W32.Blackmal@mm


Discovered: March 23, 2004
Updated: March 25, 2004 5:17:08 PM
Systems Affected: Windows

W32.Blackmal@mm is a mass-mailing worm that arrives as an email attachment. The worm attempts to disable antivirus software by deleting both its installed files and its associated registry entries.

W32.Blackmal@mm is a typical mass-mailing worm. The worm arrives attached to an email with the following properties:

Subject may be one of the following:
Alert
Fw: Virus Alert
FW: (-Sucking-)
FW: File - WebCam.mpeg
FW: **Hot Movie**
Re: Why? Form Back.mpg
FW:RE: Least *21* Years
Re: Double suck (movie)
FW:Re:Hot Erotic
very hot XXX
Video Clip
RE: FW: Women Mpeg
Asses Mpeg's
FW: Lesbian & gays Mpeg
Fw: My Funny Ass

The message body may consist of one of the following:
Dear User ,
This is A very High Resk Virus Alert.
This email is sent to you because one or some of your friends has been infected
with The W32.BlackWorm.A@mm Virus.
And you could be infected too. This Virus has the ability to damage the hard disk.
This Virus infects computers using many new ways :
1- it arrives as an email attachment inside of jpg pictures.
2- it infects the ip address without the victim's knowledge.
3- it infects Microsoft Word Documents using a new exploit in hex (00fxf0xf10x).


Notes:

* Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
* Symantec Security Response has attached a removal tool to clean and prevent the infections of W32.BlackWorm.A@mm.


Sincerely
Norton AntiVirus

Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is a real swingers group!!

I'm attatching a Video Clip of my wife if interested in checking it out!

Watch the Paris Hilton Sex Tape for Free!

Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips

Here is another Vclip of my daily group :|

All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes

Dozens of Free Video Clips to download.Many Niches. Updated regularly and more added daily.Taken From Vivi's Lovely Briefcase.

hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd , big ole booty, jus lovin life, until i get my pics posted in here you can either check out my profile or join my own yahoo group Texas-Sexy@groups.msn.com, either way works for me..i hope to become very active in this group, i like to get to know people, like to get on cam once in a while, jus to chill, when they aint none home..thats why its once in a while yaknow..anyways jus holla at me... n thanks for lettin me join!!! kisses kandee..Bye

very good movie >>> Video's Media Player. SEX SEX * Sluts Tits Video Mpeg's Mpeg Video Clips

-==This server does not support Transfer Big Movies==- wo Hotttt gurls sucking a hansum cock Softly

u Love asses? Here is a great ass open wide waitin for ur lil Cock
movie attached open by media Player 7.1
when i saw my ass i slept 3 hours why?? check my ass sorry my movie
LOOOOOOOOL joke (^!^)

Check This ?ucking Babe ;D

The attachment may be named as follows:
Julia_1997_Fucking.MPEG_.scr
juanita_in_the_kitchen.MPEG.scr
17Ag_double_suck__part[2].MPEG_.scr
April_FromTexas.MPEG_.scr
Video_briefcase_Group[13].MPEG_.scr
After_2AM_small_room[4].MPEG__.scr
Graham_Hilton_Sex[4].MPEG__.scr
WebCam_12girls_Ass.mpeg_.scr
Shakira_Anal_very_old.MPEG.scr
why_fuck_anal_back.MPEG.scr
open_girl_21year.MPEG.scr
Ricky_Gay_ass.MPEG______________.scr
GrahamCluley_freakin_Ass_.MPEG__.scr
Sexual_Crimes.MPEG____.scr
Fix_BlackWorm.com

Or:

hard_babe
AprilGoostree
Video
JuliaRoberts
BigFuck
hotsucking
ParisHilton
Shakira
Vclip2
easyFuck_GIRL
RickyMartin
AssClip
SexCrimes
Scan

Combined with one of the following file extensions:
.zip
.exe
.tgz
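
The attachment names above share one structural trait: a media-looking extension, often padded with underscores, placed ahead of the extension Windows actually acts on. The following mail-gateway check is an added example, not part of the original write-up; the verdict labels, the extension sets and the extra padding characters are assumptions chosen for illustration.

```python
# Extensions Windows runs directly (.scr and .com are the ones on this page).
EXECUTABLE_EXTS = {"scr", "com", "exe", "pif", "bat", "cmd"}
# Archive suffixes listed in the write-up; their members need scanning.
ARCHIVE_EXTS = {"zip", "tgz"}
# Extensions a recipient reads as harmless media (assumed list).
DECOY_EXTS = {"mpeg", "mpg", "avi", "jpg", "jpeg", "gif", "doc", "txt"}
# The page shows "_" padding; space and hyphen are assumed variants.
PADDING = "_ -"

def classify_attachment(filename):
    """Return (verdict, reason) for one attachment file name."""
    # Win32 drops trailing dots and spaces, so ignore them here too.
    name = filename.strip().rstrip(". ").lower()
    segments = name.split(".")
    if len(segments) < 2:
        return ("allow", "no extension")
    final = segments[-1]
    if final in ARCHIVE_EXTS:
        return ("inspect", f"archive .{final}: scan the members")
    if final not in EXECUTABLE_EXTS:
        return ("allow", f"final extension .{final} is not executable")
    # Any earlier dot-separated segment that is a padded media extension
    # means the name was built to hide the real one.
    for segment in segments[1:-1]:
        core = segment.strip(PADDING)
        if core in DECOY_EXTS:
            how = "padded " if core != segment else ""
            return ("block", f"{how}decoy .{core} before .{final}")
    return ("quarantine", f"bare executable .{final}")

def triage(names):
    """Map each attachment name to its verdict."""
    return {n: classify_attachment(n)[0] for n in names}

# Names taken from the lists above, plus one constructed benign name.
SAMPLES = [
    "juanita_in_the_kitchen.MPEG.scr",
    "After_2AM_small_room[4].MPEG__.scr",
    "Fix_BlackWorm.com",
    "Scan.zip",
    "holiday.mpeg",  # constructed benign control
]

if __name__ == "__main__":
    for name in SAMPLES:
        print(name, classify_attachment(name))
```
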

When the attachment is executed, it first creates the following folder and sets its attributes to hidden:
%Windir%\TEMPORY

Next the worm will copy itself as the following files:
%System%\(random_file_name1).exe
%Windir%\TEMPORY\(random_file_name1).exe
Here each random file name is formed by concatenating random strings and integers.

The worm will then drop the following file:
%Temp%\Media.Temp.Mpeg
It will then attempt to use Windows Media Player to play the file.

The worm will then drop and register two run time libraries:
OSSMTP.dll
oswinsck.dll
These libraries are not malicious.

To hook system startup the worm creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\(random_file_name1).exe %System%\(random_file_name1).exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\(default) %Windir%\TEMPORY\(random_file_name2).exe

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\(random_file_name1).exe %System%\(random_file_name1).exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\(default) %Windir%\TEMPORY\(random_file_name2).exe
Again, (random_file_name1) and (random_file_name2) are random strings and integers concatenated to name the file.

Next the worm will delete the following values, if present:
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
PCClient.exe
PCCIOMON.exe
pccguide.exe
PccPfw
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
Taskmon
KasperskyAv
system.
msgsvr32
Windows Services Host
Explorer
Sentry
ssate.exe
winupd.exe
au.exe

From the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
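
The startup entries the worm creates and the security values it deletes can both be checked from a dump of a Run key. The following triage script is an added example, not part of the original write-up: it parses text in the layout printed by `reg query`, the sample dump and its random-looking file names are constructed, and the `expected` baseline of value names is an assumption that must come from the host's own known-good state.

```python
import ntpath
import re

# One value line of `reg query` output: 4 spaces, name, type, data.
VALUE_LINE = re.compile(r"^\s{4}(?P<name>.+?)\s{4}(?P<type>REG_\w+)\s{4}(?P<data>.*)$")

def parse_reg_query(text):
    """Return {value_name: data} for one key dumped with `reg query`."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group("name")] = m.group("data").strip().strip('"')
    return values

def triage_run_key(text, expected=()):
    """Flag the Run-key traits described above; `expected` is the host baseline."""
    values = parse_reg_query(text)
    findings = []
    for name, data in values.items():
        exe = ntpath.basename(data).lower()
        folder = ntpath.basename(ntpath.dirname(data)).lower()
        if folder == "tempory":
            findings.append((name, "target is inside a TEMPORY folder"))
        if name.lower() == "(default)" and data:
            findings.append((name, "default value of a Run key is populated"))
        if name.lower().endswith(".exe") and name.lower() == exe:
            findings.append((name, "value is named after its own executable"))
    # Values the host should have (e.g. its antivirus agent) but no longer does.
    present = {n.lower() for n in values}
    for name in expected:
        if name.lower() not in present:
            findings.append((name, "expected security value is missing"))
    return findings

# Constructed sample dump; the .exe names are made up for illustration.
SAMPLE = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    (Default)    REG_SZ    C:\WINDOWS\TEMPORY\qzt41x7.exe
    hbw93k2.exe    REG_SZ    C:\WINDOWS\system32\hbw93k2.exe
    ctfmon    REG_SZ    C:\WINDOWS\system32\ctfmon.exe
"""

if __name__ == "__main__":
    for finding in triage_run_key(SAMPLE, expected=("ccApp", "NAV Agent")):
        print(finding)
```
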

The worm will then attempt to delete all of the files and executables in the following folders:
%Program Files%\Norton AntiVirus
%Program Files%\McAfee\McAfee VirusScan\Vso
%Program Files%\Trend Micro\PC-cillin 2002
%Program Files%\Trend Micro\PC-cillin 2003
%Program Files%\Trend Micro\Internet Security
%Program Files%\Symantec\LiveUpdate

Next the email propagation routines for the worm will begin. The worm will begin to harvest email addresses from MSN Messenger and Yahoo Pager as well as from all files with the following extensions:
.htm
.dbx

Finally the worm will attempt to send an email to all of the harvested email addresses through the default SMTP server address that the compromised host is configured to use. If the worm cannot find this information, it will use one of the many SMTP server addresses that are hard-coded into the worm.