Worm:Win32/Wukill.J@mm is a mass-mailing e-mail worm that also spreads by copying itself to drives A:, C:, D:, E:, G: and H:. This worm may also disable viewing of file extensions and paths in Windows Explorer.
Installation
If this worm is executed, it will drop a copy of itself with a random name into the folder %windir%\fonts. The worm then registers itself to run at Windows start.
Adds value: TempCom
With data: "%windir%\fonts\<worm random name>.com"
To subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\Currentversion\Run
The worm may open the Desktop folder.
Spreads Via…
Folder & Drive Copy
The worm may copy itself to the following folders and drives:
%windir%\system\random name
%windir%\web\random name
%windir%\fonts\random name
%windir%\temp\random name
%windir%\help\random name
A:\WINDOWS.EXE
A:\Explorer.EXE
C:\Windows.exe
D:\Windows.exe
E:\Windows.exe
G:\Windows.exe
H:\Windows.exe
Win32/Wukill.J may drop additional files in the root directory of drives C:, D:, E:, G: and H:
folder.htt
desktop.ini
Ghost.bat
E-mail
Worm:Win32/Wukill.J@mm may distribute a copy of itself as an attachment by sending e-mail messages to contacts found in the Microsoft Outlook Address Book. The worm composes messages similar to the one shown below and attaches a copy of itself:
From:<Mywoman @ 163.com>
To:<users in address book>
Subject: <non-English characters>
Message body:
<non-English characters>
Attachment: <non-English characters>.exe
Payload
Disables Viewing Extensions & Paths
The worm modifies registry data to disable viewing of file extensions in Windows Explorer.
Modifies value: HideFileExt
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Win32/Wukill may disable viewing of file paths in Windows Explorer by altering registry data.
Modifies value: Fullpath
With data: 1
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState
Lastly, Win32/Wukill may disable viewing of system protected files by changing registry data.
Modifies value: Hidden
With data: 0
In subkey: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
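To check a registry export collected from a suspect host for the Run entry described under Installation and the three Explorer values described under Payload, here is an added Python example that is not part of the original entry; the .reg sample, the random file name kqzxwa.com and the function names are constructed for illustration.

```python
import re
# Constructed sample of a "reg export" from a host; the random .com name is made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"TempCom"="C:\\WINDOWS\\fonts\\kqzxwa.com"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
"HideFileExt"=dword:00000001
"Hidden"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\CabinetState]
"FullPath"=dword:00000001
"""

EXPLORER = r"hkey_current_user\software\microsoft\windows\currentversion\explorer"
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
FONTS_COM = re.compile(r"\\fonts\\[^\\]+\.com$", re.I)  # "%windir%\fonts\<random>.com"

def parse_reg(text):
    """Parse a .reg export into {subkey: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
        elif current is not None and line.startswith('"'):
            name, _, data = line.partition("=")
            value = data
            if data.startswith("dword:"):
                value = int(data[6:], 16)
            elif data.startswith('"'):
                value = data[1:-1].replace("\\\\", "\\")  # .reg doubles backslashes
            keys[current][name.strip('"').lower()] = value
    return keys

def wukill_indicators(reg):
    """Return indicators found, strongest first: the Run entry, then Explorer tampering."""
    found = []
    run = reg.get(RUN_KEY, {})
    if FONTS_COM.search(str(run.get("tempcom", ""))):
        found.append("Run\\TempCom -> " + run["tempcom"])
    # Explorer values alone are weak evidence (HideFileExt=1 is the Windows default).
    for key, name, bad in (("advanced", "hidefileext", 1), ("advanced", "hidden", 0),
                           ("cabinetstate", "fullpath", 1)):
        if reg.get(EXPLORER + "\\" + key, {}).get(name) == bad:
            found.append(f"Explorer\\{key}\\{name}={bad}")
    return found
```

Feed it the output of `reg export` for the two hives; the Run value pointing into %windir%\fonts is the finding worth acting on, the Explorer values only corroborate it.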
Analysis by Tim Liu