gorda. Mira!
    No puedo mejorarlo, ya es perfecto.
    Ahora te creo. Pobre mujer!
    Disculpa, sos demasiado joven para mi.

    Possible attached files:
    s_CAP3.EXE
    HUMANO.EXE
    MUSIC.EXE
    MUJER.EXE
    HOMBRE.EXE
    CONFESION.EXE
    INFIEL.EXE
    BELLEZA.EXE
    LISTArc.EXE
    DESEOS.EXE
    SECRETO.EXE
    CLAVE.EXE
    YO.EXE
    FEOS.EXE
    PASION.EXE
    CITA2.EXE
    GORDA.EXE
    CUERPO.EXE
    MONSTRUO.EXE
    JOVEN.EXE

    The worm copies itself to the Windows folder with a filename consisting of 5 randomly chosen letters and an EXE extension and adds a registry entry to
    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    so that the worm is run when Windows starts.



    More information about W32/Onamu-B can be found at
    http://www.sophos.com/virusinfo/analyses/w32onamub.html
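
An added example, not part of the original post or of the Sophos analysis: a triage sketch that screens a message against the attachment and subject lists above and flags Run values that point at a five-letter EXE directly in the Windows folder. The function names, the sample message, the sample Run values, the `C:\WINDOWS` default and the case-insensitive matching are assumptions made for illustration.

```python
import re
from email import message_from_string

# Attachment names and subject lines taken from the lists in the post above.
ATTACHMENTS = {n.lower() + ".exe" for n in (
    "s_CAP3 HUMANO MUSIC MUJER HOMBRE CONFESION INFIEL BELLEZA LISTArc DESEOS "
    "SECRETO CLAVE YO FEOS PASION CITA2 GORDA CUERPO MONSTRUO JOVEN").split()}
SUBJECTS = {s.lower() for s in (
    "Seduccion|Humano|Musica|Mujer|Hombre|Confesion|Infidelidad|Belleza|"
    "Relaciones casuales|Tus deseos|Mi secreto|La clave|Enojo|Perdon|Responde!|"
    "Cita|Papelon|Renuncio|Monstruo|Joven").split("|")}

def screen_message(raw):
    """Return (matching attachment names, subject_matches) for one raw message."""
    msg = message_from_string(raw)
    names = [p.get_filename() for p in msg.walk() if p.get_filename()]
    hits = [n for n in names if n.strip().lower() in ATTACHMENTS]
    subject = (msg.get("Subject") or "").strip().lower()
    return hits, subject in SUBJECTS

# Assumption: Run value data is a bare or quoted path; letter case is ignored.
RUN_TARGET = re.compile(r'^"?(?P<dir>.+)\\(?P<name>[a-z]{5}\.exe)"?$', re.I)

def suspicious_run_values(run_values, windir=r"C:\WINDOWS"):
    """Names of Run values whose data is <windir>\\<5 letters>.exe."""
    out = []
    for name, data in run_values.items():
        m = RUN_TARGET.match(data.strip())
        if m and m.group("dir").lower() == windir.lower():
            out.append(name)
    return out

# Constructed sample input (not captured traffic or a real registry export).
SAMPLE_MAIL = (
    "From: Mario E. Macchi <lime@illusive.org>\n"
    "Subject: Mi secreto\n"
    'Content-Type: multipart/mixed; boundary="b1"\n'
    "\n--b1\nContent-Type: text/plain\n\nconstructed body text\n"
    "--b1\nContent-Type: application/octet-stream\n"
    'Content-Disposition: attachment; filename="SECRETO.EXE"\n'
    "\nconstructed-bytes\n--b1--\n")
SAMPLE_RUN = {"SystemTray": r"C:\WINDOWS\System32\systray.exe",
              "ConstructedEntry": r"C:\WINDOWS\qwxzk.exe"}

if __name__ == "__main__":
    print(screen_message(SAMPLE_MAIL))
    print(suspicious_run_values(SAMPLE_RUN))
```

The Run-key pattern is a heuristic: it also matches legitimate programs with five-letter names in the Windows folder, so each hit is a lead for manual review rather than a verdict.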
     