Threat Descriptions

MissWorld

Classification

Category :

Malware

Type :

Worm

Platform :

W32

Aliases :

MissWorld, I-Worm.MsWorld, W32/MWrld-mm, W32/MissWorld-mm

Summary

This email worm is spreading using MS Outlook. The worm itself is Win32 executable file about 130K of length written in Visual Basic language.

Removal

Based on the settings of your F-Secure security product, it will either move the file to the quarantine where it cannot spread or cause harm, or remove it.

A False Positive is when a file is incorrectly detected as harmful, usually because its code or behavior resembles known harmful programs. A False Positive will usually be fixed in a subsequent database update without any action needed on your part. If you wish, you may also:

  • Check for the latest database updates

    First check if your F-Secure security program is using the latest updates, then try scanning the file again.

  • Submit a sample

    After checking, if you still believe the file is incorrectly detected, you can submit a sample of it for re-analysis.

    Note: If the file was moved to quarantine, you need to collect the file from quarantine before you can submit it.

  • Exclude a file from further scanning

    If you are certain that the file is safe and want to continue using it, you can exclude it from further scanning by the F-Secure security product.

    Note: You need administrative rights to change the settings.

Technical Details

When the worm file is run (double click on attached EXE file) it displays the following picture:

and then three other pictures that are not Miss World pictures as it is written in the worm. After that the worm runs its spreading and two trojan routines.

To spread the worm uses a standard way. It connects to MS Outlook, gets up to 50 addresses from address book and sends messages to there. The messages have: 

Subject: Miss World
 Body:

Hi, %username%
 Enjoy the latest pictures of Miss World from various Country

The attached file has the name of original EXE file that was activated. The "original" EXE file name in which the worm was received is MSWORLD.EXE.

Next the worm appends to the end of C:\AUTOEXEC.BAT file DOS batch commands that display the message: 

This Everything for my Girl Friend........., (CatEyes, KRSSL, SS Hostel)

and then format all local fixed drives.

The worm then tries to delete the system registry files and their backups: 

 SYSTEM.DAT, SYSTEM.DA0, USER.DAT, USER.DA0

Because .DAT these files are usually locked by system, the worm fails to delete them. Then the worm exits.