Microsoft Security Advisory (904420): Win32/Mywife.E@mm

Microsoft Security Advisory (904420)
Published: January 30, 2006 | Updated: February 1, 2006

Microsoft wants to make customers aware of the Mywife mass mailing malware variant named Win32/Mywife.E@mm. The mass mailing malware tries to entice users through social engineering efforts into opening an attached file in an e-mail message. If the recipient opens the file, the malware sends itself to all the contacts that are contained in the system’s address book. The malware may also spread over writeable network shares on systems that have blank administrator passwords.


You have a few days to make sure your AV is up to date and that you have run a full scan of ALL of your PC’s on your network.

I have included the full post from MS website in the extended entry below, but as always, use the MS website at the link above to get the most up to date information.

Customers who are using the most recent and updated antivirus software could be at a reduced risk of infection from the Win32/Mywife.E@mm malware. Customers should verify this with their antivirus vendor. Antivirus vendors have assigned different names to this malware but the Common Malware Enumeration (CME) group has assigned it ID CME-24.

On systems that are infected by Win32/, the malware is intended to permanently corrupt a number of common document format files on the third day of every month. February 3, 2006 is the first time this malware is expected to permanently corrupt the content of specific document format files. The malware also modifies or deletes files and registry keys associated with certain computer security-related applications. This prevents these applications from running when Windows starts. For more information, see the Microsoft Virus Encyclopedia.

As with all currently known variants of the Mywife malware, this variant does not make use of a security vulnerability, but is dependent on the user opening an infected file attachment. The malware also attempts to scan the network looking for systems it can connect to and infect. It does this in the context of the user. If it fails to connect to one of these systems, it tries again by logging on with “Administrator” as the user name together with a blank password.

Customers who believe that they are infected with the Mywife malware, or who are not sure whether they are infected, should contact their antivirus vendor. Alternatively, Windows Live Safety Center Beta Web site provides the ability to choose “Protection Scan” to ensure that systems are free of infection. Additionally, the Windows OneCare Live Beta, which is available for English language systems, provides detection for and protection against the Mywife malware and its known variants.

For more information about the Mywife malware, to help determine whether you have been infected by the malware, and for instructions on how to repair your system if you have been infected, see the Microsoft Virus Encyclopedia. For Microsoft Virus Encyclopedia references, see the “Overview” section. We continue to encourage customers to use caution with unknown file attachments and to follow our Protect Your PC guidance of enabling a firewall, getting software updates, and installing antivirus software. Customers can learn more about these steps by visiting the Protect Your PC Web site.

Authentium W32/Kapser.A@mm
AntiVir Worm/KillAV.GR
Avast! Win32:VB-CD [Wrm]
AVG Worm/Generic.FX
BitDefender Win32.Worm.P2P.ABM
ClamAV Worm.VB-8
Command W32/Kapser.A@mm (exact)
Dr Web Win32.HLLM.Generic.391
eTrust-INO Win32/Blackmal.F!Worm
eTrust-VET Win32/Blackmal.F
F-Prot W32/Kapser.A@mm (exact)
F-Secure Email-Worm.Win32.Nyxem.e
Fortinet W32/Grew.A!wm
Ikarus Email-Worm.Win32.VB.BI
Kaspersky Email-Worm.Win32.Nyxem.e
McAfee W32/MyWife.d@MM
Nod32 Win32/VB.NEI worm
Norman W32/Small.KI (W32/Small.KI@mm)
Panda W32/Tearec.A.worm (W32/MyWife.E.Worm)
QuickHeal I-Worm.Nyxem.e
Sophos W32/Nyxem-D
Symantec W32.Blackmal.E@mm
VBA32 Email-Worm.Win32.VB.b
VirusBuster Worm.P2P.VB.CIL