Anti-Malware Engineering Team

This blog provides information about what's happening in the anti-malware technology team at Microsoft. We're the team that builds the core antivirus, antispyware, anti-rootkit, and related technology, which is then used across a number of Microsof

Blogs

The Mywife.E Worm

  • Comments 1
  • Likes

Here is an update from the Microsoft anti-malware team regarding the recent variant of the Mywife mass mailing worm. The mails' subject and body may vary. However they include an attachment that looks like a ZIP file while it is actually a malicious executable file. The naming for this worm is really all over the place (such as Nyxem, Blackmal, Grew, Kasper, and Tearec) but most vendors have been referring to it in their write-ups using its CME ID of 24. Our analysis of the worm can be found here. As described in the write-up, the worm will corrupt common document format files, first on February 3rd 2006 and on the third day of every month moving forward. As always, we strongly recommend running an up-to-date antivirus program on your computers and being wary of opening suspicious e-mail attachments even if they were sent from a familiar mail address.

Microsoft releases a new version of the Windows Malicious Software Removal Tool every month on the second Tuesday of the month together with the other security updates. The next version, targeted for release on February 14th will detect and remove this worm. Also, the beta version of Windows OneCare Live protects against this threat. It can be obtained here:  http://www.windowsonecare.com.

Finally, there has been significant discussion regarding the web-based counter that the worm uses and attempts to map the values of the counter to infection statistics. Our investigation has revealed that the web counter that is incremented by the malicious software is being artificially manipulated by outside parties.  It is therefore not a trustworthy indication of the infection rate or of the total of infected computers.  Instead, we utilize our industry partnerships as well as our own internal data to help gauge the impact to customers.  This information has revealed that the attack is limited at this time.

Comments
  • I've read that this virus will start destroying customer data on February 3, and has already infected over a million computers.

    [http://msmvps.com/blogs/harrywaldron/archive/2006/01/26/81843.aspx]

    Is releasing a new malware removal tool on February 14 a little like "closing the stable door after the horse has bolted"?

    As you say, OneCare takes care of this already - does http://safety.live.com?

    Are there other scan / removal tools that we could be pointing friends and family to in advance of February 3?

Your comment has been posted.   Close
Thank you, your comment requires moderation so it may take a while to appear.   Close
Leave a Comment