The Mywife.E Worm

Here is an update from the Microsoft anti-malware team regarding the recent variant of the Mywife mass mailing worm. The mails' subject and body may vary. However they include an attachment that looks like a ZIP file while it is actually a malicious executable file. The naming for this worm is really all over the place (such as Nyxem, Blackmal, Grew, Kasper, and Tearec) but most vendors have been referring to it in their write-ups using its CME ID of 24. Our analysis of the worm can be found here. As described in the write-up, the worm will corrupt common document format files, first on February 3rd 2006 and on the third day of every month moving forward. As always, we strongly recommend running an up-to-date antivirus program on your computers and being wary of opening suspicious e-mail attachments even if they were sent from a familiar mail address.

Microsoft releases a new version of the Windows Malicious Software Removal Tool every month on the second Tuesday of the month together with the other security updates. The next version, targeted for release on February 14th will detect and remove this worm. Also, the beta version of Windows OneCare Live protects against this threat. It can be obtained here:  https://www.windowsonecare.com.

Finally, there has been significant discussion regarding the web-based counter that the worm uses and attempts to map the values of the counter to infection statistics. Our investigation has revealed that the web counter that is incremented by the malicious software is being artificially manipulated by outside parties.  It is therefore not a trustworthy indication of the infection rate or of the total of infected computers.  Instead, we utilize our industry partnerships as well as our own internal data to help gauge the impact to customers.  This information has revealed that the attack is limited at this time.