Email-Worm:W32/NakedWife

Classification

Category :

Malware

Type :

Email-Worm

Aliases :

Email-Worm:W32/NakedWife

Summary

A worm that spreads via email, usually in infected executable email file attachments.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

Email-Worm:W32/NakedWife is an email worm that spreads as an attachment called NakedWife.exe. The worm uses MS Outlook Address Book to find email addresses and sends itself to these addresses with the help of MS Outlook application. NakedWife has a destructive payload.

The worm is a PE executable about 74 kb long written in Visual Basic. The most probable origin is Brazil.

Execution

When the worm is run it shows a dialog box that looks like a ShockWave Flash executable animation's dialog. The dialog looks like:

All menus in this dialog box are fake except the 'Help' menu. When a user clicks on it, the worm displays a messagebox:

It should be noted that the worm's file has an icon similar to ShockWave Flash executable animation files and can confuse many users.

Payload

After the worm sends itself it performs a destructive action.

It deletes all *.INI, *.LOG, *.DLL, *.EXE, *.COM and *.BMP files (in that order) in root Windows folder and then deletes all *.INI, *.LOG, *.DLL, *.EXE, *.COM, and *.BMP files in Windows System folder.

A system attacked by this worm becomes unusable shortly after that.

Propagation (email)

After the worm shows its dialog box, it opens MS Outlook Address Book and sends itself to all addresses found there. The infected message has the worm's executable as NakedWife.exe attached. The infected message looks like that:

Subject:Fw: Naked Wife Body:My wife never look like that! ;-) Best Regards,
[Current User]

where [Current User]is the name of an infected computer's user.