W32/Wurmark.S Worm
Information about the W32/Wurmark.S Worm:
W32/Wurmark.S is a mass-mailing worm and a variant of W32/Wurmark. It infects Windows systems and spreads through email.
The subject of the infected mail will be any one of the following:
Status
approved
Bad Request
corrected
Error
Administration
Thanks!
Thank you for delivery
Extended Mail
Extended Mail System
Failure
hello
important
improved
Encripted Mail
Delivery Server
Delivery Protection
Mail Authentification
Mail Server
Notify
patched
Protected Mail Delivery
Protected Mail Request
Protected Mail System
read it immediately
Secure delivery
Secure SMTP Message
SMTP Server
The body of the infected email will be any one of the following:
Your file is attached.
+++ Bitdefender AntiVirus - www.bitdefender.com
+++ Kaspersky AntiVirus - www.kaspersky.com
+++ MC-Afee AntiVirus - www.mcafee.com
++++ F-Secure AntiVirus - www.f-secure.com
++++ Norman AntiVirus - www.norman.com
++++ Norton AntiVirus - www.symantec.de
Authentication required.
Bad Gateway: The message has been attached.
Delivered message is attached.
Encrypted message is available.
+++ Attachment: No Virus found
Your requested mail has been attached.
ESMTP [Secure Mail System #334]: Secure message is attached.
+++ Panda AntiVirus - www.pandasoftware.com
+++ MessageLabs AntiVirus - www.messagelabs.com
First part of the secure mail is available.
Follow the instructions to read the message.
For further details see the attachment.
For more details see the attachment.
Forwarded message is available.
I have attached your document.
I have received your document. The corrected document is attached.
New message is available.
Now a new message is available.
Partial message is available. Waiting for a Response. Please read the attachment.
Please authenticate the secure message.
Please confirm my request.
Please confirm the document.
Please read the attached file!
Please read the attachment to get the message.
Please read the document.
Please read the important document.
Please see the attached file for details.
Protected Mail System Test.
Protected message is attached.
Protected message is available.
Requested file.
Secure Mail System Beta Test.
See the file.
SMTP: Please confirm the attached message.
Waiting for authentification.
You got a new message.
You have received an extended message. Please read the instructions.
Your details.
Your document is attached to this mail.
Your document is attached.
Your document.
The infected email carries any one of the following attachments:
msg.zip
details.zip
document.zip
message.zip
readme.zip
data.zip
The above-mentioned archives contain the following double-extension files:
Document.txt[blank spaces].exe
Readme.txt[blank spaces].exe
Delails.doc[blank spaces].exe
Data.txt[blank spaces].exe
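A check that a mail gateway or analyst could run on ZIP attachments for the padded double-extension names listed above. This is an added example, not part of the original advisory; the function names, the regular expression and the executable extensions other than .exe are assumptions, and the sample archive is constructed with placeholder contents.

```python
import io
import re
import zipfile

# Real (final) extensions treated as executable. Only .exe is named in the
# advisory; the others are an assumption added for broader coverage.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# Decoy extension, a run of whitespace, then the real extension at the end,
# e.g. "Readme.txt            .exe". The padding pushes ".exe" out of view.
PADDED_DOUBLE_EXT = re.compile(r"\.(\w{1,5})\s+\.(\w{1,5})$")


def suspicious_members(zip_bytes):
    """Return (member_name, decoy_ext, real_ext) for padded double-extension entries."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as archive:
        for name in archive.namelist():
            base = name.rsplit("/", 1)[-1]  # ignore any directory prefix
            match = PADDED_DOUBLE_EXT.search(base)
            if match and match.group(2).lower() in EXECUTABLE_EXTS:
                hits.append((name, match.group(1).lower(), match.group(2).lower()))
    return hits


def build_sample_zip(member_names):
    """Build a constructed in-memory ZIP whose members hold harmless placeholder bytes."""
    buffer = io.BytesIO()
    with zipfile.ZipFile(buffer, "w") as archive:
        for name in member_names:
            archive.writestr(name, b"placeholder")
    return buffer.getvalue()


if __name__ == "__main__":
    # Constructed sample: one padded double-extension name, one ordinary file.
    sample = build_sample_zip(["Readme.txt" + " " * 40 + ".exe", "notes.txt"])
    for name, decoy, real in suspicious_members(sample):
        print(f"flag: {name!r} displays as .{decoy} but runs as .{real}")
```

The check reads only the archive's file listing, so nothing is extracted or executed.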
Upon execution of the infected attachment, the worm copies itself as lsess.exe into the Windows System folder.
The worm modifies the registry at the following locations to load itself at each startup:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
To propagate itself, the worm scans files with the following extensions and collects all available email addresses from the infected system:
xml, cgi, dbx, dhtm, eml, htm, jsp, mbx, mdx, cfg, mht, mmf, msg, nch, doc, ods, oft, php, ppt, rtf, sht, shtm, stm, tbb, txt, uin, vbs, wab, wsh and xls.
The worm emails itself to these addresses using its own SMTP engine.
It also tries to terminate some security-related processes.
This worm first appeared on October 1st, 2005.
Other names of W32/Wurmark.S Worm:
This Worm is also known as WORM_WURMARK.S.