Email-Worm.Win32.Womble.a, W32/Womble-B, W32/Womble.A, W32/[email protected], [email protected], Win32/Womble.B, Win32:Wapplex, Worm.Mail.Agent.ag, Worm/Generic.WD, Worm/Womble
Category: Computer Worm
Active & Spreading
Asia, North and South America, and some parts of Europe and Australia
28 Aug 2006
The [email protected] program is a mass-mailing worm that collects e-mail addresses on the compromised computer and spreads copies of itself by exploiting the Microsoft Windows Graphics Rendering Engine WMF (SetAbortProc) Code Execution vulnerability described in Microsoft Security Bulletin MS06-001. It affects Windows operating systems such as Windows 95, Windows 2000, Windows Me, Windows 98, Windows Server 2003, Windows NT, and Windows XP.
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
Once the worm is executed on your system, it copies itself as %System%\[ORIGINAL FILE NAME]. It as well creates current user’s profile. The worm is also reported to add values to registry subkeys so that it runs automatically every time Windows starts. It gathers e-mail addresses from your Windows Address Book and from any other files on the compromised computer, then sends a duplicate of its code to IP addresses it collects. The e-mail has a subject such as action, beauty, FIFA, bush, etc. and comes with an attached file named new_picture.jpg.passw.zip, firefox_update.pif.zip and about_windows.wmf.passw.zip. These attachments exploit the Microsoft Windows Graphics Rendering Engine WMF (SetAbortProc) Code Execution vulnerability to drop and run the worm.
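As an added example (not part of the original write-up), here is a mail-gateway style check in Python for the attachment names listed above. The function names, the sample message and the risky inner extensions other than .pif and .wmf are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Attachment names taken from the description above.
KNOWN_NAMES = {
    "new_picture.jpg.passw.zip",
    "firefox_update.pif.zip",
    "about_windows.wmf.passw.zip",
}
# Assumption: inner extensions worth flagging when embedded in an archive name.
RISKY_INNER = {"pif", "wmf", "exe", "scr", "com", "bat"}
ARCHIVES = {"zip"}

def classify_attachment(filename):
    """Return 'known', 'suspicious' or 'ok' for one attachment file name."""
    name = filename.strip().lower()
    if name in KNOWN_NAMES:
        return "known"
    parts = name.split(".")
    # Archive whose name embeds a risky extension, e.g. update.pif.zip
    if len(parts) >= 3 and parts[-1] in ARCHIVES and RISKY_INNER & set(parts[1:-1]):
        return "suspicious"
    return "ok"

def scan_message(raw_bytes):
    """Parse a raw e-mail and return [(filename, verdict)] for flagged attachments."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        fname = part.get_filename()
        if fname:
            verdict = classify_attachment(fname)
            if verdict != "ok":
                hits.append((fname, verdict))
    return hits

def build_sample(filename):
    """Constructed sample message with a harmless placeholder attachment body."""
    m = EmailMessage()
    m["Subject"] = "FIFA"
    m["From"] = "sender@example.com"
    m["To"] = "user@example.com"
    m.set_content("constructed test message")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="zip", filename=filename)
    return m.as_bytes()
```

Name matching only catches unmodified copies; the double-extension rule is the broader signal and should feed quarantine or review rather than silent deletion.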
The computer infected by the [email protected] program can be used to attack other machines or servers. External devices such as webcams may be used to monitor the user’s actions in real time. Unauthorized remote users may install potentially harmful programs into the computer. Some may track the user’s browser activities. Others can acquire the usernames and passwords of several accounts. Anti-virus and security-related programs may also be disabled in order to prevent removal of the malware program.