Discovered on: March 6, 2001
Last Updated on: March 6, 2001 at 03:20:12 PM PST
is a mass mailing worm that disguises itself as flash movie. The attachment is named NakedWife.exe. This worm, after it has attempted to email everyone in the Microsoft Outlook address book, will attempt to delete several system files. This will leave the system unusable, requiring a re-install.
NOTE: This worm was previously detected as [email protected]
Category: Trojan Horse, Worm
Virus Definitions: March 6, 2001
Number of infections: 50 - 999
Number of sites: 3 - 9
Geographical distribution: Medium
Threat containment: Moderate
Payload Trigger: Every time that the worm is executed
Deletes files: Attempts to delete several files from the \Windows and \Windows\System folders
Subject of email: Fw: Naked Wife
Name of attachment: NakedWife.exe
Size of attachment: 73,728 bytes
When first executed, [email protected]
displays a window that appears to be loading a Flash movie. The window will display the words "JibJab." If you click the "Help > About Windows" menu, the following message will be displayed:
You're are now F***ED. (c) 2001 by BGK (Bill Gates Killer)
In the background, while the flash movie is "loading", this worm attempts to send itself to everyone in the Microsoft Outlook address book. The message that this worm sends is as follows:
My wife never look like that! ;-)
where [UserName] is the user name that was used when registering Microsoft Outlook.
After the worm has attempted to mass-mail itself, it will attempt to delete all files from the \Windows and \Windows\System folders that have any of the following extensions:
If this payload is executed, the only way to get the system back to an operational state is to reinstall it.
SARC has also received several corrupted samples. The corrupted variant of this worm will be detected as W32.Naked.dam. The corrupted variant cannot cause any damage to the system. However, if found, it should be deleted.
To remove this worm:
1. Run LiveUpdate to make sure that you have the most recent virus definitions.
2. Start Norton AntiVirus (NAV), and then run a full system scan, making sure that NAV is set to scan all files.
3. Delete any files detected as [email protected]
If the worm has been executed, it is very likely that you will have to reinstall Windows.
Write-up by: Andre Post and Neal Hindocha
ORC Land Use Section Editor
Vice-Pres. Rock Garden 4 Wheelers, Farmington, NM