Threat Description

Email-Worm: ​W32/NakedWife


Category: Malware
Type: Email-Worm
Platform: W32
Aliases: Email-Worm:​W32/NakedWife


A worm that spreads via e-mail, usually in infected executable e-mail file attachments.


Automatic action

Once detected, the F-Secure security product will automatically disinfect the suspect file by either deleting it or renaming it.

More scanning & removal options

More information on scanning or removal options is available in the documentation for your F-Secure security product on the Downloads section of our Home - Global site.

You may also refer to the Knowledge Base on the F-Secure Community site for more information.

Contact Support

For further assistance, F-Secure customers can request support online via the Request support or the Chat forms on our Home - Global site.

Technical Details

Email-Worm:W32/NakedWife is an e-mail worm that spreads as an attachment called NakedWife.exe. The worm uses MS Outlook Address Book to find e-mail addresses and sends itself to these addresses with the help of MS Outlook application. NakedWife has a destructive payload.

The worm is a PE executable about 74 kb long written in Visual Basic. The most probable origin is Brazil.


When the worm is run it shows a dialog box that looks like a ShockWave Flash executable animation's dialog. The dialog looks like:

All menus in this dialog box are fake except the 'Help' menu. When a user clicks on it, the worm displays a messagebox:

It should be noted that the worm's file has an icon similar to ShockWave Flash executable animation files and can confuse many users.


After the worm sends itself it performs a destructive action.

It deletes all *.INI, *.LOG, *.DLL, *.EXE, *.COM and *.BMP files (in that order) in root Windows folder and then deletes all *.INI, *.LOG, *.DLL, *.EXE, *.COM, and *.BMP files in Windows System folder.

A system attacked by this worm becomes unusable shortly after that.

Propagation (E-mail)

After the worm shows its dialog box, it opens MS Outlook Address Book and sends itself to all addresses found there. The infected message has the worm's executable as NakedWife.exe attached. The infected message looks like that:

Subject:Fw: Naked Wife Body:My wife never look like that! ;-) Best Regards,  [Current User]  

where [Current User]is the name of an infected computer's user.

Description Details: Analysis: Alexey Podrezov; F-Secure; March 2001


Suspect a file or URL was wrongly detected? Submit a sample to our Labs for analysis

Submit Now

Give And Get Advice

Give advice. Get advice. Share the knowledge on our free discussion forum.

Learn More