New Worms Stretching Across Web | eWeek

New Worms Stretching Across Web

Écrit par
Dennis Fisher
Dennis Fisher
Mar 25, 2004
3 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Two new low-threat worms are making the rounds on the Internet Thursday, continuing the plague of malware that began in January and has shown no signs whatsoever of abating.

Of the two worms, known as Mywife and Snapper, the former appears to be the more worrisome and have the greater potential for spreading widely, security services said. Mywife arrives in an e-mail with a spoofed sending address and any one of several vaguely pornographic subject lines, including, “very hot XXX” and “FW:RE: Hot Erotic.” The body of the e-mail also varies and some of the messages are quite graphic.

The e-mail contains two attachments, one of which is simply a graphic file that displays a fake Norton AntiVirus 2004 logo, supposedly certifying that the other attachment is virus-free. The second attached file is compressed and can have any one of several names, including: Aprilgoostree, Parishilton, Rickymartin or a handful of profanities. The compressed file contains a third file with either an .exe or .scr extension, according to an analysis of the worm done by Panda Software Inc.

A second version of the virus-infected e-mail carries a fake virus warning, purportedly from antivirus vendor Symantec Corp., informing recipients that their machine is infected by the fictitious BlackWorm virus. This version has an attachment named either Scan.tge or Scan.zip.

The Mywife code also contains a jab at Microsoft Corp., although it is never displayed on the users screen: “microsoft do u hear me? we gon kick u ass an *** u down u got my word **Black Worm**.”

Once resident on a computer, Mywife goes to work removing the Windows registry entries for a variety of antivirus and security applications.

The Snapper worm is quite different from Mywife, and in fact resembles the last few variants of the Bagle virus that showed up last week. Instead of relying on the user to open an infected attachment, Snapper sends blank e-mails with spoofed sending addresses that contain code that automatically executes once the message is opened or viewed in the preview pane in Outlook. The code causes the local host computer to connect to a remote Web server located at 198.170.245.129 and try to download a file called HTMLhelp.cgi.

/zimages/5/28571.gifClick hereto read more about the latest Bagle variants.

Like Bagle.Q and subsequent variants, Snapper exploits the object tag vulnerability in Internet Explorer to force the infected machine to download the file. That file then runs a piece of VB Script code that creates and executes a DLL in the Windows directory. The DLL, called IEload.dll, is 8,704 bytes in size.

Snapper then sends itself to all of the addresses in the users address book. However, the CGI file is not available on the remote Web server, making it unlikely that Snapper will spread very far, according to Network Associates Inc.s McAfee Security unit.

Network Associates, based in Santa Clara, Calif., listed both Snapper and Mywife as low threats.

/zimages/5/28571.gifCheck outeWEEK.coms Security Centerat http://security.eweek.com for security news, views and analysis. Be sure to add our eWEEK.com security news feed to your RSS newsreader or My Yahoo page:/zimages/5/19420.gifhttp://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo2.gif

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.