Win32/Womble [Threat Name]

Win32/Womble.A [Threat Variant Name]

Category worm
Detection created Aug 30, 2006
Detection database version 1731
Short description

Win32/Womble.A is a worm that spreads via e-mail.

Installation

When executed, the worm creates the following folder: %system%\%userprofile%\Local Settings\Application Data\Microsoft\WinTools\ A subfolder in the following folder is created:

  • %system%\%userprofile%\Local Settings\Application Data\Microsoft\WinTools\

Its name is one of the following:

  • dvd
  • dvd_info
  • free
  • lunch
  • l_this
  • mp3
  • new_mp3
  • new_video
  • photo
  • sh_docs
  • take_it
  • video
  • xxx

Two files are dropped in the folder.

Some of the following strings may be used to form the filenames:

  • dvd
  • dvd_info
  • free
  • lunch
  • l_this
  • mp3
  • new_mp3
  • new_video
  • photo
  • sh_docs
  • take_it
  • video
  • xxx

One of the files is a copy of the worm.

The filename has one of the following extensions:

  • .exe
  • .pif

The other is a WMF file.

It serves as a dropper.

It exploits the MS06-001 vulnerability. The size of the file is 80 kB.


The filename has one of the following extensions:

  • .jpg
  • .wmf

In order to be executed on every system start, the worm sets the following Registry entries:

  • [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms_net_update]
  • [HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms_net_update]

The entries contain the path to the worm's executable.

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with the following extension:

  • .wab

Subject of the message is one of the following:

  • Action
  • Beauty
  • Bush
  • FIFA
  • Helo
  • Hi
  • important
  • Incredible!!
  • info
  • Kiss
  • Laura
  • Laura and John
  • Lola
  • Look at this!!!
  • Miss Khan
  • Nataly
  • Ola
  • Olympus
  • Paula
  • pic
  • pics
  • private
  • private pics
  • read this
  • RE:
  • Re:
  • Re: hi
  • Re: info
  • RE: pic
  • Robert
  • Sex
  • !!

Body of the message is one of the following:

  • There is some info in the attached file !!!
  • Zip P A S S : %variable%

The attachment is a ZIP archive.

It may be password protected.

Its filename is combined from some of the following strings:

  • about_windows
  • antispam
  • congratulations
  • firefox_update
  • free_antivirus
  • free_anti_spyware
  • google_info
  • google_tool
  • ie_update
  • inet
  • jpg
  • mail_control
  • mails_list
  • ms_office_update
  • net_update
  • new_picture
  • new_win_patch
  • passw
  • picture
  • pif
  • remove_spyware
  • some_info
  • wmf
  • www
  • yahoo_info
  • yahoo_tool
  • your_friends

The archive contains either the executable or the WMF dropper.
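The attachment behaviour described above (a ZIP, possibly password protected, carrying either an executable or a WMF dropper) is what a mail gateway can check without ever extracting the archive: member names and the per-member encryption flag live in the central directory, which stays in the clear even when the contents are encrypted. The following is an added example written for this page, not ESET's code or any part of the worm; the extension sets come from the lists above, the verdict policy and the sample archives are the author's own constructions, and `mark_encrypted` only flips the flag bit to mimic a password-protected archive because the standard library cannot write one.

```python
import io
import posixpath
import zipfile

# Extensions the page lists for the worm's dropped files: the executable
# copy (.exe/.pif) and the WMF dropper (.jpg/.wmf).
EXECUTABLE_EXTS = {".exe", ".pif"}
WMF_DROPPER_EXTS = {".jpg", ".wmf"}
ENCRYPTED_FLAG = 0x1  # bit 0 of the general-purpose flag: member is encrypted


def inspect_zip_attachment(data: bytes) -> dict:
    """Summarise a ZIP attachment without extracting anything.

    Reports which member names carry executable or WMF-dropper extensions and
    whether any member is marked encrypted (password protected). Only the
    central directory is read, so this works on password-protected archives.
    """
    result = {"valid_zip": False, "encrypted": False,
              "executables": [], "wmf_candidates": [], "members": []}
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return result
    result["valid_zip"] = True
    for info in archive.infolist():
        name = info.filename
        result["members"].append(name)
        if info.flag_bits & ENCRYPTED_FLAG:
            result["encrypted"] = True
        ext = posixpath.splitext(name)[1].lower()
        if ext in EXECUTABLE_EXTS:
            result["executables"].append(name)
        elif ext in WMF_DROPPER_EXTS:
            result["wmf_candidates"].append(name)
    return result


def verdict(summary: dict) -> str:
    """Map a summary to a gateway decision (policy assumed here): block/review/allow."""
    if not summary["valid_zip"]:
        return "review"      # undecodable archive: hand to a human
    if summary["executables"]:
        return "block"       # executable inside a mailed ZIP
    if summary["encrypted"] or summary["wmf_candidates"]:
        return "review"      # cannot be scanned, or an "image" that may be a WMF dropper
    return "allow"


# --- constructed test samples, not real worm artefacts ----------------------

def build_zip(member_name: str, payload: bytes) -> bytes:
    """Build a one-member ZIP archive in memory."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr(member_name, payload)
    return buf.getvalue()


def mark_encrypted(zip_bytes: bytes) -> bytes:
    """Set the 'encrypted' bit in every local (offset 6) and central (offset 8) header.

    The data itself is left as-is; this only mimics the flag a
    password-protected archive would carry.
    """
    out = bytearray(zip_bytes)
    for sig, flag_off in ((b"PK\x03\x04", 6), (b"PK\x01\x02", 8)):
        pos = out.find(sig)
        while pos != -1:
            out[pos + flag_off] |= ENCRYPTED_FLAG
            pos = out.find(sig, pos + 4)
    return bytes(out)


if __name__ == "__main__":
    samples = {
        "new_win_patch.exe": build_zip("new_win_patch.exe", b"MZ" + b"\0" * 64),
        "new_picture.jpg (encrypted)": mark_encrypted(build_zip("new_picture.jpg", b"\0" * 16)),
        "notes.txt": build_zip("notes.txt", b"hello"),
    }
    for label, blob in samples.items():
        s = inspect_zip_attachment(blob)
        print(f"{label}: verdict={verdict(s)} encrypted={s['encrypted']} members={s['members']}")
```

The decision table is deliberately conservative: an encrypted archive cannot be content-scanned, and a `.jpg` member may be the WMF dropper described above, so both land in review rather than allow.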
