ENSRT Incident Note ETS-i-2005-12515
The Enterasys Networks Security Response Team (ENSRT) publishes incident notes to provide information for our constituents to raise awareness of issues deemed threatening to the security and integrity of our customers.
Worm - W32.Mugly.D@mm and W32.Randex.gen
Release Date: 01/13/2005
Last Updated:
Overview
The W32.Mugly.D@mm is a mass mailer virus that spreads via an embedded SMTP engine. If executed, an additional worm from the W32.Randex family is installed on the infected PC allowing remote access via IRC channels.
Also Known As: W32/Wurmark-D [Sophos]
Systems affected
Windows operating systems
Systems not affected
Linux and MAC/OSX
Description
The W32.Mugly.D@mm mass mailer arrives in the user mailbox as an e-mail with one of the following bodies:
"
HAPPY NEW YEAR!!!
All the best in new year from our family
here is a litle attachment to make you smile in new year
email me back haha...
"
or
"
MARY CHRISTMAS from our family
All the best in new year and christams from our family
i was lauging like mad when i saw it! :D
"
The e-mail also contains an attachment named "attached.zip" containing the embedded executable virus under one of the following names:
Sexy_new_year.scr
HOT_NEW_YEAR.scr
Marry_christmas.scr
with_love.scr
From_my_hart.scr
new_year.scr
Hot_new_year.scr
If the attached ".zip" file is unzipped and the embedded worm executed, the user PC will be infected and will display an image of nude models in a web browser. Additionally, W32.Mugly.D@mm will install a worm variant from the W32.Randex.gen family, allowing for the possibility that backdoor IRC channels are opened for remote execution of commands on the compromised PC.
Once the worm installation is complete, the W32.Mugly.D@mm worm attempts further proliferation: e-mail addresses are harvested from the compromised PC's file system and a mass-mailing component is launched via the embedded SMTP engine.
Lastly, the W32.Mugly.D@mm worm may attempt to terminate anti-virus or other security related applications on the infected machine.
Threat Assessment
Mass-mailing worms, if not addressed through prudent remediation steps, may congest mail servers and/or degrade network performance. Mass-mailing worms may also impact individual system performance and compromise security settings, allowing unauthorized remote access to the compromised host.
Trojans or backdoor listeners, if not addressed through prudent remediation steps, can compromise network and host security. Additionally, trojans and backdoor listeners potentially allow theft of information, unauthorized remote access, and damage to critical files.
Remediation
| Matrix N7 | X |
| Matrix E7 | X |
| Matrix E6 | X |
| Matrix E5 | X |
| Matrix E1 | X |
| VH | X |
Detection
Updated IDS signatures can be downloaded here: https://dragon.enterasys.com (requires login)
Prevention
Trusted End System (TES) solutions are capable of monitoring various end-system activity. TES is able to take immediate action such as firewalling specific IPs, TCP/UDP ports, or applications, or placing the user into a Quarantine policy or VLAN until the end-system threat is mitigated. Learn more at: http://www.enterasys.com/solutions/secure-networks/trusted_end_system/
Containment
Using Enterasys Policy Manager, enforce a policy that allows SMTP traffic from end user PCs to authorized SMTP mail servers and blocks SMTP traffic to unauthorized end users or unknown Internet systems. If the SMTP protocol is not implemented for end users within the enterprise, consider implementing a policy blocking SMTP traffic from end user ports.
Repair
Monitor SMTP mail server logs to locate infected users sending multiple copies of the worm e-mail matching the bodies and attachment names described above. Once isolated, see your anti-virus vendor for Windows repair procedures for infected users.
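The log review described in the Repair step, worked as an added example that is not part of this Enterasys note: it assumes a hypothetical mail-gateway log format (sender, recipient, archive name and the file inside the archive) and flags internal senders that have mailed the "attached.zip" payload to several distinct recipients.

```python
import re
from collections import defaultdict

# Payload file names carried inside attached.zip, as listed in this note.
MUGLY_D_PAYLOADS = {
    "sexy_new_year.scr", "hot_new_year.scr", "marry_christmas.scr",
    "with_love.scr", "from_my_hart.scr", "new_year.scr",
}
ARCHIVE_NAME = "attached.zip"

# Constructed sample log lines in a hypothetical gateway format (not real logs).
SAMPLE_LOG = """\
2005-01-13T09:01:02 from=<alice@corp.example> to=<bob@corp.example> attachment=report.pdf
2005-01-13T09:01:05 from=<carol@corp.example> to=<dave@other.example> attachment=attached.zip inner=Sexy_new_year.scr
2005-01-13T09:01:06 from=<carol@corp.example> to=<erin@other.example> attachment=attached.zip inner=HOT_NEW_YEAR.scr
2005-01-13T09:01:07 from=<carol@corp.example> to=<frank@isp.example> attachment=attached.zip inner=with_love.scr
2005-01-13T09:02:00 from=<grace@corp.example> to=<heidi@corp.example> attachment=attached.zip inner=photos.jpg
2005-01-13T09:02:30 from=<ivan@corp.example> to=<judy@corp.example> attachment=attached.zip inner=new_year.scr
"""

LINE_RE = re.compile(
    r"from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)> "
    r"attachment=(?P<archive>\S+)(?: inner=(?P<inner>\S+))?"
)

def parse_line(line):
    """Extract sender, recipient, archive and inner file name; None if unparseable."""
    m = LINE_RE.search(line)
    return m.groupdict() if m else None

def is_mugly_d(rec):
    """True when the archive is attached.zip and it carries one of the known .scr names."""
    return (rec["archive"].lower() == ARCHIVE_NAME
            and (rec["inner"] or "").lower() in MUGLY_D_PAYLOADS)

def suspect_senders(log_text, min_recipients=2):
    """Map each sender that mailed the worm to min_recipients or more distinct
    addresses onto the sorted list of those recipients."""
    hits = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and is_mugly_d(rec):
            hits[rec["sender"]].add(rec["rcpt"])
    return {s: sorted(r) for s, r in hits.items() if len(r) >= min_recipients}

if __name__ == "__main__":
    for sender, rcpts in suspect_senders(SAMPLE_LOG).items():
        print(f"isolate {sender}: {len(rcpts)} worm mails -> {', '.join(rcpts)}")
```

Lower the threshold to 1 to list every sender that emitted the payload at all; the default of 2 targets the "multiple copies" pattern the note describes.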
References
http://securityresponse.symantec.com/avcenter/venc/data/w32.mugly.d@mm.html
http://securityresponse.symantec.com/avcenter/venc/data/w32.randex.gen.html
This document and the information contained herein are intended solely for informational use. Enterasys Networks, Inc. makes no representations or warranties of any kind, whether expressed or implied, with respect to this information and assumes no responsibility for its accuracy or completeness. Enterasys Networks, Inc. hereby disclaims all liability and warranty for any information contained herein and all the material and information herein exists to be used only on an "as is" basis. More specific information may be available on request. By your review and/or use of the information contained herein, you expressly release Enterasys from any and all liability related in any way to this information.
A copy of the text of this section is an uncontrolled copy, and may lack important information or contain factual errors. All information herein is Copyright ©Enterasys Networks, Inc. All rights reserved. All information above is subject to change without notice.
Revision History:
| Version | Date | Author | Change |
| 1.0 | 01/13/2005 | ENSRT STAFF | |