McAfee Secure sites help keep you safe from identity theft, credit card fraud, spyware, spam, viruses and online scams
Create Account | Login  | What is TrustedSource?
 
Home  Threats and Trends  Malware Information
TrustedSource™ Query
Enter IP address, domain name or URL to check reputation/traffic patterns:
Search
 


Malware Information

Malware nameWorm.McMaggot.A
TypeWorm
Affected platformWin32
Media-Typeapplication/executable
MD5 checksum0AA203943D1E264973B2993CA09EF4C3
Static fileyes
Filesize449,024 Bytes
Alias names
(also known as)
SophosW32/Autorun-RI
McAfeeW32/Xirtem@MM
CA ETrustWin32/Mytob.OO
Side effects
  • Drops a malicious file
  • Uses its own Email engine
  • Lowers security settings
  • Registry modification
PropagationEmail

Description:

Files

It copies itself to the following location:
• %SYSDIR%\vxworks.exe



The following file is created:

– %SYSDIR%\qnx.exe Furthermore it gets executed after it was fully created. Further investigation pointed out that this file is malware, too. Detected as: 4200

Registry

One of the following values is added in order to run the process after reboot:

– HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
• Wind River Systems"="c:\windows\\system32\\vxworks.exe



The following registry keys are changed:

– HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\
FirewallPolicy\StandardProfile\AuthorizedApplications\List
New value:
• c:\windows\\system32\\vxworks.exe"="c:\windows\\system32\\vxworks.exe:*:Enabled:Explorer

Email

It contains an integrated SMTP engine in order to send emails. A direct connection with the destination server will be established. The characteristics are described in the following:


From:
The sender address is spoofed.
The sender of the email is one of the following:
• giveaway@mcdonalds.com
• noreply@coca-cola.com
• postcards@hallmark.com


Subject:
One of the following:
• Coca Cola is proud to accounce our new Christmas Promotion.
• Mcdonalds wishes you Merry Christmas!
• You've received A Hallmark E-Card!



Attachment:
The filename of the attachment is one of the following:
• coupon.zip
• postcard.zip
• promotion.zip

The attachment is an archive containing a copy of the malware itself.



File details

Programming language:
 The malware program was written in MS Visual C++.


Runtime packer:
In order to aggravate detection and reduce size of the file it is packed with a runtime packer.
McAfee Homepage | Contact | Privacy Policy

Copyright © 2007-2009 McAfee, Inc. All Rights Reserved.

THE DATA IS FURNISHED, "AS IS" WITHOUT ANY WARRANTY OF ANY KIND, AND MCAFEE® HEREBY DISCLAIM ALL WARRANTIES, EXPRESS, IMPLIED OR STATUTORY INCLUDING, WITHOUT LIMITATION, ALL IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE, AND ANY WARRANTIES AS TO NON-INFRINGEMENT, AND IN NO EVENT SHALL MCAFEE® BE LIABLE FOR COSTS OF PROCURING SUBSTITUTE GOODS. IN NO EVENT WILL MCAFEE® BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL, INCIDENTAL, EXEMPLARY, OR OTHER DAMAGES WHETHER OR NOT MCAFEE® HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH LOSS OR DAMAGE.