TUCoPS :: Malware :: ciacl056.htm

The Naked Wife (W32.Naked@mm) Trojan
The Naked Wife (W32.Naked@mm) Trojan Privacy and Legal Notice


L-056: The Naked Wife (W32.Naked@mm) Trojan

March 6, 2001 21:00 GMT

PROBLEM: A new Trojan program is spreading rapidly around the Internet. The program travels as an executable attachment to an e-mail message purporting to be a flash movie of a naked wife.
PLATFORM: Windows 95, 98, NT, ME, and 2000 with Outlook installed.
DAMAGE: The Trojan destroys multiple files in the Windows and Windows\System folders. If the Trojan is allowed to run to completion, Windows will no longer be able to run and must be reinstalled along with most of your applications. The Trojan does not destroy documents or other user files.
SOLUTION: Do not run executable files attached to e-mail messages unless you were expecting to receive that executable file. Update your virus definitions as soon as the vendors have new signatures available. If you have run this Trojan, you must reinstall Windows and all your applications.

Risk is HIGH. The Trojan is spreading on the net and does serious damage to a computer's operating system.

The Naked Wife (W32.Naked@mm) Trojan

CIAC has information that a new Trojan is rapidly spreading around the Internet. Much like the VBS macro viruses that have been making the rounds lately, this Trojan spreads by using Microsoft Outlook to e-mail itself to everyone in your Outlook address books. This Trojan is not a VBS script file but is a fully compiled Visual Basic executable (.EXE) file. The Trojan is included as an attachment in an e-mail message with the following properties:

From: CurrentUser
Subject: Fw: Naked Wife
Body: My wife never look like that! ;-)
Best Regards, CurrentUser
Attachment: NakedWife.exe

Here, CurrentUser is replaced with the Outlook registered name of the person on whose machine the Trojan is currently running.

The executable attachment appears to be a viewer with pictures of a naked wife but is actually the Trojan program. If you run it, a window opens that looks like a Flash movie reader loading a movie named "JibJab".

The only menu on the window that works is the Help, About command which diaplays a dialog box with a nasty message. While the movie appears to be loading, the Trojan is actually sending itself to everyone in your Outlook address book. When it finishes sending itself, it starts deleting files with the following extensions from your Windows and Windows\System directories.


If the Trojan is allowed to run to completion, your system will not continue running and will not be bootable. Luckily, the Trojan does not destroy documents and other personal files.


Recovery from this Trojan requires the complete reinstallation of your operating system and most of your programs. Any program that stores files in the Windows or Windows\System directories will also be damaged and must be reinstalled. This includes most commercial office applications. Luckily, your personal files and documents are probably not damaged. After your system is working again, look for and delete all files with the name:


As soon as your antivirus company has a signature available, scan your system and delete any files identified as having this Trojan.

CIAC services are available to DOE, DOE Contractors, and the NIH. CIAC can be contacted at:
    Voice:          +1 925-422-8193 (7 x 24)
    FAX:            +1 925-423-8002
    STU-III:        +1 925-423-2604
    E-mail:          ciac@llnl.gov
    World Wide Web:  http://www.ciac.org/
                     (same machine -- either one will work)
    Anonymous FTP:   ftp.ciac.org
                     (same machine -- either one will work)

This document was prepared as an account of work sponsored by an agency of the United States Government. Neither the United States Government nor the University of California nor any of their employees, makes any warranty, express or implied, or assumes any legal liability or responsibility for the accuracy, completeness, or usefulness of any information, apparatus, product, or process disclosed, or represents that its use would not infringe privately owned rights. Reference herein to any specific commercial products, process, or service by trade name, trademark, manufacturer, or otherwise, does not necessarily constitute or imply its endorsement, recommendation or favoring by the United States Government or the University of California. The views and opinions of authors expressed herein do not necessarily state or reflect those of the United States Government or the University of California, and shall not be used for advertising or product endorsement purposes.
[Privacy and Legal Notice]

TUCoPS is optimized to look best in Firefox® on a widescreen monitor (1440x900 or better).
Site design & layout copyright © 1986-2024 AOH