W32/Naked@MM

This page shows the details and results of our analysis of the malware W32/Naked@MM.

Overview

This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.


Minimum Engine: 5600.1067
File Length: 73,728
Description Added: 2001-03-06
Description Modified: 2002-02-21

Characteristics

This worm masquerades as a Flash (Shockwave application) movie. The program displays a logo from JibJab; however, it is not a Shockwave application at all and is not associated with JibJab in any way. The logo is used only as a social engineering device.

When run, it sends itself to all recipients in the Outlook Address Book and attempts to delete all .BMP, .COM, .DLL, .EXE, .INI, and .LOG files in the WINDOWS and WINDOWS\SYSTEM directories. This includes Windows NT, ME and other versions.

This program is written in Visual Basic and requires the Visual Basic 6 (or higher) runtime files. When run, it copies itself to a TEMP directory and displays a window titled "Flash", which reads "JibJab Loading". It then sends a separate email message, using Microsoft Outlook, to each recipient in the Outlook Address Book. The messages appear as follows:

Subject: Fw: Naked Wife
Body:
My wife never look like that! ;-)

Best Regards,
(sender's name)

Attached: NakedWife.exe

Choosing the HELP|ABOUT menu in the "Flash" window displays a message box titled "Flash", which reads "You're are now F**KED! (C) 2001 by BGK (Bill Gates Killer)" (** replaces the actual text displayed).
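A mail-gateway check for the message described above, as an added example that is not part of the original description: it parses a raw message and reports which of this page's indicators (subject, attachment name, the 73,728 file length taken as bytes) it matches. The function names, verdict labels and sample messages are constructed for illustration, and the sample attachment is filler bytes.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

# Indicators taken from this description (compared case-insensitively).
SUBJECT = "fw: naked wife"
ATTACHMENT = "nakedwife.exe"
FILE_LENGTH = 73728  # "File Length" above, assumed to be in bytes


def match_indicators(raw):
    """Return the list of page indicators that a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    hits = []
    # Collapse folded whitespace before comparing the subject line.
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    if subject == SUBJECT:
        hits.append("subject")
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().lower()
        if name == ATTACHMENT:
            hits.append("attachment-name")
            # Decode base64/quoted-printable so the on-disk size is compared.
            payload = part.get_payload(decode=True) or b""
            if len(payload) == FILE_LENGTH:
                hits.append("attachment-length")
    return hits


def verdict(hits):
    """Hypothetical policy: quarantine on the attachment, review on subject only."""
    if "attachment-name" in hits:
        return "quarantine"
    return "review" if hits else "pass"


def build_sample(subject, filename=None, size=0):
    """Construct a test message; the attachment body is zero-filled filler."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "alice@example.com", "bob@example.com", subject
    m.set_content("My wife never look like that! ;-)")
    if filename:
        m.add_attachment(b"\x00" * size, maintype="application",
                         subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for raw in (build_sample("Fw: Naked Wife", "NakedWife.exe", 73728),
                build_sample("Lunch?", "menu.pdf", 100)):
        hits = match_indicators(raw)
        print(verdict(hits), hits)
```

Subject and file name are trivially changed by a variant, so a match here is a triage signal that complements the engine and DAT detection rather than replacing it.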

Symptoms

- Absence of .BMP, .COM, .DLL, .EXE, .INI, and .LOG files in the WINDOWS and WINDOWS\SYSTEM directories for Win9x, NT, ME, 2000
- Inability to launch applications
- Email from correspondents alerting you that they have received the attachment NakedWife.exe from you
- Missing WIN.COM error message upon restarting Windows

Method of Infection

This worm arrives as the email attachment NakedWife.exe. Executing this application infects your machine and causes the worm to mail itself to your regular email correspondents.

Removal

All Users:
Use current engine and DAT files for detection and removal.

Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed if cleaning with the recommended engine and DAT combination (or higher).

In some particular cases, however, the following steps need to be taken.

Go to the Microsoft Recovery Console and restore a clean MBR.

On Windows XP:

  • Insert the Windows XP CD into the CD-ROM drive and restart the computer.
  • When the "Welcome to Setup" screen appears, press R to start the Recovery Console.
  • Select the Windows installation that is compromised and provide the administrator password.
  • Issue the 'fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.


On Windows Vista and 7:

  • Insert the Windows CD into the CD-ROM drive and restart the computer.
  • Click on "Repair Your Computer".
  • When the System Recovery Options dialog comes up, choose the Command Prompt.
  • Issue the 'bootrec /fixmbr' command to restore the Master Boot Record.
  • Follow onscreen instructions.
  • Reset and remove the CD from CD-ROM drive.

Variants