This worm spreads via the Internet as an attachment to infected messages,
and also via network resources with weak password protection.
It sends itself to all email addresses harvested from the victim machine.
It also propagates by exploiting the following vulnerabilities:
Workstation Service Buffer Overrun (Microsoft Security Bulletin MS03-049)
DCOM RPC (Microsoft Security Bulletin MS03-026)
Microsoft SQL Server 2000 or MSDE 2000 audit (Microsoft Security Bulletin MS02-061)
Microsoft Windows LSASS (Microsoft Security Bulletin MS04-011).
The worm itself is a Windows PE EXE file, approximately 423KB in size, packed using MEW. The unpacked file is approximately 1159KB in size.
The worm contains a backdoor.
Installation
Once launched, the worm opens a window to display a file named uglym.jpg.
When installing itself to the system, the worm copies itself as xxz.tmp to the Windows system directory.
The worm creates the following files in the Windows system directory:
%System%\ANSMTP.DLL
%System%\bszip.dll
%System%\SVKP.sys
%System%\uglym.jpg
%System%\attached.zip
%System%\winit.exe
Wurmark.a then registers itself in the system registry:
[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
[HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices]
[HKCU\Software\Microsoft\OLE]
"virtual" = "winit.exe"
This ensures a copy of the worm will be launched each time the infected machine is rebooted.
The worm also creates the following keys in the system registry:
[HKCR\ANSMTP.MassSender]
[HKCR\ANSMTP.MassSender.1]
[HKCR\ANSMTP.OBJ]
[HKCR\ANSMTP.OBJ.1]
[HKCR\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}]
[HKCR\CLSID\{887A577B-406B-48FF-80CB-70752BFCD7B4}]
[HKCR\TypeLib\{DE6317F7-6EF0-45C2-88D1-8E09415817F1}]
[HKCR\Interface\{68B8DCDB-EFA4-420A-BB8A-71B9892A2063}]
[HKCR\Interface\{1E98666F-6260-42C9-B846-32B20FDEFE7B}]
[HKCR\Interface\{A5F6C90C-ABE4-4C57-A421-8C5A202AA9F8}]
[HKCR\Interface\{B13281CF-8778-4C98-AE23-ABBA4637A33D}]
[HKLM\SYSTEM\CurrentControlSet\Services\SVKP]
[HKLM\SYSTEM\CurrentControlSet\Enum\Root\SVKP]
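The registry entries above are the host-side indicators a responder would look for during triage. The following is an added example, not part of the original description: it parses a Windows .reg export (a constructed sample is embedded) and reports which of the persistence values and marker keys listed above are present. The key paths are the ones given in the description expanded to their full hive names; the sample export and its "SomeLegit" value are constructed for the demonstration.

```python
"""Triage check for the Wurmark.a registry indicators listed above.

Added example, not part of the original description. It parses a
Windows .reg export (constructed sample below) and reports which of
the persistence values and COM/service marker keys are present.
"""
import re

# Persistence locations from the description (full hive names, lowercased
# because registry paths are case-insensitive).
RUN_KEYS = {k.lower() for k in (
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run",
    r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\RunServices",
    r"HKEY_CURRENT_USER\Software\Microsoft\OLE",
)}
RUN_VALUE_NAME, RUN_VALUE_DATA = "virtual", "winit.exe"

# Keys the worm creates for its ANSMTP component and SVKP driver.
MARKER_KEYS = {k.lower() for k in (
    r"HKEY_CLASSES_ROOT\ANSMTP.MassSender",
    r"HKEY_CLASSES_ROOT\ANSMTP.OBJ",
    r"HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}",
    r"HKEY_CLASSES_ROOT\CLSID\{887A577B-406B-48FF-80CB-70752BFCD7B4}",
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP",
)}

KEY_RE = re.compile(r"^\[(.+)\]$")
VALUE_RE = re.compile(r'^"([^"]+)"="(.*)"$')   # only REG_SZ values matter here


def parse_reg(text):
    """Return {key_path: {value_name: string_data}} from .reg export text."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        m = KEY_RE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m.group(1)] = m.group(2)
    return keys


def find_indicators(reg):
    """Return a sorted list of human-readable hits against the indicators."""
    hits = []
    for key, values in reg.items():
        lowered = key.lower()
        if lowered in RUN_KEYS and values.get(RUN_VALUE_NAME, "").lower() == RUN_VALUE_DATA:
            hits.append(f"persistence: {key} -> {RUN_VALUE_NAME} = {RUN_VALUE_DATA}")
        if lowered in MARKER_KEYS:
            hits.append(f"marker key: {key}")
    return sorted(hits)


def check_reg_text(text):
    """Convenience wrapper: parse an export and return the hits."""
    return find_indicators(parse_reg(text))


# Constructed sample export: two persistence values, two marker keys, one
# unrelated legitimate entry.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"virtual"="winit.exe"
"SomeLegit"="C:\\Program Files\\Foo\\foo.exe"

[HKEY_CURRENT_USER\Software\Microsoft\OLE]
"virtual"="winit.exe"

[HKEY_CLASSES_ROOT\CLSID\{253664FB-EDFC-4AC6-BD69-B322F466AEED}]
@="ANSMTP.OBJ"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SVKP]
"Type"=dword:00000001
"""

if __name__ == "__main__":
    for hit in check_reg_text(SAMPLE_REG):
        print(hit)
```

On a live host the same check can be fed the output of `reg export` for each hive; the parser deliberately ignores non-string values, since the indicators here are all REG_SZ data or the mere existence of a key.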
Propagation via email
The worm harvests email addresses from the Windows address books, and also searches for addresses in files with the following extensions:
adb
asp
dbx
doc
htm
html
php
sht
tbb
txt
wab
The worm does not send copies of itself to email addresses which contain the following text strings:
.gov
adaware
avguk
grisoft
kaspersky
lavasoft
mcafee
nod32
pandasoftware
sophos
symantec
trendmicro
The worm sends infected messages by establishing a direct connection to recipients' SMTP-servers.
Infected messages
Message subject (chosen at random from the list below):
Hhahahah lol!!!!
Your Pic On A Website!!
Rate My Pic.......
You have an Admirer
Message body (chosen at random from the list below):
i found this on my computer from ages ago download it and see if you can remember it lol i was lauging like mad when i saw it! :D email me back haha...
I was looking at a website and came across this pic they look just like you! infact im sure is it someonce else :S ? Ive Added the pic in a zip so download it and check & email me back!
Hi ive sent 5 emails now and nobody will rate my pic!! :( please download and tell me what you think out of 10 , dont worry if you dont like it just say I wont be offended p.s i was drunk when it was taken :P
Someone has asked us on there behalf to send you this email and tell you they think you are wonderfull!!! All the The mystery persons details you need are enclosed in the attachment :) please download and respond telling us if you would like to make further contact with this person. Regards Hallmark Admirer Mail Admin.
Attachment name (chosen at random from the list below):
attachment.zip
Pic_001.exe
Sexy_09.scr
Scan_04.scr
Photo_01.pif
admire_001.exe
is_this_you.scr
love_04.scr
for_you.pif
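The subject, body and attachment lists above are what a mail gateway can match on. The following is an added example, not part of the original description: it parses a raw message with Python's standard email library and returns a verdict based on whether the subject is one of the listed lures and whether an attachment uses one of the executable extensions (.exe, .scr, .pif) or is a ZIP archive as the description states. The sample message, its addresses and its attachment payload are constructed for the demonstration.

```python
"""Gateway-side detection for the infected messages described above.

Added example, not part of the original description. The sample message
below is constructed; the subject and attachment names come from the
lists in the description.
"""
import email
from email import policy

# Lure subjects from the description, lowercased for comparison.
LURE_SUBJECTS = {
    "hhahahah lol!!!!",
    "your pic on a website!!",
    "rate my pic.......",
    "you have an admirer",
}

# Extensions used by the listed attachment names, plus the ZIP container.
RISKY_EXTENSIONS = (".exe", ".scr", ".pif", ".zip")


def attachment_names(msg):
    """Collect the filenames of every MIME part that carries one."""
    names = []
    for part in msg.walk():
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def classify(raw_message):
    """Return (verdict, reasons) for a raw RFC 5322 message string.

    verdict is "quarantine" when both a lure subject and a risky
    attachment are present, "review" when only one of them is, and
    "pass" otherwise.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    subject_raw = str(msg["Subject"] or "")
    subject = subject_raw.strip().lower()
    risky = [n for n in attachment_names(msg)
             if n.lower().endswith(RISKY_EXTENSIONS)]

    reasons = []
    if subject in LURE_SUBJECTS:
        reasons.append(f"lure subject: {subject_raw}")
    for name in risky:
        reasons.append(f"executable or archive attachment: {name}")

    if subject in LURE_SUBJECTS and risky:
        verdict = "quarantine"
    elif reasons:
        verdict = "review"
    else:
        verdict = "pass"
    return verdict, reasons


# Constructed sample: lure subject plus an .exe attachment whose body is
# just the base64 of the word "constructed".
SAMPLE_INFECTED = """\
From: sender@example.invalid
To: recipient@example.invalid
Subject: You have an Admirer
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Someone has asked us on there behalf to send you this email.
--b1
Content-Type: application/octet-stream; name="admire_001.exe"
Content-Disposition: attachment; filename="admire_001.exe"
Content-Transfer-Encoding: base64

Y29uc3RydWN0ZWQ=
--b1--
"""

# Constructed benign message for comparison.
SAMPLE_BENIGN = """\
From: colleague@example.invalid
To: recipient@example.invalid
Subject: Meeting notes
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain

Notes attached.
--b2
Content-Type: text/plain; name="notes.txt"
Content-Disposition: attachment; filename="notes.txt"

see above
--b2--
"""

if __name__ == "__main__":
    for sample in (SAMPLE_INFECTED, SAMPLE_BENIGN):
        print(classify(sample))
```

Matching the subject alone gives a "review" verdict rather than a block, because these subjects are short enough to occur in legitimate mail; the combination with a directly executable attachment is what justifies quarantine.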
Propagation via local network
The worm copies itself to the following network resources:
ADMIN$
IPC$
C$
D$
Remote administration
The worm connects to the windows.serverftp.com server and opens a random TCP port on the victim machine in order to receive commands. The backdoor function means that a malicious remote attacker will have full access to the infected machine. In addition to this, the backdoor can be used to download files from the Internet and launch them.