Win32.Manymize.A@mm

LOW
LOW
73728 bytes, 515 bytes, 11373 bytes, 19461 bytes
(WORM_MANYMIZE.A)

Symptoms

  • The presence of an email message like the one in the technical description.
  • Removal instructions:

    1. If you don't have BitDefender installed, click here to download an evaluation version;

    2. Make sure that you have the latest updates using BitDefender Live!;

    3. Perform a full scan of your system (selecting, from the Action tab, the option Prompt user for action). Choose to delete all the files infected with Win32.Manymize.A@mm.

    Analyzed By

    Sorin Victor Dudea BitDefender Virus Researcher

    Technical Description:

    This is an Internet worm that spreads using two different exploits.
    The first is the Iframe exploit, which allows the worm to be executed when the user previews the e-mail. The second allows a script to be executed from a .wmv file (Windows Media File).

    It arrives in the following format:

    From: An e-mail address randomly generated from the following account names:
    And the domain:
    @patame.com.tw
    Subject:
    It is randomly generated from the following table (five entries per column):

    Column 1: Hi | Dear | Hello | My friend, | How are you !!
    Column 2: , See this | This is | Open the | Attached is my | Watch my
    Column 3: funny | interesting | cute | amusing | special
    Column 4: video. | movie. | penguin. | clip. | tape.

    It takes an entry from every column and builds a sentence.
    Ex:
    [Hi] [, See this] [amusing] [movie]



    Attachments:
      • Mi2.chm
      • Mi2.exe
      • Mi2.htm
      • Mi2.wmv

    When the user previews the e-mail, the mi2.exe attachment is executed and the worm starts its spreading routine.

    If the system is not vulnerable to the Iframe exploit, the worm spreads only if the user opens one of the attachments.

    Usually the user opens the mi2.wmv attachment. That file contains a URL to mi2.htm, and when it is viewed in Media Player the HTML is executed.
    mi2.htm then hands control to mi2.chm.
    Mi2.chm contains a script that opens mi2.exe.

    After mi2.exe is opened, the spreading routine runs: the worm collects all e-mail addresses from the Outlook Express Address Book and sends itself to those addresses in the same format in which it arrived.
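    As an added example (not part of the Bitdefender entry and not the worm's code), the following Python turns the four-column subject table, the Mi2.* attachment chain and the spoofed sender domain described above into a mail-gateway check; the sample message is constructed, not a real capture.

```python
import re
from email import message_from_string

# Subject fragments from the worm's four-column table (values taken from the page).
GREETINGS = ["Hi", "Dear", "Hello", "My friend,", "How are you !!"]
LEADINS = [", See this", "This is", "Open the", "Attached is my", "Watch my"]
ADJECTIVES = ["funny", "interesting", "cute", "amusing", "special"]
NOUNS = ["video.", "movie.", "penguin.", "clip.", "tape."]
# The four-file attachment chain and the spoofed sender domain, also from the page.
ATTACHMENTS = {"mi2.chm", "mi2.exe", "mi2.htm", "mi2.wmv"}
SENDER_DOMAIN = "@patame.com.tw"

def _alt(words):  # regex alternation over one table column
    return "(?:" + "|".join(re.escape(w) for w in words) + ")"

# One entry from every column, in order, separated by optional whitespace.
SUBJECT_RE = re.compile(r"^\s*" + r"\s*".join(map(_alt, (GREETINGS, LEADINS, ADJECTIVES, NOUNS)))
                        + r"\s*$", re.IGNORECASE)

def subject_matches(subject):
    return bool(SUBJECT_RE.match(subject or ""))

def classify(raw):  # indicators found in one RFC 822 message, plus a verdict
    msg = message_from_string(raw)
    names = {p.get_filename().lower() for p in msg.walk() if p.get_filename()}
    found = ATTACHMENTS & names
    sender = msg.get("From", "").lower().rstrip("> ")
    hits = {
        "subject": subject_matches(msg.get("Subject", "")),
        "attachments": sorted(found),
        "sender_domain": sender.endswith(SENDER_DOMAIN),
    }
    # A generated subject plus any file of the Mi2.* chain is enough to quarantine.
    hits["suspect"] = hits["subject"] and bool(found)
    return hits

# Constructed sample (not a real capture) shaped like the page's description.
SAMPLE = """\
From: jenny_tsai@patame.com.tw
Subject: Hi, See this amusing movie.
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Disposition: attachment; filename="Mi2.wmv"

AAAA
--b1
Content-Disposition: attachment; filename="Mi2.exe"

AAAA
--b1--
"""
```

    Calling classify(SAMPLE) reports the matching subject, both Mi2.* attachments and the spoofed domain, so the message is flagged as suspect.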