W32.Wonna@mm


Aliases: Email-Worm.Win32.Ainjo.c, I-Worm.Ainjo.c, W32/Mellon.worm, W32.Wonna@mm, Win32.HLLM.Generic.91
Variants: W32/Join-C, Win32/Mellon.B@mm, WORM_AINJO.C, W32/Ainjo.C, Win32:Ainjo-B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 17 Oct 2002
Damage: Low

Characteristics: The W32.Wonna@mm program is a mass-mailing worm. It sends a copy of its code to all contacts in your MS Outlook Address Book. The e-mail message has many different subject lines and several different attachment names. The worm also spreads through the KaZaA file-sharing network program. It tries to trick the user into downloading and executing W32.Wonna@mm.

More details about W32.Wonna@mm

Once W32.Wonna@mm is executed on your system, it sends a copy of itself to all contacts in your Address Book. The e-mail may include subjects such as “We need to talk...!”, “What's the problem?”, “How are you??”, “You need help?”, “What's happening???”, etc. It also comes with an attachment, and the worm is executed when this attached file is downloaded. The attached file may be named funny, cool_file, nice_file, funny toy, nice song, ReadMe, Information, etc., with file extensions such as .exe, .jpg, .com, .php, .htm, .mp3, .asp, .mpg, .txt, and .doc. Once downloaded on your system, the worm copies its code as a read-only or hidden file named Cool_File.exe. Next, W32.Wonna@mm creates a file named Script.ini that sends Cool_File.exe using the mIRC program. Finally, it copies itself to other locations on your system as MSN Hack.exe, MSN Crack.exe, ICQ Password, HotMail SpiderMan-PC-Game-v2 FullDownloader.exe, ICQ Hack.exe, MSN Hack.exe and Windows (All Versions) KeyGen.exe.

The worm also contains a payload that drops W32.Badtrans.B@mm. It does this by creating either WinDLL.txt, WinEXE.txt, WinCOM.txt, WinSCR.txt or WinSYS.txt. The worm then uses those files to create another file such as WinSCR.scr, WinEXE.scr, WinCOM.scr or WinSYS.scr. Before the worm runs the created .exe file, it shows a message.
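
The file names described above can be checked against a file listing collected from a suspect machine. The following Python sketch is an added example, not part of the original write-up: the group labels, the two-group threshold and the sample paths are assumptions of this example, and only the file names come from the description.

```python
from pathlib import PureWindowsPath

# File names from the description above, lower-cased because Windows file
# names are case-insensitive. Group labels are this example's own.
# The two names that appear run together in the source list are left out.
INDICATORS = {
    "dropped copy": {"cool_file.exe"},
    "mirc script": {"script.ini"},
    "renamed copy": {"msn hack.exe", "msn crack.exe", "icq hack.exe",
                     "windows (all versions) keygen.exe"},
    "payload staging": {"windll.txt", "winexe.txt", "wincom.txt",
                        "winscr.txt", "winsys.txt", "winscr.scr",
                        "winexe.scr", "wincom.scr", "winsys.scr"},
}

def triage(paths):
    """Map each indicator group to the listed paths whose file name matches."""
    hits = {}
    for path in paths:
        name = PureWindowsPath(path).name.lower()
        for group, names in INDICATORS.items():
            if name in names:
                hits.setdefault(group, []).append(path)
    return hits

def verdict(hits):
    """Assumed rule: one group alone is a generic name match worth a look;
    two or more groups together fit the behaviour described."""
    if len(hits) >= 2:
        return "likely"
    return "review" if hits else "clean"

# Constructed sample listing (directories are made up for the example).
SAMPLE = [
    r"C:\WINDOWS\COOL_FILE.EXE",
    r"C:\mirc\script.ini",
    r"C:\WINDOWS\WinSCR.txt",
    r"C:\WINDOWS\WinSCR.scr",
    r"C:\Users\a\Documents\notes.txt",
]

if __name__ == "__main__":
    found = triage(SAMPLE)
    for group, matched in found.items():
        print(f"{group}: {matched}")
    print("verdict:", verdict(found))
```

A name match is only a lead: confirm any hit with an up-to-date scanner before removing files.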