Lumension® Endpoint Intelligence Center

Overview

Threat Risk: LOW
Destructivity: MEDIUM
Payload: Deletes files
Detection files published: 04 Jun 2002 03:00:00
Description created: 04 Jun 2002 08:27:00
Description updated: 05 Jun 2002 09:27:00
Malware type: WORM
Alias:
Spreading mechanism: EMAIL, UNKNOWN, IRC, NETWORK
Summary: None

W32/Wingin.A@mm

Spreading

When run, it will copy itself to many files on the hard disk, in several directories. It seems to have a special affinity for the "My documents" folder.

The attachment file names will be picked from the following list:

Setup98_Microsoft_patch120679.exe
Borland_Install32_Beta080279.exe
Install32_Beta12061979_Fixed.exe
Install_Wizard.exe
3DFxText_FULL281058_DEMO.exe
Fx3d_FULL_291182_DEMO.exe
Nude_Patch_10110001_BETA.exe
Animations_PATCH_SETUP.scr

When the worm copies itself around without mailing itself, it may use some of the following names with a random EXE or SCR extension: 3DFX, Picture, 1st_ONE, Anim3D, Flowers, Jasmin, Red_Rose, InetSetup, ConAgent, Installer, Setup32, SetupMSI.

The names Nude_setup.exe, FreeSexx.exe, AsianGirls.exe, AmateurGirls.exe, Update.exe, Nude.exe, Sex_Setup.exe and Animated.scr may also be used.

In the Windows System directory there will be two or three worm files; one will always be called I386.EXE. The worm also copies itself to the floppy, if one is present, as Setup.exe.

The worm presents the user with a small error message, claiming that it could not install due to lacking files. After this, it will send itself by mail to everyone in the Outlook address book.

It installs itself in the registry so that it is started at bootup; this is done by inserting the value

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run\I386 = <SystemDir>\I386.EXE

into the registry.

The worm also contains code to send itself over IRC. This code will be inserted into the mIRC startup file MIRC.INI on the second startup of the worm. At this time it will also install a registry key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName=I-WORM-IWING-XX

where the XX denotes a two-digit number.

The worm may also copy itself to network drives; this is done by dropping a small VB script which performs the file copying.
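The registry and file-name artifacts described above can be checked offline, for example against a registry export taken during triage. The Python below is an added example, not part of the original description; the function names and the sample export text are constructed for illustration, and case-insensitive name matching is an assumption.

```python
import re

# Local-copy base names from the description; used with a random .exe or .scr extension.
BASE_NAMES = set("""3dfx picture 1st_one anim3d flowers jasmin red_rose inetsetup
conagent installer setup32 setupmsi""".split())
# Fixed names from the description: mail attachments, extra copies, the System copy.
FIXED_NAMES = set("""setup98_microsoft_patch120679.exe borland_install32_beta080279.exe
install32_beta12061979_fixed.exe install_wizard.exe 3dfxtext_full281058_demo.exe
fx3d_full_291182_demo.exe nude_patch_10110001_beta.exe animations_patch_setup.scr
nude_setup.exe freesexx.exe asiangirls.exe amateurgirls.exe update.exe nude.exe
sex_setup.exe animated.scr i386.exe""".split())
RUN_KEY = r"hkey_local_machine\software\microsoft\windows\currentversion\run"
NAME_KEY = r"hkey_local_machine\system\currentcontrolset\control\computername\computername"

def name_matches(filename):
    """True if a file name is on the description's lists (a lead only, not proof)."""
    # Names such as Update.exe are also used by legitimate software.
    low = filename.lower()
    stem, _, ext = low.rpartition(".")
    return low in FIXED_NAMES or (stem in BASE_NAMES and ext in ("exe", "scr"))

def parse_reg_export(text):
    """Parse string values from .reg export text into {(key, value_name): data}."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := re.fullmatch(r'"([^"]+)"="(.*)"', line)):
            values[(key, m.group(1).lower())] = m.group(2).replace("\\\\", "\\")
    return values

def registry_findings(values):
    """Return which of the two registry artifacts from the description are present."""
    found = []
    run = values.get((RUN_KEY, "i386"), "")
    if run.lower().endswith("\\i386.exe"):
        found.append("run-key")
    marker = values.get((NAME_KEY, "computername"), "")
    if re.fullmatch(r"I-WORM-IWING-\d{2}", marker):
        found.append("computername-marker")
    return found

# Constructed sample export (not taken from a real infected host).
SAMPLE = r'''
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"I386"="C:\\WINNT\\System32\\I386.EXE"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="I-WORM-IWING-07"
'''
```

Calling registry_findings(parse_reg_export(SAMPLE)) reports both registry artifacts; a file-name match alone should be treated as a reason to look further, since several listed names are generic.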

Payload Details

When the worm is run the second time, it will display a small "death's head" icon in the system tray. Moving the mouse cursor over this will cause a hint to be shown, saying "Left Click For More Additional Help and Informations..!". If the icon is left-clicked, the worm attempts to delete files matching the patterns below:

C:\MyDocu~1\*.doc
C:\MyDocu~1\*.xls
\*.ini
\*.drv
\*.*
C:\WINNT\*.*
C:\WINNT\SYSTEM32\*.*

In our tests, it did not always succeed in this.

If the icon mentioned above is right-clicked, it will disappear, and no destructive action will be taken.

Analysis

n/a

Removal

n/a


Last Updated: 12 Nov 2015 11:06:14