Email-Worm.Win32.Naked (Kaspersky Lab) is also known as: I-Worm.Naked (Kaspersky Lab), W32/Naked@MM (McAfee), W32.Naked@mm (Symantec), Win32.HLLW.Naked (Doctor Web), W32/Naked (Sophos), Win32/Naked.B@mm (RAV), WORM_NAKED.A (Trend Micro), W32/Naked (H+BEDV), W32/Nakedwife.A@mm (FRISK), Win32:Naked (ALWIL), I-Worm/Naked.B@mm (Grisoft), I-Worm.Naked.A (SOFTWIN), Worm.Naked (ClamAV), W32/Naked (Panda), Win32/Naked (Eset)
This is an Internet worm that spreads via e-mail by sending infected messages from infected computers. To spread, the worm uses MS Outlook and sends itself to all addresses stored in the MS Outlook Address Book. The worm itself is a Win32 application about 70K in length, written in Visual Basic.
When run (if a user clicks on an attached infected file), the worm sends copies of itself by e-mail and performs the following destructive action: it deletes all .INI, .LOG, .DLL, .EXE, .COM and .BMP files in the Windows directory, and all .INI, .LOG, .DLL, .EXE and .BMP files in the Windows system directory.
The worm does not install itself into the system and does not touch the system registry (i.e. it does not register itself there). This is a "direct action" worm that performs its action only once, when it is activated from an infected message. The worm copies itself to the Windows TEMP directory, but does not use that copy.
When run, the worm displays a fake window with a "Macromedia Flash Player" picture in it, and it displays a "Loading", "Loading...", "Loading..." message in an endless loop.
The menus in the window do not trigger any action when selected, except the "Help" menu. Selecting it shows the "About Macromedia Flash Player 5..." item; when that item is selected, the worm displays the message box:

    Flash
    You're are now FUCKED! (C) 2001 by BGK (Bill Gates Killer)
    [ OK ]

The worm sends itself as an e-mail message with an attached EXE file that is the worm itself. The message consists of:

    Attached file name: NakedWife.exe
    The Subject: Fw: Naked Wife
    Message body:
        My wife never look like that! ;-)
        Best Regards,
        [CurrentUser]

where [CurrentUser] is the name of the sender.
When activated by a user (by double-clicking the attached file), the worm opens MS Outlook, gains access to the Address Book, obtains all addresses from it and sends a message with an attached copy of itself to each of them. The message subject, body and attached file name are the same as above.
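
A mail-gateway check for the message traits listed above, as an added example that is not part of the original description or of any vendor's tool. The function names, the verdict rule and the sample message are constructed for illustration; the "MZ" test relies only on the fact that Win32 executables begin with those two bytes.

```python
import email
from email import policy
from email.message import EmailMessage

# Message traits taken from the description above, lower-cased for comparison.
SUBJECT = "fw: naked wife"
ATTACHMENT = "nakedwife.exe"
BODY_LINE = "my wife never look like that! ;-)"

def naked_indicators(raw: bytes) -> set:
    """Return which of the described traits a raw e-mail message shows."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = set()
    # policy.default decodes RFC 2047 encoded-words; collapse folding whitespace.
    if " ".join(str(msg.get("Subject", "")).split()).lower() == SUBJECT:
        hits.add("subject")
    for part in msg.walk():
        name = part.get_filename()
        if name:
            if name.strip().lower() == ATTACHMENT:
                hits.add("attachment")
                # The worm is a Win32 EXE, so a real copy starts with "MZ".
                if (part.get_payload(decode=True) or b"")[:2] == b"MZ":
                    hits.add("mz_header")
        elif part.get_content_type() == "text/plain":
            if BODY_LINE in part.get_content().lower():
                hits.add("body")
    return hits

def verdict(raw: bytes) -> str:
    """block: named attachment plus subject or body; review: any other trait."""
    hits = naked_indicators(raw)
    if "attachment" in hits and hits & {"subject", "body"}:
        return "block"
    return "review" if hits else "pass"

def build_sample(subject, body, filename=None, data=b""):
    """Build a constructed test message (not a captured sample)."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.com", subject
    m.set_content(body)
    if filename:
        m.add_attachment(data, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()

if __name__ == "__main__":
    worm_like = build_sample("Fw: Naked Wife", "My wife never look like that! ;-)\n",
                             "NakedWife.exe", b"MZ" + b"\x00" * 62)
    print(verdict(worm_like), sorted(naked_indicators(worm_like)))
```

Matching is case-insensitive and the rule requires the attachment name plus one other trait before blocking, so a lone subject or body match is only queued for review.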