Win32.Manymize.A@mm (WORM_MANYMIZE.A)
SYMPTOMS:

TECHNICAL DESCRIPTION:
This is an Internet worm that spreads using two different exploits. The first is the Iframe exploit, which lets the worm execute as soon as the user previews the e-mail. The second lets a script be executed from a .wmv file (Windows Media file). It arrives in the following format:

From: an e-mail address randomly generated by picking one of the following account names: Heygenius, hulee, imedusa, jauhui, huangsj, huangsu, ietachi, jingyam, j4504, uangm, ivanhuangm, huting, j420k, homelanie, jaga6182, jj0103, hu4461, hui0716, hwachang, jacky702, jc660212, hh456, hsingni, hfp8, hgk315, huck0083, happymm, huang_ken, hut6641, j3017, james813, jarenluo, jenny_tsai, herotom, hfp5, hpf5678, ioiop5022, jupiter1117, hks7982, hippo8047, hk1513, hsiung33, jade1002, hsintay, hsu31036, ienali, jean0628, jht66, hhjj00669, hq7699, hv116699, hy0527, hyy0831, i100043491, j80014, jack2202, jacky12j, jemily, hs6910, iqmore, jack6318, jackyy0607, h2h3, h90308, hata408, hd6525, heart1028, hope90, hui0330, ifififif, ino007, isamuoki88, j813, housepain, hsiaan, hsuan0811, imgproc, ivy0323, j122388084, jearsu, jeff2415, jenshyan9, jeslee, jhae9876, jhjhshoke, hch88888, hj002040, hkl750, ioiriui, iw5650, jaja77, japs412, iii5555, i8455, h123243574, hit206, jessie1985, howarda, isancp, h885talk, hanwuji, hapi169, hb0810, hdd0002, hhhh7111, j7558486, jackie59, jarehoard0339, jcsun1028, jk78963578, jmj12, jmsbtl, jn0481, jo1016, joe126857, joemm, johnnyy1, jojo987654, joko3, jon1210, jonse16 and appending the domain @patame.com.tw

Subject: randomly generated from a table of words; the worm takes one entry from every column and builds a sentence, e.g. [Hi] [, See this] [amusing] [movie]

Attachments: Mi2.chm, Mi2.exe, Mi2.htm and Mi2.wmv

When the user previews the e-mail, the Mi2.exe attachment is executed and the worm starts its spreading routine. If the system is not vulnerable to the Iframe exploit, the worm spreads only if the user opens one of the attachments; usually the user opens Mi2.wmv. That file contains a URL pointing to Mi2.htm, and when the file is viewed in Media Player the HTML is executed. Mi2.htm hands control to Mi2.chm, which contains a script that opens Mi2.exe. Once Mi2.exe runs, the spreading routine executes: the worm collects all e-mail addresses from the Outlook Express Address Book and sends itself to them in the same format in which it arrived. Note that both infection paths end in the same executable, so quarantining the Mi2.* attachment set at the mail gateway stops the worm regardless of which path the recipient's client follows.

REMOVAL INSTRUCTIONS:
ANALYZED BY: Sorin Victor Dudea, BitDefender Virus Researcher
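The arrival format given in the technical description, turned into a mail-gateway triage rule. This is an added example and not BitDefender's detection code: it flags a message on the sender account list at patame.com.tw, on the fixed Mi2.chm/Mi2.exe/Mi2.htm/Mi2.wmv attachment set, and on the subject shape shown above. The subject pattern is an assumption built from the one example sentence on the page (the page does not reproduce the word table), and the sample messages are constructed for the example.

```python
"""Triage rule for the Win32.Manymize.A@mm arrival format.

Added example, not BitDefender code. It keys on the three traits the
description gives: a From address built from one of the listed account
names at patame.com.tw, the fixed Mi2.chm/Mi2.exe/Mi2.htm/Mi2.wmv
attachment set, and the [greeting][, see this][adjective][noun] subject
shape. The sample messages at the bottom are constructed for this example.
"""
import email
import re
from email import policy
from email.message import EmailMessage

SENDER_DOMAIN = "patame.com.tw"

# Full account-name list from the description, compared case-insensitively.
SENDER_ACCOUNTS = frozenset("""
heygenius hulee imedusa jauhui huangsj huangsu ietachi jingyam j4504 uangm ivanhuangm huting
j420k homelanie jaga6182 jj0103 hu4461 hui0716 hwachang jacky702 jc660212 hh456 hsingni hfp8
hgk315 huck0083 happymm huang_ken hut6641 j3017 james813 jarenluo jenny_tsai herotom hfp5 hpf5678
ioiop5022 jupiter1117 hks7982 hippo8047 hk1513 hsiung33 jade1002 hsintay hsu31036 ienali jean0628 jht66
hhjj00669 hq7699 hv116699 hy0527 hyy0831 i100043491 j80014 jack2202 jacky12j jemily hs6910 iqmore
jack6318 jackyy0607 h2h3 h90308 hata408 hd6525 heart1028 hope90 hui0330 ifififif ino007 isamuoki88
j813 housepain hsiaan hsuan0811 imgproc ivy0323 j122388084 jearsu jeff2415 jenshyan9 jeslee jhae9876
jhjhshoke hch88888 hj002040 hkl750 ioiriui iw5650 jaja77 japs412 iii5555 i8455 h123243574 hit206
jessie1985 howarda isancp h885talk hanwuji hapi169 hb0810 hdd0002 hhhh7111 j7558486 jackie59 jarehoard0339
jcsun1028 jk78963578 jmj12 jmsbtl jn0481 jo1016 joe126857 joemm johnnyy1 jojo987654 joko3 jon1210
jonse16
""".split())

# The worm always ships all four; any one of them is still worth flagging.
WORM_ATTACHMENTS = frozenset({"mi2.chm", "mi2.exe", "mi2.htm", "mi2.wmv"})

# Assumption: the page shows only one subject example, so the pattern is
# anchored on the fixed ", See this" joiner and allows any adjective/noun.
SUBJECT_RE = re.compile(r"^\s*\w+\s*,\s*see this\s+\w+\s+\w+\s*$", re.IGNORECASE)


def triage(raw: bytes) -> dict:
    """Return the matched indicators and a verdict for one RFC 822 message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []

    m = re.search(r"([^<\s@]+)@([^>\s]+)", str(msg.get("From", "")))
    sender_hit = (bool(m) and m.group(2).lower() == SENDER_DOMAIN
                  and m.group(1).lower() in SENDER_ACCOUNTS)
    if sender_hit:
        hits.append("sender is a listed account name @patame.com.tw")

    names = {(part.get_filename() or "").lower() for part in msg.iter_attachments()}
    found = sorted(names & WORM_ATTACHMENTS)
    full_set = WORM_ATTACHMENTS <= names
    if full_set:
        hits.append("complete Mi2.chm/Mi2.exe/Mi2.htm/Mi2.wmv attachment set")
    elif found:
        hits.append("partial Mi2.* attachment set: " + ", ".join(found))

    subject_hit = bool(SUBJECT_RE.match(str(msg.get("Subject", ""))))
    if subject_hit:
        hits.append("subject has the [Hi][, See this][adjective][noun] shape")

    # The full attachment set is decisive on its own; otherwise require a
    # Mi2.* attachment plus the sender or subject signature, so a lone
    # patame.com.tw sender or a look-alike subject is not enough.
    verdict = bool(full_set or (found and (sender_hit or subject_hit)))
    return {"is_manymize": verdict, "hits": hits}


def build_sample(sender: str, subject: str, attachment_names) -> bytes:
    """Construct a test message (sample data, not a captured worm e-mail)."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = "victim@example.invalid"
    msg["Subject"] = subject
    msg.set_content("see the attached movie")
    for name in attachment_names:
        msg.add_attachment(b"\x00" * 16, maintype="application",
                           subtype="octet-stream", filename=name)
    return msg.as_bytes()


# Constructed samples: one in the worm's arrival format, one ordinary message.
WORM_SAMPLE = build_sample("huangsj@patame.com.tw", "Hi, See this amusing movie",
                           ["Mi2.chm", "Mi2.exe", "Mi2.htm", "Mi2.wmv"])
BENIGN_SAMPLE = build_sample("alice@example.invalid", "Minutes from Monday",
                             ["minutes.txt"])

if __name__ == "__main__":
    for label, raw in (("worm", WORM_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, triage(raw))
```

The verdict deliberately refuses to fire on the sender list alone: those are presumably legitimate patame.com.tw accounts harvested from a victim's address book, and blocking them outright would punish the people whose identities the worm borrows. Attachment names are the stable signal, which is why a partial Mi2.* set from a listed sender is still flagged.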