Threat Encyclopedia


Installation

When executed, the worm copies itself into the %system% folder. A subfolder is created in the following folder:

%userprofile%\Local Settings\Application Data\Microsoft\WinTools\

Its name is one of the following:

dvd
dvd_info
free
lunch
l_this
mp3
new_mp3
new_video
photo
sh_docs
take_it
video
xxx

Two files are dropped in the folder. Some of the following strings may be used to form the filenames:

dvd
dvd_info
free
lunch
l_this
mp3
new_mp3
new_video
photo
sh_docs
take_it
video
xxx

One of the files is a copy of the worm. The filename has one of the following extensions:

.exe
.pif

The other is a WMF file that serves as a dropper; it exploits the MS06-001 vulnerability. The file size is 80 kB. The filename has one of the following extensions:

.jpg
.wmf

In order to be executed on every system start, the worm sets the following Registry entries:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms_net_update
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ms_net_update

The entries contain the path to the worm executable.
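Added here as a defender's check and not part of the encyclopedia entry: a small Python script that matches files and Run-key values against the installation indicators above (the WinTools subfolder, the listed name stems, the .exe/.pif and .jpg/.wmf extensions, and the ms_net_update Run value). The WMF header signatures, the directory-walking helper and the sample bytes are my own assumptions, not taken from the page.

```python
from pathlib import Path, PureWindowsPath
from typing import Iterator, Optional, Tuple

# Indicators taken from the entry text above.
WINTOOLS_DIR = r"Local Settings\Application Data\Microsoft\WinTools"
NAME_STEMS = {"dvd", "dvd_info", "free", "lunch", "l_this", "mp3", "new_mp3",
              "new_video", "photo", "sh_docs", "take_it", "video", "xxx"}
RUN_VALUE = "ms_net_update"

# Assumed WMF signatures: placeable (Aldus) key and the standard disk/memory header.
WMF_PLACEABLE_KEY = b"\xd7\xcd\xc6\x9a"
WMF_STANDARD_HEADERS = (b"\x01\x00\x09\x00", b"\x02\x00\x09\x00")

# Constructed sample: WMF bytes that would be stored under a .jpg name.
SAMPLE_WMF_AS_JPG = WMF_PLACEABLE_KEY + b"\x00" * 18 + WMF_STANDARD_HEADERS[0]


def is_wmf(data: bytes) -> bool:
    """True if the bytes carry a WMF header, regardless of the file extension."""
    return data[:4] == WMF_PLACEABLE_KEY or data[:4] in WMF_STANDARD_HEADERS


def in_wintools_dir(path: str) -> bool:
    """True if the path points into the per-user WinTools folder used by the worm."""
    return WINTOOLS_DIR.lower() in path.lower()


def classify_dropped_file(path: str, data: bytes) -> Optional[str]:
    """Match one file against the two dropped files described in the entry.

    Returns 'worm_copy', 'wmf_dropper' or None (no match)."""
    p = PureWindowsPath(path)
    if not in_wintools_dir(str(p.parent)):
        return None
    stem, ext = p.stem.lower(), p.suffix.lower()
    if not any(s in stem for s in NAME_STEMS):   # names are built from the listed strings
        return None
    if ext in (".exe", ".pif"):
        return "worm_copy"
    if ext in (".jpg", ".wmf") and is_wmf(data):  # a .jpg that is really a WMF
        return "wmf_dropper"
    return None


def suspicious_run_entry(value_name: str, value_data: str) -> bool:
    """Flag the Run value the entry names, or any Run value pointing into WinTools."""
    return value_name.lower() == RUN_VALUE or in_wintools_dir(value_data)


def scan_tree(root: str) -> Iterator[Tuple[str, str]]:
    """Walk a directory tree and yield (path, verdict) for matching files."""
    for f in Path(root).rglob("*"):
        if f.is_file():
            verdict = classify_dropped_file(str(f), f.open("rb").read(4))
            if verdict:
                yield str(f), verdict
```

Run-key values can be fed to suspicious_run_entry from whatever registry export or live query the analyst already uses; scan_tree expects a copied-out user profile or a mounted image.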

Spreading via e-mail

E-mail addresses for further spreading are searched for in local files with the following extension:

.wab

The subject of the message is one of the following:

Action
Beauty
Bush
FIFA
Helo
Hi
important
Incredible!!
info
Kiss
Laura
Laura and John
Lola
Look at this!!!
Miss Khan
Nataly
Ola
Olympus
Paula
pic
pics
private
private pics
read this
RE:
Re:
Re: hi
Re: info
RE: pic
Robert
Sex
!!

The body of the message is one of the following:

There is some info in the attached file !!!
Zip P A S S : %variable%

The attachment is a ZIP archive. It may be password protected. Its filename is combined from some of the following strings:

about_windows
antispam
congratulations
firefox_update
free_antivirus
free_anti_spyware
google_info
google_tool
ie_update
inet
jpg
mail_control
mails_list
ms_office_update
net_update
new_picture
new_win_patch
passw
picture
pif
remove_spyware
some_info
wmf
www
yahoo_info
yahoo_tool
your_friends

The archive contains either the executable or the WMF dropper.