Threat description

Wurmark.L is an e-mail worm that spreads by sending messages written in several different languages. It also drops a variant of Rbot on the infected system.


Automatic action

Depending on the settings of your F-Secure security product, it will either automatically delete, quarantine or rename the suspect file, or ask you for a desired action.


Technical Details

Installation to system

When run, the worm drops the following three files from its resource:

bx.exe
bszip.dll
ANSMTP.DLL

'bx.exe' is a copy of Rbot. 'bszip.dll' and 'ANSMTP.DLL' are used later for e-mail spreading. The worm also writes the following files into the Windows system folder:

cmd.com
regedit.com
taskkill.com
tasklist.com
tracert.com
ping.com
netstat.com

Each of these files contains only the two characters 'MZ'. Because Windows tries the 'com' extension before 'exe' when a program is started by its bare name, this trick is meant to block the execution of the legitimate programs of the same name that carry the 'exe' extension.
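As an added illustration that is not part of F-Secure's description, the following Python script mimics how a bare command name is resolved in PATHEXT order and flags the listed '.com' names whose whole content is 'MZ'; the temporary directory, the harmless fake 'ping.exe' and the PATHEXT default value are constructed assumptions for the demonstration.

```python
import os
import tempfile

# The '.com' names the description says the worm writes into the system folder.
SHADOW_NAMES = ["cmd.com", "regedit.com", "taskkill.com", "tasklist.com",
                "tracert.com", "ping.com", "netstat.com"]
# Assumed typical PATHEXT prefix: '.COM' is tried before '.EXE'.
DEFAULT_PATHEXT = ".COM;.EXE;.BAT;.CMD"


def resolve_command(name, directory, pathext=DEFAULT_PATHEXT):
    """Mimic bare-name resolution: the first PATHEXT extension that exists wins."""
    for ext in pathext.split(";"):
        candidate = os.path.join(directory, name + ext.lower())
        if os.path.isfile(candidate):
            return os.path.basename(candidate)
    return None


def find_shadow_stubs(directory):
    """Return the listed '.com' files whose entire content is the two bytes 'MZ'."""
    hits = []
    for name in SHADOW_NAMES:
        path = os.path.join(directory, name)
        if not os.path.isfile(path):
            continue
        with open(path, "rb") as f:
            data = f.read(16)  # a real program is far longer than two bytes
        if data == b"MZ":
            hits.append(name)
    return hits


def demo(pathext=DEFAULT_PATHEXT):
    """Constructed stand-in for the system folder: a harmless fake ping.exe beside a 'MZ' stub."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "ping.exe"), "wb") as f:
            f.write(b"stand-in for the real program (constructed, not executable)")
        with open(os.path.join(d, "ping.com"), "wb") as f:
            f.write(b"MZ")
        return resolve_command("ping", d, pathext), find_shadow_stubs(d)


if __name__ == "__main__":
    print(demo())  # ('ping.com', ['ping.com']): the stub shadows the real program
```

Running the same scan against a real system folder only requires passing its path to find_shadow_stubs; a hit means the named tool is being shadowed.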

The worm executes 'bx.exe', which installs itself on the system. This file is a variant of Rbot. When 'bx.exe' is run, it copies itself as 'winis.exe' into the Windows system directory and adds the following registry value:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]
"IE Runtimes" = "%SysDir%\winis.exe"

This ensures that it is executed at the next system startup. The bot can be used as a backdoor, for collecting system information, logging keystrokes, relaying spam and for various other purposes.

The worm also opens a JPG file from a predefined URL. The picture looks like this:

(picture not reproduced on this page)

E-mail spreading

Wurmark.L gathers e-mail addresses from the MSN Messenger and Yahoo IM client contact lists. The worm uses the dropped SMTP component (ANSMTP.DLL) to send infected messages. It can construct the messages in 7 different languages; the language is selected based on the locale of the infected computer.

Here are the possible English messages (subject line followed by body):

Attachment Returned
    This file was rejected by the recipient

You suck!
    I have enclosed why you suck and your not going to like it :@

My new details
    Hi i've changed email address if you would like to keep in contact i have enclosed my new details

Party Invite!!
    You have been invited to my party please download the details and tell me if you will be able to make it , Thanks!

Here are the possible German messages:

Zubehör Ging
    Diese Akte wurde von der Empfänger zurückgewiesen

Sie saugen!
    Ich habe umgeben, warum Sie saugen und Ihr Gehen nicht zu wie ihm :@

Meine neuen Details
    Hallo änderte ive email address, wenn Sie zu möchten Unterhalt im Kontakt habe ich meine neuen Details umgeben

Beteiligtes Laden!!
    Sie sind zu meinem Beteiligten eingeladen worden ddownloaden Sie bitte die Details und erklären Sie mir wenn Sie in der LageSIND, es zu bilden, Dank!

Here are the possible French messages:

L'Attachement Est retourné
    Ce dossier a rejeté par le destinataire

Vous sucez!
    J'ai enfermé pourquoi vous sucez et votre ne pas aller comme lui :@

Mes nouveaux détails
    Bonjour l'ive a changé le email address si vous voudriez subsistance en contact j'ai joint mes nouveaux détails

La Partie Invitent!!
    Vous avez invité ma partie téléchargez svp les détails et me dites si vous pourrez la faire, merci!

Possible Italian messages:

Il Collegamento Ha rinviato
    Questa lima è stata rifiutata dal destinatario

Succhiate!
    Ho accluso perché succhiate e vostro non andare come ad esso :@

I miei nuovi particolari
    Hi il ive ha cambiato il email address se gradiste a conservazione in contatto ho accluso i miei nuovi particolari

Il Partito Invita!!
    Siete stati invitati al mio partito prego trasferite i particolari dal sistema centrale verso i satelliti e mi dite se potrete farlo, ringraziamenti!

Possible Portuguese messages:

O Acessório Retornou
    Esta lima foi rejeitada pelo receptor

Você suga!
    Eu incluí porque você suga e seu não lhe ir como :@

Usted aspira!
    He incluido porqué usted aspira y el su no ir como a él :@

O Partido Convida!!
    Você foi convidado a meu partido download por favor os detalhes e diz-me se você pudesse o fazer, agradecimentos!

Possible Spanish messages:

El Accesorio Volvió
    Este archivo fue rechazado por el recipiente

Usted aspira!
    He incluido porqué usted aspira y el su no ir como a él :@

Mis nuevos detalles
    Hi el ive cambió email address si usted quisiera a mantener contacto he incluido mis nuevos detalles

El Partido Invita!!
    Le han invitado a mi partido descarga por favor los detalles y me dice si usted puede hacerlo, gracias!

Possible Dutch messages:

Het aanhechtsel Keerde Terug
    Dit bestand werd door de ontvanger afgekeurd

U zuigt!
    Ik heb waarom u zuigt bijgevoegd en uw gaand alsof het niet :@

Mijn nieuwe details
    Hi veranderde ive e-mail aanspreekt of u van naar zou houden Hou in contact ik heb bijgevoegd mijn nieuwe details bij

De partij Uitnodig!!
    U bent naar mijn partij alstublieft download de details uitgenodigd worden en vertel mij indien u hem zult kunnen maken, Bedankt!

The attachment name is selected from the following list:

Party.pif
File.pif
Corrupt.pif
details.pif
Party.scr
File.scr
Corrupt.scr
details.scr

The file is packed inside 'File.zip', which is the actual attachment of the e-mail.
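As an added example for mail-gateway triage, not code from F-Secure or from the worm, the following Python script checks a parsed message for the subject lines, the 'File.zip' attachment and the inner .pif/.scr names listed above; the sample message it builds is constructed for the demonstration and contains a placeholder, not an executable.

```python
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Subject lines and attachment names taken from the description above.
SUBJECTS = {"Attachment Returned", "You suck!", "My new details", "Party Invite!!"}
INNER_NAMES = {"Party.pif", "File.pif", "Corrupt.pif", "details.pif",
               "Party.scr", "File.scr", "Corrupt.scr", "details.scr"}


def inspect_zip(data):
    """Return member names of a zip attachment that match the worm's payload list."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if n in INNER_NAMES]
    except zipfile.BadZipFile:
        return []


def score_message(msg):
    """Return the indicators found in an email.message.EmailMessage."""
    found = []
    subject = str(msg["Subject"] or "").strip()
    if subject in SUBJECTS:
        found.append("subject:" + subject)
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower() == "file.zip":
            found.append("attachment:" + name)
            for inner in inspect_zip(part.get_payload(decode=True)):
                found.append("zip-member:" + inner)
    return found


def build_sample():
    """Constructed message imitating the described layout (not a real capture)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("details.pif", b"placeholder bytes, not executable content")
    msg = EmailMessage(policy=policy.default)
    msg["Subject"] = "My new details"
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg.set_content("Hi i've changed email address if you would like to keep in contact")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip",
                       filename="File.zip")
    return msg


if __name__ == "__main__":
    print(score_message(build_sample()))
```

For a real mailbox, parse each message with email.message_from_bytes(data, policy=policy.default) and pass it to score_message; a hit on all three indicators is a strong match for this worm's mail.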


F-Secure Anti-Virus detects Wurmark.L with the following update:

Detection Type: PC

Database: 2005-05-23_02
