Type: Worm
Category: Win32
Also known as:
Win32.Mugly.A, WORM_MUGLY.A (Trend), Win32/Mugly.A!Worm, W32/Mugly.a@MM (McAfee), W32.Mugly.A@mm (Symantec), Win32.Mugly.B, Win32/Mugly.B.Worm, W32/Mugly.b@MM (McAfee), W32.Mugly.B@mm (Symantec), Win32.Mugly.C, WORM_MUGLY.C (Trend), Win32/Mugly.C.Worm, W32/Mugly.c@MM (McAfee), W32.Mugly.C@mm (Symantec), Win32.Mugly.D, Win32/Mugly.D.327168!Worm, W32.Mugly.D@mm (Symantec), Win32/Mugly.E!Worm, W32/Mugly.e@MM (McAfee), Win32.Mugly.F, W32/Mugly.f@MM (McAfee), W32.Mugly.F@mm (Symantec), Win32.Mugly.G, Win32.Mugly.G!ZIP, W32.Mugly.G@mm (Symantec), Win32.Mugly.H, WORM_MUGLY.H (Trend), Win32/Mugly.H!Worm, Win32.Mugly.H!ZIP, W32/Mugly.h@MM (McAfee), WORM_MUGLY.I (Trend), W32/Mugly.i@MM (McAfee), Win32.Mugly.L, Win32/Mugly.M!Worm, W32/Mugly.m@MM (McAfee), W32.Picrate.C@mm (Symantec), Email-Worm.Win32.Wurmark.a (Kaspersky), Email-Worm.Win32.Wurmark.b (Kaspersky), Email-Worm.Win32.Wurmark.d (Kaspersky), Email-Worm.Win32.Wurmark.e (Kaspersky), Email-Worm.Win32.Wurmark.g (Kaspersky), Email-Worm.Win32.Wurmark.l (Kaspersky), WORM_WURMARK.D (Trend), WORM_WURMARK.E (Trend), W32/Wurmark-A (Sophos), W32/Wurmark-C (Sophos), W32/Wurmark-D (Sophos), W32/Wurmark-E (Sophos), W32/Wurmark-F (Sophos)
Description
Win32/Mugly is a family of worms that spread via e-mail. Members of this family may also carry a variant of the Win32.Rbot family of worms. The worm may be distributed inside a ZIP archive called "attached.zip". Most variants use an image-related icon (either a picture or the icon Windows associates with image files).
Method of Infection
When Mugly is run, it may create several files in the %System% directory:
- xxz.tmp, xtc.tmp or zzx.tmp - a copy of the worm (size varies)
- ANSMTP.DLL - a clean SMTP library (size: 385,024 bytes)
- bszip.dll - a clean ZIP library (size: 62,464 bytes)
- uglym.jpg - a clean JPEG image (size: 11,228 bytes), or newyear.jpg - a clean JPEG image (size: 40,064 bytes; used by the .D variant only)
- attached.zip or download.zip - a ZIP archive containing a copy of the worm
- svkp.sys - this file may be created in either the %Windows% or %System% directory
Note: '%System%' and '%Windows%' are variable locations. The malware determines the location of these folders by querying the operating system. The default installation location for the System directory for Windows 2000 and NT is C:\Winnt\System32; for 95, 98 and ME it is C:\Windows\System; and for XP it is C:\Windows\System32. The default installation location for the Windows directory for Windows 2000 and NT is C:\Winnt; for 95, 98 and ME it is C:\Windows; and for XP it is C:\Windows.
Mugly does not install itself in such a way that it will be executed automatically when Windows restarts. However, variants that drop bt32.exe or bx.exe will execute the Rbot variant, which installs itself onto the system.
The worm also displays a JPEG image that is variant dependent. Examples reported to Computer Associates from the wild include "uglym.jpg", "newyear.jpg" and LOL-AlbinoGorrilla.jpg (the images themselves are not reproduced here).
Note: Only Mugly.D is known to drop newyear.jpg.
Later Mugly variants may also create a number of empty executable files in the %System% directory. Mugly.J creates the following files:
cmd.com
netstat.com
ping.com
regedit.com
taskkill.com
tasklist.com
taskmgr.exe
tracert.com
The purpose of creating these files is to stop the user from running the application they intended. For example, if a user launches regedit by typing 'regedit' without an extension, Windows tries the .com extension before .exe, so the empty regedit.com runs instead of regedit.exe. This can be avoided by running the application by its full path name, including the extension.
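As an added illustration of the check a defender would run for this (it is not part of the original CA analysis), the following Python script lists .com files that sit beside an .exe of the same base name in a directory and reports which of the Mugly.J file names are present but empty. It builds a temporary stand-in directory rather than touching a real %System%; the directory layout is constructed sample data.

```python
import os
import tempfile

# Files the analysis lists as dropped (empty) by Mugly.J into %System%.
MUGLY_J_DROPPED = (
    "cmd.com", "netstat.com", "ping.com", "regedit.com",
    "taskkill.com", "tasklist.com", "taskmgr.exe", "tracert.com",
)


def shadowed_commands(entries):
    """Find .com files that would run in place of an .exe of the same base name.

    entries: iterable of (filename, size_in_bytes) taken from one directory.
    Returns a sorted list of (com_name, size). A zero-byte hit is the pattern
    described for Mugly.J: typing 'regedit' runs the empty regedit.com.
    """
    by_lower = {name.lower(): (name, size) for name, size in entries}
    hits = []
    for lname, (name, size) in by_lower.items():
        base, ext = os.path.splitext(lname)
        if ext == ".com" and base + ".exe" in by_lower:
            hits.append((name, size))
    return sorted(hits)


def empty_known_names(entries):
    """Return the Mugly.J file names that exist with size zero (a real taskmgr.exe is never empty)."""
    known = {n.lower() for n in MUGLY_J_DROPPED}
    return sorted(name for name, size in entries if name.lower() in known and size == 0)


def scan_directory(path):
    """Collect (name, size) for regular files in `path` and run both checks."""
    entries = []
    for name in os.listdir(path):
        full = os.path.join(path, name)
        if os.path.isfile(full):
            entries.append((name, os.path.getsize(full)))
    return shadowed_commands(entries), empty_known_names(entries)


def demo():
    """Build a constructed stand-in for %System% and scan it (no real system files are touched)."""
    with tempfile.TemporaryDirectory() as d:
        for legit in ("cmd.exe", "regedit.exe", "ping.exe", "notepad.exe"):
            with open(os.path.join(d, legit), "wb") as f:
                f.write(b"MZ")  # placeholder bytes standing in for a real PE file
        for dropped in ("cmd.com", "regedit.com", "ping.com", "taskmgr.exe"):
            open(os.path.join(d, dropped), "wb").close()  # zero-byte, as Mugly.J drops
        return scan_directory(d)


if __name__ == "__main__":
    shadowing, empties = demo()
    for name, size in shadowing:
        print(f"{name} ({size} bytes) shadows {os.path.splitext(name)[0]}.exe")
    for name in empties:
        print(f"{name} is present but empty")
```

To check a live machine, call `scan_directory` on the real system directory (for example `os.path.join(os.environ["SystemRoot"], "System32")` on NT-family Windows) and review both lists; a legitimate .com beside an .exe of the same name is unusual enough to warrant a look even when it is not zero bytes.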
Method of Distribution
Via E-mail
Mugly distributes itself by creating e-mail messages with the worm executable attached. The message used depends on the variant; those observed include:
- Subject:
Hhahahah lol!!!!
Body:
i found this on my computer from ages ago
download it and see if you can remember it
lol i was lauging like mad when i saw it! :D
email me back haha...
- Subject:
Rate My Pic.......
Body:
Hi ive sent 5 emails now and nobody will rate
my pic!! :( please download and tell me what you
think out of 10 , dont worry if you dont like it
just say i wont be offended p.s i was drunk when it was taken :P
- Subject:
You have an Admirer
Body:
Someone has asked us on there behalf to send
you this email and tell you they think you are
wonderfull!!! All the The mystery persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer Mail Admin.
- Subject:
Your Pic On A Website!!
Body:
I was looking at a website and came across
this pic they look just like you! infact im sure
it is lol , did you send this pic into them ? or
is it someonce else :S ? Ive Added the pic in
a zip so download it and check & email me back!
- Subject:
HAPPY NEW YEAR!!!
Body:
All the best in new year from our family
here is a litle attachment to make you smile in new year
i was lauging like mad when i saw it! :D
email me back haha...
- Subject:
MARY CHRISTMAS from our family
Body:
All the best in new year and christams from our family.
- Subject:
Hehehe LOL!!
Body:
I just saw this on my computer from a while ago
download it and see if you can remember ;)
lol i was lauging like crazy when i saw! :D
email me back hehe...
- Subject:
Your Photo Is On A Webpage!!
Body:
I was veiwing this website and came across
a picture they look just like you! infact im sure
it is haha , did you email this pic into them ? or
is it someonce elses that looks like you :S ? pic is attached
in zip file so download it and see then email me back!
- Subject:
Hey Rate My Pic Plz...
Body:
Hi ive sent out 4 emails now & nobody will rate
my photo! :( please download and tell me your opinion
rated out of 10 , its ok if you dont like it
just say i wont be offended p.s i was drunk when
it was taken haha :)
- Subject:
Someone Admire's You!
Body:
Someone has asked us on there behalf to send
you this email and tell you they think you are
Amazing!! All the The secret persons details
you need are enclosed in the attachment :)
please download and respond telling us if you
would like to make further contact with this
person.
Regards Hallmark Admirer's Admin.
- Subject:
Hey Hows It Goin ?
Body:
my name is turd i am 16 and poop on
trees after long walks in the park then i jump off
high buildings hahahahha rolf email me im lazy
and smell of manure
The .L variant also uses e-mail messages in several different languages:
- Subject:
Attachment Returned
Body:
This file was rejected by the recipient
- Subject:
Zubehör Ging
Body:
Diese Akte wurde von der Empfänger zurückgewiesen
- Subject:
L'Attachement Est retourné
Body:
Ce dossier a été rejeté par le destinataire
- Subject:
Il Collegamento Ha rinviato
Body:
Questa lima è stata rifiutata dal destinatario
- Subject:
O Acessório Retornou
Body:
Esta lima foi rejeitada pelo receptor
- Subject:
El Accesorio Volvió
Body:
Este archivo fue rechazado por el recipiente
- Subject:
Het aanhechtsel Keerde Terug
Body:
Dit bestand werd door de ontvanger afgekeurd
- Subject:
You suck!
Body:
I have enclosed why you suck and your not going to like it :@
- Subject:
Sie saugen!
Body:
Ich habe umgeben, warum Sie saugen und Ihr Gehen nicht zu wie ihm :@
- Subject:
Vous sucez!
Body:
J'ai enfermé pourquoi vous sucez et votre ne pas aller à comme lui :@
- Subject:
Succhiate!
Body:
Ho accluso perchè succhiate e vostro non andare come ad esso :@
- Subject:
Você suga!
Body:
Eu incluí porque você suga e seu não lhe ir como :@
- Subject:
Usted aspira!
Body:
He incluido porqué usted aspira y el su no ir como a él :@
- Subject:
U zuigt!
Body:
Ik heb waarom u zuigt bijgevoegd en uw gaand alsof het niet :@
- Subject:
My new details
Body:
Hi ive changed email address if you would like to
keep in contact i have enclosed my new details
- Subject:
Meine neuen Details
Body:
Hallo änderte ive email address, wenn Sie zu möchten
Unterhalt im Kontakt habe ich meine neuen Details umgeben
- Subject:
Mes nouveaux détails
Body:
Bonjour l'ive a changé le email address si vous voudriez à
subsistance en contact j'ai joint mes nouveaux détails
- Subject:
I miei nuovi particolari
Body:
Hi il ive ha cambiato il email address se gradiste a
conservazione in contatto ho accluso i miei nuovi particolari
- Subject:
Meus detalhes novos
Body:
Hi o ive mudou o email address se você gostasse a
sustento no contato eu incluí meus detalhes novos
- Subject:
Mis nuevos detalles
Body:
Hi el ive cambió email address si usted quisiera a
mantener contacto he incluido mis nuevos detalles
- Subject:
Mijn nieuwe details
Body:
Hi veranderde ive e-mail aanspreekt of u van naar zou houden
Hou in contact ik heb bijgevoegd mijn nieuwe details bij
- Subject:
Party Invite!!
Body:
You have been invited to my party
please download the details and tell me if you
will be able to make it , Thanks!
- Subject:
Beteiligtes Laden!!
Body:
Sie sind zu meinem Beteiligten eingeladen worden
ddownloaden Sie bitte die Details und erklären Sie mir
wenn Sie in der LageSIND, es zu bilden, Dank!
- Subject:
La Partie Invitent!!
Body:
Vous avez été invités à ma partie téléchargez
svp les détails et me dites si vous pourrez la
faire, merci!
- Subject:
Il Partito Invita!!
Body:
Siete stati invitati al mio partito prego
trasferite i particolari dal sistema centrale
verso i satelliti e mi dite se potrete farlo, ringraziamenti!
- Subject:
O Partido Convida!!
Body:
Você foi convidado a meu partido download por
favor os detalhes e diz-me se você pudesse o
fazer, agradecimentos!
- Subject:
El Partido Invita!!
Body:
Le han invitado a mi partido descarga por favor
los detalles y me dice si usted puede hacerlo,
gracias!
- Subject:
De partij Uitnodig!!
Body:
U bent naar mijn partij alstublieft download de details
uitgenodigd worden en vertel mij indien u hem zult kunnen
maken, Bedankt!
In each case the attachment is a ZIP archive named attached.zip, download.zip, or one of the executable names below with its extension replaced by .ZIP. The worm executable inside the archive may have one of the following names:
From_my_hart.scr
HOT_NEW_YEAR.scr
Hapy-new-year.scr
Hot_new_year.scr
Marry_christmas.scr
Mary-Christmas.scr
Photo_01.jpg.scr
Photo_01.pif
Pic_001.exe
Pic_001.jpg.scr
Scan_04.jpg.scr
Scan_04.scr
Sexy_09.scr
Sexy_new_year.scr
admire_001.exe
admire_001.jpg.scr
for_you.jpg.scr
for_you.pif
is_this_you.jpg.scr
is_this_you.scr
love_04.jpg.scr
love_04.scr
new_year.scr
with_love.scr
Photo_01.pif
Admirer_005.scr
Scanned_03.scr
Sexy_02.scr
IMG_001.scr
Just_For_You.pif
Your_Pic.scr
Lover_01.scr
Corrupt.pif
Corrupt.scr
details.pif
details.scr
File.pif
File.scr
Party.pif
Party.scr
The worm sends itself using the SMTP library ANSMTP.DLL. As it uses an unregistered copy of ANSMTP.DLL, the following text is added to the bottom of each message it sends:
Current email was sent by an Evaluation License.
Note: This footer will be removed with Licensed Version
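The attachment names and the ANSMTP evaluation footer above are the kind of message-level indicators a mail gateway can check. The following Python script, added here as an example rather than taken from the original analysis, parses a raw message, flags a subject from the lists above, flags the evaluation-licence footer, and opens any ZIP attachment to report members with executable extensions (so a double-extension name such as Photo_01.jpg.scr is caught). The sample message and its archive are constructed inline; the archive member is placeholder bytes, not an executable.

```python
import email
import io
import zipfile
from email.message import EmailMessage

# Footer the unregistered ANSMTP.DLL appends to every message the worm sends.
EVAL_FOOTER = "Current email was sent by an Evaluation License."
# A subset of the lure subjects listed in the analysis.
KNOWN_SUBJECTS = {
    "Hhahahah lol!!!!", "Rate My Pic.......", "You have an Admirer",
    "Your Pic On A Website!!", "HAPPY NEW YEAR!!!", "Attachment Returned",
    "You suck!", "My new details", "Party Invite!!",
}
# Extensions used by the executables inside the worm's ZIP attachments.
EXEC_EXTS = (".scr", ".pif", ".exe", ".com")


def executable_members(zip_bytes):
    """Names of ZIP members with an executable extension (catches Photo_01.jpg.scr, not Photo_01.jpg)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return [n for n in zf.namelist() if n.lower().endswith(EXEC_EXTS)]


def assess_message(raw_bytes):
    """Return a list of reasons a raw RFC 822 message looks like a Mugly mailing; empty if none."""
    msg = email.message_from_bytes(raw_bytes)
    reasons = []
    if str(msg.get("Subject", "")).strip() in KNOWN_SUBJECTS:
        reasons.append("subject matches a Mugly lure")
    for part in msg.walk():
        if part.get_content_maintype() == "multipart":
            continue  # containers carry no payload of their own
        filename = part.get_filename() or ""
        payload = part.get_payload(decode=True) or b""
        if filename.lower().endswith(".zip"):
            try:
                members = executable_members(payload)
            except zipfile.BadZipFile:
                continue  # not a readable archive; nothing to inspect
            for m in members:
                reasons.append(f"zip attachment {filename} contains executable {m}")
        elif part.get_content_type() == "text/plain":
            if EVAL_FOOTER in payload.decode("utf-8", "replace"):
                reasons.append("ANSMTP evaluation-licence footer present")
    return reasons


def build_sample():
    """Construct a message shaped like the lure in the analysis (sample data, not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Photo_01.jpg.scr", b"MZ placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "dead_poet@hotmail.com"   # one of the spoofed senders listed in the analysis
    msg["To"] = "someone@example.invalid"
    msg["Subject"] = "Rate My Pic......."
    msg.set_content(
        "Hi ive sent 5 emails now and nobody will rate\n"
        "my pic!! :( please download and tell me what you\n"
        "think out of 10\n\n"
        + EVAL_FOOTER + "\n"
        "Note: This footer will be removed with Licensed Version\n"
    )
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="attached.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in assess_message(build_sample()):
        print("-", reason)
```

Any one of the three reasons is weak on its own (the footer appears on mail from any unregistered ANSMTP user), but a ZIP whose only member is an .scr or .pif is a strong signal by itself and is the check most worth keeping after the subject lines have gone stale.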
The worm finds addresses to send itself to by searching in files with the following extensions:
.adb
.asp
.dbx
.doc
.htm
.php
.sht
.tbb
.txt
.wab
.html
or by sourcing addresses from Yahoo Mailer, Yahoo Buddy and .NET Messenger.
In variants .A, .B, .C and .D it avoids using addresses that contain the following strings:
adaware
nod32
trendmicro
avguk
grisoft
pandasoftware
sophos
sophos
.gov
symantec
lavasoft
mcafee
kaspersky
In more recent variants, the worm avoids addresses containing these strings:
ada
nod
icro
avg
gri
panda
soph
sophos
.gov
symac
lavat
mcae
rsky
It attempts to use the infected user's own address as the sender, which it reads from the following registry value:
HKCU\Software\Microsoft\Internet Account Manager\Accounts\00000001\SMTP Email Address
If it can't read this value, it uses one from its own list, similar to the following example (taken from the .B variant):
dead_poet@hotmail.com
alex_edwards2000@msn.com
romeorichard@google.com
apiffany@cnet.com
sexy_lil_thing@no-ip.com
cutie_pie@ogrish.com
easy_lay666@lovenet.com
hunk_hogan78@hallmark.com
britany_slut56@sex.com
tit_fuck_909@gmail.com
good_fuck12@yahoo.com
blowjob_lips666@romance.com
tit_fuck_909@paltalk.com
sexy_guy88@aol.com
mucle_bound_hunk892@download.com
Payload
Modifies Hosts File
The Hosts file contains mappings of IP addresses to host names. Windows checks the Hosts file before it queries any DNS server, which allows entries in it to override DNS. On XP, 2000 and NT systems the hosts file is located at %System%\drivers\etc\hosts; on 9x systems it is located at %Windows%\hosts.
Some Mugly variants modify the hosts file in an attempt to block access to particular antivirus sites. Mugly.C, for example, blocks access to the following sites:
downloads-us1.kaspersky-labs.com
downloads-us2.kaspersky-labs.com
downloads-us3.kaspersky-labs.com
downloads-us4.kaspersky-labs.com
downloads1.kaspersky-labs.com
downloads2.kaspersky-labs.com
downloads3.kaspersky-labs.com
ftp.downloads1.kaspersky-labs.com
ftp.downloads2.kaspersky-labs.com
ftp.downloads3.kaspersky-labs.com
liveupdate.symantec.com
liveupdate.symantecliveupdate.com
rads.mcafee.com
symantecliveupdate.com
symatec.com
tony@hotmail.com
update.symantec.com
updates1.kaspersky-labs.com
updates2.kaspersky-labs.com
updates3.kaspersky-labs.com
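To check a machine for this payload, the following Python script (an added example, not from the original analysis) parses a hosts file, flags any name from the Mugly.C list above and, going beyond that list, also flags any other name under the Kaspersky, Symantec or McAfee domains the worm targets. The hosts text used in the run is constructed sample data; liveupdate2.symantec.com is an invented name included only to exercise the suffix rule.

```python
import os

# Hosts that Mugly.C remaps in the hosts file, as listed in the analysis.
MUGLY_C_BLOCKED = {
    "downloads-us1.kaspersky-labs.com", "downloads-us2.kaspersky-labs.com",
    "downloads-us3.kaspersky-labs.com", "downloads-us4.kaspersky-labs.com",
    "downloads1.kaspersky-labs.com", "downloads2.kaspersky-labs.com",
    "downloads3.kaspersky-labs.com", "ftp.downloads1.kaspersky-labs.com",
    "ftp.downloads2.kaspersky-labs.com", "ftp.downloads3.kaspersky-labs.com",
    "liveupdate.symantec.com", "liveupdate.symantecliveupdate.com",
    "rads.mcafee.com", "symantecliveupdate.com", "symatec.com",
    "tony@hotmail.com", "update.symantec.com", "updates1.kaspersky-labs.com",
    "updates2.kaspersky-labs.com", "updates3.kaspersky-labs.com",
}
# Generalisation: any host under these vendor domains being remapped is worth a look.
VENDOR_DOMAINS = ("kaspersky-labs.com", "symantec.com", "symantecliveupdate.com", "mcafee.com")

# Constructed sample hosts file; liveupdate2.symantec.com is an invented name.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-1999 Microsoft Corp.
#
127.0.0.1       localhost
127.0.0.1       liveupdate.symantec.com
127.0.0.1       rads.mcafee.com
127.0.0.1       ftp.downloads1.kaspersky-labs.com
127.0.0.1       tony@hotmail.com
127.0.0.1       liveupdate2.symantec.com   # not in the Mugly.C list, caught by the suffix rule
192.168.1.10    fileserver
"""


def hosts_path():
    """Default hosts file location on NT-family Windows (%System%\\drivers\\etc\\hosts)."""
    root = os.environ.get("SystemRoot", r"C:\Windows")
    return os.path.join(root, "System32", "drivers", "etc", "hosts")


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping, ignoring comments and blank lines."""
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = line.split()
        for name in names:
            yield lineno, ip, name


def under_vendor_domain(lname):
    return any(lname == d or lname.endswith("." + d) for d in VENDOR_DOMAINS)


def suspicious_entries(text):
    """Return (line, ip, name, reason) for hosts entries matching the Mugly.C payload pattern."""
    findings = []
    for lineno, ip, name in parse_hosts(text):
        lname = name.lower()
        if lname in ("localhost", "localhost.localdomain"):
            continue
        if lname in MUGLY_C_BLOCKED:
            findings.append((lineno, ip, name, "host named in Mugly.C analysis"))
        elif under_vendor_domain(lname):
            findings.append((lineno, ip, name, "security vendor domain remapped"))
        elif "@" in lname:
            findings.append((lineno, ip, name, "not a host name"))
    return findings


def check_file(path=None):
    """Run the check against a hosts file on disk (defaults to the NT-family location)."""
    with open(path or hosts_path(), encoding="utf-8", errors="replace") as f:
        return suspicious_entries(f.read())


if __name__ == "__main__":
    for lineno, ip, name, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"line {lineno}: {ip} {name}  [{reason}]")
```

Because the worm does not register itself to run at startup, the hosts file entries are the part of the infection most likely to outlive the running process; removing them restores access to the vendors' update servers.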
Analysis by Paul Taylor