WORM_BLUEWORM.F

Discussion in 'malware problems & news' started by Randy_Bell, Sep 11, 2004.

Thread Status:
Not open for further replies.
  1. Randy_Bell (Registered Member; joined May 24, 2002; 3,004 posts; Santa Clara, CA)

    WORM_BLUEWORM.F is a memory-resident worm that propagates via email. It deletes registry entries and files associated with antivirus programs, and also terminates certain processes associated with various antivirus applications. This worm is currently spreading in-the-wild and infecting systems running Windows 95, 98, ME, NT, 2000 and XP. Upon execution, it drops a copy of itself in the Windows system folder using 10 different file names. It then creates the folder, %Windows%\VOLUME, where it drops a copy of itself using the same file name as any file found in the Windows folder. This worm also drops another copy of itself as %Program Files%\Internet Explorer\Media Player.exe. Some of the dropped files are compressed using the WinZip application.

    In order to send email messages, this worm drops and registers the file OSSMTP.DLL in the Windows system folder. In the same folder, it also drops the following non-malicious files: about.txt, About_BlackWorm.C.txt, Music09.rm, Special.rm, Vide01.jpg

    This worm creates registry entries that allow it to execute at every Windows startup. In addition, it searches the local area network for shared network drives that are write-enabled and drops copies of itself in accessed shares using the file name GOOD MUSIC.SCR.

    This worm propagates by sending a copy of itself via email to all addresses listed in the MSN and Yahoo messenger applications. It also obtains target email addresses from files containing the following extension names: HTM, DBX

    The email message that it sends out has the following details:

    From:
    admin@newmovies.com
    fack_back06@mail.com
    gustes@msn.com
    hot_woman2362@freevideos.net
    King_sexy@hotmal.com
    linda200@gmail.com
    lost_love705@yahoo.com
    sandra@oxygen.com
    thomas_gay6@iopus.com
    user377@worldsex.com
    • Bad Love
    • Binnn MT
    • Genius
    • Lola Ashton
    • Ralph
    • Sara GL
    • spoofed_names
    • Sweet Women
    • The Moon
    • Thomas

    Subject/Message body: (any of the following)
    • For all Members repit the reactive one time.
    • Hello
    • Important
    • Please reactive now
    • Please reactive now.
    • Please Read
    • reactive now
    • Thank you
    • Thanks

    Attachment: (Refer to the Technical Details section of this virus description, posted on the Trend Micro Web site.)

    It then deletes registry entries and files associated with security and antivirus products from Hyper Technologies, Symantec, McAfee, and Trend Micro.

    If you would like to scan your computer for WORM_BLUEWORM.F or thousands of other worms, viruses, Trojans and malicious code, visit HouseCall, Trend Micro's free, online virus scanner at: http://housecall.trendmicro.com

    WORM_BLUEWORM.F is detected and cleaned by Trend Micro pattern file 2.171.05 and above.
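    As an added defender-side example (not from the newsletter text above and not Trend Micro's code), here is a small Python triage script that hunts a Windows root for the on-disk artifacts the description lists: the known dropped file names, and the %Windows%\VOLUME folder whose contents borrow names from files in the Windows folder. The Windows root path and the sample tree are constructed assumptions for offline testing.

```python
import hashlib
import tempfile
from pathlib import Path

# File and folder names the description says the worm drops (matched case-insensitively).
KNOWN_DROPS = {n.lower() for n in (
    "VOLUME", "OSSMTP.DLL", "Media Player.exe", "GOOD MUSIC.SCR",
    "about.txt", "About_BlackWorm.C.txt", "Music09.rm", "Special.rm", "Vide01.jpg",
)}


def find_blueworm_indicators(windows_root: str) -> dict:
    """Return {'names': [...], 'mirrored': [...]} for a Windows root.
    'names': paths whose name is a known dropped name; 'mirrored': files in
    VOLUME that borrow a Windows-folder file name and share one body with
    another such file (many names, one dropper body)."""
    root = Path(windows_root)
    hits = {"names": [], "mirrored": []}
    for p in root.rglob("*"):
        if p.name.lower() in KNOWN_DROPS:
            hits["names"].append(str(p))
    volume = root / "VOLUME"
    if volume.is_dir():
        originals = {p.name.lower() for p in root.iterdir() if p.is_file()}
        by_hash = {}
        for p in volume.iterdir():
            if p.is_file() and p.name.lower() in originals:
                digest = hashlib.sha256(p.read_bytes()).hexdigest()
                by_hash.setdefault(digest, []).append(str(p))
        for copies in by_hash.values():
            if len(copies) >= 2:  # one body under several borrowed names
                hits["mirrored"].extend(copies)
    return hits


def build_sample_tree() -> str:
    """Constructed sample layout (hypothetical, not a real infection)."""
    root = Path(tempfile.mkdtemp())
    for name in ("notepad.exe", "win.ini", "explorer.exe"):
        (root / name).write_bytes(b"legit:" + name.encode())
    vol = root / "VOLUME"
    vol.mkdir()
    for name in ("notepad.exe", "explorer.exe"):  # borrowed names, one body
        (vol / name).write_bytes(b"WORM-BODY")
    (vol / "win.ini").write_bytes(b"unrelated")  # lone name collision: not flagged
    (root / "system32").mkdir()
    (root / "system32" / "OSSMTP.DLL").write_bytes(b"mailer")
    return str(root)
```

    Copies the worm compresses with WinZip will not share a body hash with the others, so the mirrored-name heuristic only catches the uncompressed copies; the name-based check still fires on the fixed file names.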
     
  2. jwcca (Registered Member; joined Dec 6, 2003; 716 posts; Toronto)

    Randy, when I check the Trend site and run the update of PC-cillin, the latest version is 2.170, not 2.171.05. How did you find out about the newer version and how would I get it?

    Thanks

    Jim
     
  3. Randy_Bell (Registered Member; joined May 24, 2002; 3,004 posts; Santa Clara, CA)

    Controlled Pattern Release is a manual d/l which is currently at 2.171.21 as I type this reply {it is continually changing by the hour}. You'll get a "disclaimer", just click "Accept" to d/l the pattern file. My posted info on the worm is from TrendMicro NewsLetter; I guess I got on their list when I ran HouseCall years ago and volunteered for the list. I do enjoy the weekly newsletter from Trend, btw. Take Care, Warmly, Ran
     
  4. jwcca (Registered Member; joined Dec 6, 2003; 716 posts; Toronto)

    Thanks Randy, I did look and saw 4.5MB and decided not to use this method; I'm on a 26.4 kbps dial-up line (that's about a 23-minute download). But now that I know, if there's a really hot baddy, I can get the most recent file.

    Jim
     