Security Advisory
Microsoft Security Advisory 904420
Win32/Mywife.E@mm
Published: January 30, 2006 | Updated: February 01, 2006
Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.
Customers using Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003, or Windows Server 2003 Service Pack 1 may be at reduced risk from this malware; if the account password is blank, the account is not valid as a network credential. In an environment where you can guarantee physical security, you do not need to use the account across the network, and you are using Windows XP or Windows Server 2003, a blank password is better than a weak password. By default, blank passwords can only be used locally in Windows XP and Windows Server 2003.
Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.
On systems that are infected by Win32/Mywife@E.mm, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts. For more information, see the Microsoft Virus Encyclopedia.
As with all currently known variants of the Mywife malware, this variant does not make use of a security vulnerability, but is dependent on the user opening an infected file attachment. The malware also attempts to scan the network looking for systems it can connect to and infect. It does this in the context of the user. If it fails to connect to one of these systems, it tries again by logging on with "Administrator" as the user name together with a blank password.
Customers who believe that they are infected with the Mywife malware, or who are not sure whether they are infected, should contact their antivirus vendor. Alternatively, Windows Live Safety Center Beta Web site provides the ability to choose “Protection Scan” to ensure that systems are free of infection. Additionally, the Windows OneCare Live Beta, which is available for English language systems, provides detection for and protection against the Mywife malware and its known variants.
For more information about the Mywife malware, to help determine whether you have been infected by the malware, and for instructions on how to repair your system if you have been infected, see the Microsoft Virus Encyclopedia. For Microsoft Virus Encyclopedia references, see the “Overview” section. We continue to encourage customers to use caution with unknown file attachments and to follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.
General Information
Overview
Purpose of Advisory: To make customers aware of the Win32/Mywife.E@mm malware that targets systems that are running Microsoft Windows.
Advisory Status: Advisory published
Recommendation: Review the suggested actions, scan for infected systems, and clean infected systems.
| References | Identification |
|---|---|
| Microsoft Virus Encyclopedia | Win32/Mywife.E@mm |
| Windows OneCare | https: |
| Windows Live SafetyCenter Beta | </https:>https: |
| CME Reference | CME-24 |
This advisory discusses the following software.
| Related Software |
| Microsoft Windows 2000 Service Pack 4 |
| Microsoft Windows XP Service Pack 1 |
| Microsoft Windows XP Service Pack 2 |
| Microsoft Windows XP Professional x64 Edition |
| Microsoft Windows Server 2003 |
| Microsoft Windows Server 2003 for Itanium-based Systems |
| Microsoft Windows Server 2003 Service Pack 1 |
| Microsoft Windows Server 2003 with SP1 for Itanium-based Systems |
| Microsoft Windows Server 2003 x64 Edition |
| Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) |
Frequently Asked Questions
What is the scope of the advisory?
To make customers aware of the Mywife malware that affects Windows-based computers and to describe steps they can take to help prevent and remediate possible infection.
Is this a security vulnerability that requires Microsoft to issue a security update?
No. This is not a security vulnerability. This advisory is being issued to provide additional information for users who could be infected by the Mywife malware.
What is the potential damage?
On the third day of every month, beginning Friday February 3, this variant of the malware resets the content of files that have specific file name extensions. It searches for files on the hard disk that have the following file name extensions and replaces their contents with "DATA Error [47 0F 94 93 F4 K5]":
- .doc
- .xls
- .mdb
- .mde
- .ppt
- .pps
- .zip
- .rar
- .psd
- .dmp
For more information, see the Microsoft Virus Encyclopedia.
Some sources indicate that millions of computers are infected. How does Microsoft scope the infection? Our analysis has determined that the Web counter is being artificially manipulated. The data the Web counter references is not a trustworthy indication of infection rate or of the total of infected computers. Instead, we use our industry partnerships and our own internal data to help gauge the impact to customers. This information has revealed that the attack is much more limited and is not in the range of millions at this time.
Will my antivirus software help protect me from exploitation of this malware?
The following members of the Virus Information Alliance have indicated that their antivirus software helps provide protection from exploitation of the Mywife malware.
| Aladdin |
| Computer Associates |
| F-Secure |
| Kaspersky |
| McAfee |
| Norman |
| Panda |
| Symantec |
| Trend Micro |
| ESET |
| Sophos |
Suggested Actions
Use up-to-date antivirus software
Most antivirus software can detect and prevent infection by known malicious software. You should always run antivirus software that is automatically updated with the latest signature files to help protect you from infection. If you do not have antivirus software installed, you can get it from one of several companies. For more information, visit the following Web site: </https:>https:Use caution with unknown attachments
Use caution before you open unknown e-mail attachments, even if you know the sender. If you cannot confirm with the sender that a message is valid and that an attachment is safe, delete the message immediately. Then, run up-to-date antivirus software to check your computer for viruses.Use strong passwords
Strong passwords on all privileged user accounts, including the Administrator account, will help block this malware's attempt to spread through network shares.Note In an environment where you can guarantee physical security, you do not need to use the account across the network, and you are using Windows XP or Windows Server 2003, a blank password is better than a weak password. By default, blank passwords can only be used locally in Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003, and Windows Server 2003 Service Pack 1. If the account password is blank, the account is not valid as a network credential. For more information, see the product documentation
Protect Your PC
We continue to encourage customers follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.For more information about staying safe on the Internet, customers can visit theMicrosoft Security Home Page.
Other Information
Resources:
- You can provide feedback by completing the form by visiting the following Web site.
- Customers in the U.S. and Canada can receive technical support from Microsoft Product Support Services. For more information about available support options, see the Microsoft Help and Support Web site.
- International customers can receive support from their local Microsoft subsidiaries. For more information about how to contact Microsoft for international support issues, visit the International Support Web site.
- The Microsoft TechNet Security Web site provides additional information about security in Microsoft products.
Disclaimer:
The information provided in this advisory is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:
- January 30, 2006: Advisory published
- February 1, 2006: Additional information about the blank password restriction functionality in Windows XP Service Pack 1, Windows XP Service Pack 2, Windows Server 2003, and Windows Server 2003 Service Pack 1. Added link to Virus Information Alliance member Sophos.
Built at 2014-04-18T13:49:36Z-07:00 </https:>