Monday, January 30, 2006

MyWife prevention and cure...

CNET reviews By Robert Vamosi

Jan. 26, 2006. This mass-mailing e-mail worm uses an old trick--the lure of pornography--and may delete your critical Microsoft Office files.

QUICK FACTS

Name: MyWife (W32.MyWife@mm), aliases include CME-24 (US-CERT), Tearec (Panda), Nyxem (Sophos), Blackmal (Symantec, Computer Associates, Vet), and GREW (Trend).

What it does: Disables security apps and attempts to overwrite data files on your PC.

Means of transmission: E-mail and shared network files

How to recognize: E-mail suggesting a sexually oriented file attachment, and possibly the inability to run an antivirus scan.

Who is at risk: All Windows users.

How we rate: A classic e-mail virus is on the loose and is poised to delete crucial files on the third day of each month.

MyWife (W32.MyWife@mm) (aliases include CME-24 (US-CERT), Tearec (Panda), Nyxem (Sophos), Blackmal (Symantec, Computer Associates, Vet), and GREW (Trend)) lures potential victims with a promise of sexual content. Several variants of the worm are in circulation, most of which delete or disable security protection from Norton, McAfee, Trend Micro, and Kaspersky security products. Worse: on the third day of each month, MyWife overwrites data files with the following extensions: DOC, XLS, MDE, MDB, PPT, PPS, RAR, PDF, PSD, DMP, and ZIP. According to Sans.org, the files are overwritten with the error message "DATA Error [47 0F 94 93 F4 K5]." MyWife affects all versions of Windows; it does not affect users of Mac OS, Linux, or Unix. Because MyWife spreads via e-mail and could damage system files, this worm rates a 6 on the CNET/ZDNet Virus Meter.

How it works
MyWife arrives via e-mail with subject lines similar to the following list:

The Best Videoclip Ever
School girl fantasies gone bad
A Great Video
Fu**in Kama Sutra pics
Arab sex DSC-00465.jpg
give me a kiss
*Hot Movie*
Fw: Funny :)
Fwd: Photo
Fwd: image.jpg
Fw: Sexy
Re:
Fw:
Fw: Picturs
Fw: DSC-00465.jpg
Word file
eBook.pdf
the file
Part 1 of 6 Video clipe
You Must View This Videoclip!
Miss Lebanon 2006
Re: Sex Video
My photos

According to antivirus vendor McAfee, MyWife adds the following files to an infected system:

%Windows%\rundll16.exe
%System%\scanregw.exe
%System%\Update.exe
%System%\Winzip.exe
c:\winzip_tmp.exe
%Temp%\word.zip

Nyxem also installs the following registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run] "ScanRegistry" = "%System%\scanregw.exe /scan"

The worm will attempt to copy itself to the following shares, using the current user's authentication:

C$\documents and settings\all users\start menu\programs\startup\winzip quick pick.exe
Admin$\winzip_tmp.exe
C$\winzip_tmp.exe

Once executed, MyWife attempts to delete or disable active security protection from Norton, McAfee, Trend Micro, and Kaspersky security products.
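As an added example (not part of the CNET article), the indicators above can be turned into a small host-triage check in Python: it matches the dropped-file list and the ScanRegistry Run value against a host inventory, and flags documents that now begin with the Sans.org error marker quoted earlier. The environment mapping and the sample host paths are constructed assumptions so the check runs offline.

```python
import ntpath
# Indicators taken from the article above (McAfee's file list, the Run key,
# and the Sans.org error marker). %Windows%/%System%/%Temp% are expanded
# via an explicit env mapping so the logic runs offline on an inventory.
DROPPED_FILES = [
    r"%Windows%\rundll16.exe",
    r"%System%\scanregw.exe",
    r"%System%\Update.exe",
    r"%System%\Winzip.exe",
    r"c:\winzip_tmp.exe",
    r"%Temp%\word.zip",
]
RUN_VALUE_NAME = "ScanRegistry"  # value under HKLM\...\CurrentVersion\Run
RUN_VALUE_DATA = r"%System%\scanregw.exe /scan"
OVERWRITE_MARKER = b"DATA Error [47 0F 94 93 F4 K5]"
TARGET_EXTENSIONS = {".doc", ".xls", ".mde", ".mdb", ".ppt", ".pps",
                     ".rar", ".pdf", ".psd", ".dmp", ".zip"}

def expand(path, env):
    """Expand %Windows%/%System%/%Temp% and lower-case for comparison."""
    for key, value in env.items():
        path = path.replace(f"%{key}%", value)
    return path.lower()

def find_dropped_files(present_files, env):
    """Return the article's dropped-file paths that exist in a file inventory."""
    present = {p.lower() for p in present_files}
    return [p for p in DROPPED_FILES if expand(p, env) in present]

def run_key_matches(run_values, env):
    """True if the Run key carries ScanRegistry -> scanregw.exe /scan."""
    data = run_values.get(RUN_VALUE_NAME)
    return data is not None and data.lower() == expand(RUN_VALUE_DATA, env)

def is_overwritten_document(path, content):
    """True if a targeted document type now begins with the worm's error marker."""
    ext = ntpath.splitext(path)[1].lower()
    return ext in TARGET_EXTENSIONS and content.lstrip().startswith(OVERWRITE_MARKER)

# Constructed sample host (hypothetical paths), not data from a real infection.
SAMPLE_ENV = {"Windows": r"C:\WINDOWS", "System": r"C:\WINDOWS\system32",
              "Temp": r"C:\Temp"}
SAMPLE_FILES = [r"C:\WINDOWS\system32\scanregw.exe", r"C:\WINDOWS\system32\Winzip.exe",
                r"C:\winzip_tmp.exe", r"C:\WINDOWS\notepad.exe"]
SAMPLE_RUN = {"ScanRegistry": r"C:\WINDOWS\system32\scanregw.exe /scan"}

if __name__ == "__main__":
    print("dropped files:", find_dropped_files(SAMPLE_FILES, SAMPLE_ENV))
    print("run key persistence:", run_key_matches(SAMPLE_RUN, SAMPLE_ENV))
```

On a real host the inventory would come from a directory listing of the expanded %Windows%, %System% and %Temp% locations plus an export of the Run key; a hit on the marker check identifies which documents must be restored from backup.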

Prevention
MyWife infections can be avoided if a personal firewall is enabled on a desktop PC, if e-mail attachments are not opened (or are opened with caution), and if your antivirus subscription remains current.

Removal
A few antivirus software companies have updated their signature files to include this worm. This will stop the infection upon contact and in some cases will remove an active infection from your system. For more information, see Computer Associates, F-Secure, McAfee, Microsoft, Panda, Sophos, Symantec, and Trend Micro.