W32.Blackmal.B@mm

Discovered: April 01, 2004
Updated: April 05, 2004 3:32:37 PM
Systems Affected: Windows

W32.Blackmal.B@mm is a mass-mailing worm. The worm arrives as an attachment to an email. It attempts to disable antivirus software by deleting both the installed product files and the associated registry entries.

W32.Blackmal.B@mm is a typical mass-mailing worm. The worm arrives attached to an email with the following properties:

The subject may be one of the following:
Alert
Fwd: Important Alert
Fw: }>Fucking<{
File - movie SuCkingPuSSy.mpeg
Movie
Re: Why?! BackSex.mpeg
Fw:'''~~movie'''~~25
Re:(movie)
Fw: `·.¸MPEG`·.¸
XXX Funny movie
Videos Clips...SeXxXy
Re: Fw:Women Mpeg
Asses Mpeg's
Fw: Lesbian Mpeg
Fw: Funny Ass
Hot XXX Streaming Videos, FREE Clips

The message body may consist of one of the following:
Dear User,

This is A very High Resk Virus Alert

This email is sent to you because one or some of your friends has been infected
with The W32.BlackWorm.A@mm Virus.
And you could be infected too.This Virus has the ability to damage the hard disk.
This Virus infects computers using many new ways :

1- it arrives as an email attachment inside of jpg pictures.
2- it infects the ip address without the victim's knowledge.
3- it infects Microsoft Word Documents using a new exploit in hex (00fxf0xf10x).

--------------------------------------------------------------------------------
Notes:

Symantec Consumer products that support Worm Blocking functionality automatically detect this threat as it attempts to spread.
Symantec Security Response has attached a removal tool to clean and prevent the infections of W32.BlackWorm.A@mm.
--------------------------------------------------------------------------------

Sincerely
Norton AntiVirus

Babe sucking black Dog MPEG funny movie

hey guys my name is April Goostree i am a sexy 22 yr old bbw , 5'9, 48 dd , big ole booty, jus lovin life, until i get my pics posted in here you can either check out my profile or join my own yahoo group Texas-Sexy@groups.msn.com, either way works for me..i hope to become very active in this group, i like to get to know people, like to get on cam once in a while, jus to chill, when they aint none home..thats why its once in a while yaknow..anyways jus holla at me... n thanks for lettin me join!!! kisses kandee..Bye

Dozens of Free Video Clips to download.Many Niches. Updated regularly and more added daily.Taken From Vivi's Lovely Briefcase.

very good movie >>> Video's Media Player. SEX SEX * Sluts Tits Video Mpeg's Mpeg Video Clips

Cum and check this fun group out...Sexy ladies!! Come post your ad,..this is a real swingers group!! I'm attatching a Video Clip of my wife if interested in checking it out!

-==This server Cannot support Transfer Big Movies==-

Video's Girls Erotic WebCam's Tits Mpeg's Girls Ass SEX Pussy Video Clips

Here is another Vclip of my daily group :|

All kinda Women Can be Found Here To Satisfy Women Lovers' Eyes

u Love asses? Here is a great ass open wide waitin for ur lil Cock Bye

movie attached open by media Player 7.1

when i saw my ass i slept 3 hours why?? check my ass sorry my movie LOOOOOOOOL joke (^!^)

Check This ?ucking Babe ;D ?ucking = Sucking=Fucking

The worm's attachment is one of the randomly named files it creates. If the message body is the fake virus warning text, only one of the first two possible subjects is used and the attachment name will be Fix_BlackWorm.com, Scan.zip, or Scan.tgz.

When the attachment is executed, it first creates the following folder and sets the folder's attributes to hidden:
%Windir%\TEMPORY

Next, the worm copies itself to the following locations:
%System%\<random_file_name1>.exe
%Windir%\TEMPORY\<random_file_name2>.exe
%Windir%\<random_file_name3>.exe

It then creates several files in the Windows System directory to be used as its email attachments. These files may use one of the following names:
WebCam.MPEG
suck[7].MPEG
April.MPEG
Video2.MPEG
Julia.MPEG
juanita.MPEG
Fucking.MPEG
Sex[4].MPEG
Frinds.MPEG
Ricky.MPEG
Cluley.MPEG
Sexual.MPEG

with one of the following extensions:
_________________________________________________________.exe
_________________________________________________________.scr

or one of the following names:
BlackDog
April
Video
JuliaRoberts
BigFuck
sucking
Hilton
shkira1990
Vclip2
FuckGIRL
RickyMartin
AssClip
Sex

with one of the following extensions:
.zip
.tgz
.taz
.z
.tz
.gz

The worm then drops the following file:
%Temp%\Media.Temp.Mpeg
It then attempts to launch Windows Media Player to play this file, so that the victim sees the promised video.

The worm then drops and registers two runtime libraries:
OSSMTP.dll
oswinsck.dll
These libraries are not malicious in themselves; the worm uses them for its SMTP and Winsock functionality.

To hook system startup, the worm creates the following registry entries:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<random_file_name1>.exe = %System%\<random_file_name1>.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\<random_file_name1>.exe = %System%\<random_file_name1>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\<random_file_name1>.exe = %System%\<random_file_name1>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\<random_file_name1>.exe = %System%\<random_file_name1>.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\(default) = %Windir%\TEMPORARY\<random_file_name2>.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\(default) = %Windir%\TEMPORARY\<random_file_name2>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(default) = %Windir%\TEMPORARY\<random_file_name2>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\(default) = %Windir%\TEMPORARY\<random_file_name2>.exe

or

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\(default) = %System%\<random_file_name1>.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\(default) = %System%\<random_file_name1>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\(default) = %System%\<random_file_name1>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\(default) = %System%\<random_file_name1>.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\<random_file_name2>.exe = %Windir%\TEMPORARY\<random_file_name2>.exe
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices\<random_file_name2>.exe = %Windir%\TEMPORARY\<random_file_name2>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\<random_file_name2>.exe = %Windir%\TEMPORARY\<random_file_name2>.exe
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices\<random_file_name2>.exe = %Windir%\TEMPORARY\<random_file_name2>.exe

Next, the worm deletes the following values, if present (these are the startup entries of security products and of other malware):
NPROTECT
ccApp
ScriptBlocking
MCUpdateExe
VirusScan Online
MCAgentExe
VSOCheckTask
McRegWiz
McVsRte
PCClient.exe
PCCIOMON.exe
pccguide.exe
PccPfw
tmproxy
McAfeeVirusScanService
NAV Agent
PCCClient.exe
SSDPSRV
Taskmon
KasperskyAv
system.
msgsvr32
Windows Services Host
Explorer
Sentry
ssate.exe
winupd.exe
au.exe
gigabit.exe
Norton Antivirus AV
SysMonXP
sysinfo.exe
Microsoft System Checkup
ICM version
Microsoft IE Execute shell
Winsock2 driver

from the following registry keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices
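As an added example (not part of this advisory or of Symantec's removal tool), the following Python triages a `.reg` export of the four autorun keys for the indicators just described: a value that runs from the hidden TEMPORY/TEMPORARY drop folder, a `(default)` value set to an executable, and security-product values that were present in an earlier clean export of the same host but are now missing. The sample exports, the file name kj3h9d and the product paths are constructed placeholders.

```python
# Autorun keys named above: the worm adds its own entries here and deletes AV entries.
AUTORUN_KEYS = (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServices",
)
# Subset of the security-product value names the advisory says the worm deletes.
AV_VALUES = {n.lower() for n in ("NPROTECT", "ccApp", "ScriptBlocking", "NAV Agent",
                                 "McAfeeVirusScanService", "PccPfw", "tmproxy", "KasperskyAv")}

def parse_reg_export(text):  # .reg text -> {key: {value_name: data}}; '@' is (default)
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and "=" in line:  # only REG_SZ lines are handled here
            name, data = line.split("=", 1)
            name = "(default)" if name.strip() == "@" else name.strip().strip('"')
            keys[current][name] = data.strip().strip('"').replace("\\\\", "\\")
    return keys

def triage_autoruns(current, baseline=None):  # baseline: earlier clean export of same host
    findings = []
    for key in AUTORUN_KEYS:
        values = current.get(key, {})
        for name, data in values.items():
            # The advisory spells the hidden drop folder both TEMPORY and TEMPORARY.
            if "\\tempory\\" in data.lower() or "\\temporary\\" in data.lower():
                findings.append(f"{key}\\{name} = {data}: runs from the hidden drop folder")
            elif name == "(default)" and data.lower().endswith(".exe"):
                findings.append(f"{key}\\(default) = {data}: default value runs an executable")
        if baseline:
            present = {n.lower() for n in values}
            for name in baseline.get(key, {}):
                if name.lower() in AV_VALUES and name.lower() not in present:
                    findings.append(f"{key}\\{name}: security-product autorun value removed")
    return findings

# Constructed sample exports (not from the advisory); kj3h9d and the AV paths are placeholders.
BASELINE_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ccApp"="C:\\Program Files\\Common Files\\Symantec Shared\\ccApp.exe"
"NAV Agent"="C:\\Program Files\\Norton AntiVirus\\navagent.exe"
"""
INFECTED_REG = r"""[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
@="C:\\WINDOWS\\TEMPORY\\kj3h9d.exe"
"kj3h9d"="C:\\WINDOWS\\System32\\kj3h9d.exe"
"""
```

Running `triage_autoruns(parse_reg_export(INFECTED_REG), parse_reg_export(BASELINE_REG))` on the samples reports the (default) value pointing into TEMPORY and the two removed product entries; a randomly named `.exe` under %System% alone is not flagged, because that needs a file-level check as well.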

The worm then attempts to delete all of the files and executables in the following folders, which hold the installed security products:
%Program Files%\Norton AntiVirus\
%Program Files%\McAfee\McAfee VirusScan\Vso\
%Program Files%\Trend Micro\PC-cillin 2002\
%Program Files%\Trend Micro\PC-cillin 2003\
%Program Files%\Trend Micro\Internet Security\
%Program Files%\Symantec\LiveUpdate

This variant of the worm also attempts to perform a denial-of-service attack against the website www.nymex.com.

The worm also attempts to copy itself to any open network shares it finds.

Next, the worm's email propagation routine begins. The worm harvests email addresses from MSN Messenger and Yahoo Pager, as well as from all files with the following extensions:
.htm
.dbx

Finally, the worm attempts to send an email to every harvested address through the default SMTP server that the compromised host is configured to use. If the worm cannot find this setting, it uses one of the many SMTP server addresses that are hard-coded into the worm.