Discussion in 'malware problems & news' started by Randy_Bell, Dec 3, 2004.

Thread Status:
Not open for further replies.
    Randy_Bell, Registered Member (joined May 24, 2002; Santa Clara, CA)
    WORM_MUGLY.A is a non-destructive mass-mailing worm that arrives via email, as an attachment. This memory-resident worm searches the infected system for target email addresses in files with certain extension names. However, it avoids sending email messages to email addresses that contain specific strings, most of which are related to antivirus and security companies. It runs on Windows 95, 98, ME, NT, 2000, and XP.

    Upon execution, it drops a copy of itself in the Windows system folder as the file XXX.TMP. It also drops the following files in the Windows system folder:

    * ATTACHED.ZIP - a ZIP-compressed copy of itself
    * WINIT.EXE - a worm that is detected by Trend Micro as WORM_SDBOT.AFE
    * UGLYM.JPG - a normal .JPG file
    * SVKP.SYS - an unpacker component used to register the SVK Protector, which this worm uses to unpack one of its dropped files that is compressed by SVKP
    * ANSMTP.DLL - a standard SMTP (Simple Mail Transfer Protocol) mailing engine
    * BSZIP.DLL - a standard archive engine

    It creates three registry entries that allow it to automatically execute at every system startup. In addition, it registers a standard SMTP engine on the infected system, which allows it to perform its mass-mailing routine.

    This worm looks for target email recipients in files with the following extensions:

    * ADB
    * ASP
    * DBX
    * DOC
    * HTM
    * HTML
    * PHP
    * SHT
    * TBB
    * TXT
    * WAB

    However, it avoids sending email messages to addresses that contain any of the following strings:

    * .gov
    * Adaware
    * Kaspersky
    * Lavasoft
    * Mcafee
    * Symantec
    * avguk
    * grisoft
    * nod32
    * pandasoftware
    * sophos
    * trendmicro

    The email message that it sends out has the following details:

    From: <spoofed>
    Subject: (any of the following)

    * You have an Admirer
    * Your Pic On A Website!!
    * Rate My Pic.......
    * Hhahahah lol!!!!

    Message Body: (any of the following)

    * Someone has asked us on there behalf to send you this email and tell you they think you are wonderfull!!! All the The mystery persons details you need are enclosed in the attachment :) please download and respond telling us if you would like to make further contact with this person.
    Regards Hallmark Admirer Mail Admin.
    * I was looking at a website and came across this pic they look just like you! infact im sure it is lol , did you send this pic into them ? or is it someonce else :S ? Ive Added the pic in a zip so download it and check & email me back!
    * Hi ive sent 5 emails now and nobody will rate my pic!! :( please download and tell me what you think out of 10 , dont worry if you dont like it just say i wont be offended p.s i was drunk when it was taken :p
    * i found this on my computer from ages ago download it and see if you can remember it lol i was lauging like mad when i saw it! :D email me back haha...

    Attachment: (any of the following)

    * Pic_001.exe
    * Photo_01.pif
    * admire_001.exe
    * is_this_you.scr
    * love_04.scr
    * for_you.pif
    * Sexy_09.scr

    This worm's payload displays the dropped image file, UGLYM.JPG.

    If you would like to scan your computer for WORM_MUGLY.A or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com/

    WORM_MUGLY.A is detected and cleaned by Trend Micro pattern file 2.274.01 and above.
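A defender-side check built only from the indicators listed in this post, added here as an example (it is not Trend Micro's or the poster's code): a mail-gateway rule that flags the listed subjects and attachment names, and a host-side check for the dropped files. The sample message, its MIME boundary and the addresses are constructed.

```python
import email
from email import policy

# Indicators quoted from the WORM_MUGLY.A description above (compared case-insensitively).
SUBJECTS = {
    "you have an admirer", "your pic on a website!!",
    "rate my pic.......", "hhahahah lol!!!!",
}
ATTACHMENTS = {
    "pic_001.exe", "photo_01.pif", "admire_001.exe", "is_this_you.scr",
    "love_04.scr", "for_you.pif", "sexy_09.scr",
}
# Files the worm drops in the Windows system folder. ANSMTP.DLL and SVKP.SYS are
# standard components and can exist legitimately, so a single hit is not conclusive.
DROPPED_FILES = {"attached.zip", "winit.exe", "uglym.jpg",
                 "svkp.sys", "ansmtp.dll", "bszip.dll"}


def classify_message(raw: str) -> list[str]:
    """Return the indicators an RFC 822 message matches (empty list if none)."""
    msg = email.message_from_string(raw, policy=policy.default)
    hits = []
    subject = str(msg["subject"] or "").strip().lower()
    if subject in SUBJECTS:
        hits.append("subject:" + subject)
    for part in msg.iter_attachments():           # only yields attachment parts
        name = (part.get_filename() or "").lower()
        if name in ATTACHMENTS:
            hits.append("attachment:" + name)
    return hits


def check_system_folder(listing) -> set[str]:
    """Return the dropped-file names present in a directory listing."""
    return {n.lower() for n in listing} & DROPPED_FILES


# Constructed sample: a message shaped like the one described in the post.
SAMPLE = """\
From: admirer@example.invalid
To: someone@example.invalid
Subject: You have an Admirer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Someone has asked us on there behalf to send you this email.
--b1
Content-Type: application/octet-stream; name="admire_001.exe"
Content-Disposition: attachment; filename="admire_001.exe"
Content-Transfer-Encoding: base64

TVo=
--b1--
"""
```

Treat one matching indicator as grounds for quarantine at the gateway, and on a host require more than one dropped file (or WINIT.EXE specifically) before concluding infection.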