Kaspersky Threats — Mawanella

Class

Platform

Description

Technical Details

This Internet worm spreads via e-mail messages using MS Outlook. The worm is written in Visual Basic Script language (VBS) and spreads as a “Mawanella.vbs”
file attached to an e-mail message.

This is a typical Loveletter-like VBS worm; however, it is encrypted (encoded) to bypass heuristic scanners.

This worm spreads via e-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook, and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected
computer sends as many messages to as many addresses that are kept in the MS Outlook contacts list.

It works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WHS is installed by default. To
spread itself, the worm accesses MS Outlook and uses its functions and address lists. This is available in Outlook 98/2000 only, so the worm is able to spread only in the case that one of these MS Oulook versions is installed.

The infected message in the original worm version appears as follows:

Subject = “Mawanella”
Body = “Mawanella is one of the Sri Lanka’s Muslim Village”
Attached file name = “Mawanella.vbs”

If a computer doesn’t have MS Outlook installed, the worm simply displays a message:

Please Forward this to everyone

After spreading, the worm displays the following message:

The worm doesn’t mark infected computers in any way, thus it will send infected messages each time a user activates the worm’s VBS file.

Class	Email-Worm
Platform	VBS
Description	Technical Details This Internet worm spreads via e-mail messages using MS Outlook. The worm is written in Visual Basic Script language (VBS) and spreads as a “Mawanella.vbs” file attached to an e-mail message. This is a typical Loveletter-like VBS worm; however, it is encrypted (encoded) to bypass heuristic scanners. This worm spreads via e-mail by sending infected messages from infected computers. While spreading, the worm uses MS Outlook, and sends itself to all addresses that are stored in the MS Outlook Address Book. As a result, an infected computer sends as many messages to as many addresses that are kept in the MS Outlook contacts list. It works only on computers on which the Windows Scripting Host (WSH) is installed. In Windows 98 and Windows 2000, WHS is installed by default. To spread itself, the worm accesses MS Outlook and uses its functions and address lists. This is available in Outlook 98/2000 only, so the worm is able to spread only in the case that one of these MS Oulook versions is installed. The infected message in the original worm version appears as follows: Subject = “Mawanella” Body = “Mawanella is one of the Sri Lanka’s Muslim Village” Attached file name = “Mawanella.vbs” If a computer doesn’t have MS Outlook installed, the worm simply displays a message: Please Forward this to everyone After spreading, the worm displays the following message: The worm doesn’t mark infected computers in any way, thus it will send infected messages each time a user activates the worm’s VBS file.

Email-Worm.VBS.Mawanella

Technical Details