WORM_MUGLY.A
Overview

Malware type: Worm

Aliases: Email-Worm.Win32.Wurmark.a (Kaspersky), W32.Mugly.B@mm (Symantec), Worm/Wurmark.a.1 (Avira)

In the wild: Yes

Destructive: No

Language: English

Platform: Windows 95, 98, ME, NT, 2000, XP

Encrypted: No

Overall risk rating:


Reported infections:

Damage potential:

High

Distribution potential:

High

Description: 

This worm arrives on a system as an attachment to an email message with the following characteristics:

From: <spoofed>

Subject: (any of the following)
• You have an Admirer
• Your Pic On A Website!!
• Rate My Pic.......
• Hhahahah lol!!!!

Message Body: (any of the following)
• Someone has asked us on there behalf to send you this email and tell you they think you are wonderfull!!! All the The mystery persons details you need are enclosed in the attachment :) please download and respond telling us if you would like to make further contact with this person.

Regards Hallmark Admirer Mail Admin.

• I was looking at a website and came across this pic they look just like you! infact im sure it is lol , did you send this pic into them ? or is it someonce else :S ? Ive Added the pic in a zip so download it and check & email me back!

• Hi ive sent 5 emails now and nobody will rate my pic!! :( please download and tell me what you think out of 10 , dont worry if you dont like it just say i wont be offended p.s i was drunk when it was taken :P

• i found this on my computer from ages ago download it and see if you can remember it lol i was lauging like mad when i saw it! :D email me back haha...

Attachment: (any of the following)
• Pic_001.exe
• Photo_01.pif
• admire_001.exe
• is_this_you.scr
• love_04.scr
• for_you.pif
• Sexy_09.scr

It searches the affected system for target email addresses from files with certain extension names. However, it avoids sending email messages to addresses that contain specific strings, most of which are related to antivirus and security companies.

This worm also attempts to propagate across the network by exploiting the following known Windows vulnerabilities:

This worm may also try to propagate via the following accessible network shares:

  • Admin$
  • C$
  • IPC$

Apart from propagation, this worm also has backdoor capabilities. It connects to windowss.serveftp.com and opens random TCP ports to listen for commands from a remote attacker.

It drops several components, including a bot program detected as WORM_SDBOT.AFE. It also drops the following .JPG image, which it displays upon execution:

WORM_MUGLY.A displays this image upon execution

It runs on Windows 95, 98, ME, NT, 2000, and XP.


Description created: Dec. 1, 2004 4:00:03 AM GMT -0800
