Fandom

Malware Wiki

Amus

1,345pages on
this wiki
Add New Page
Comments0 Share


Email-Worm.Win32.Amus or Amus is an Internet worm that spreads in email attachments.

Details

Amus is a Windows PE exe file, written in Visual Basic and packed by Yoda. The compressed file size is about 50 KB. Amus is activated only if users double click on the attachment.

Installation

After being launched, Amus creates a unique identifier named Masum and attempts to activate ISpeechVoice.Speak (aka Microsoft Sam) and play the following soundtrack:

How are you. I am back. My name is mister hamsi. I am seeing you. Haaaaaaaa. You must come to turkiye.
I am cleaning your computer. 5. 4. 3. 2. 1. 0. Gule. Gule.

Amus then copies itself into the root directory of the C drive under the name masum.exe and into the Windows folder under the following names:

  • Adapazari.exe
  • Ankara.exe
  • Anti_Virus.exe
  • Cekirge.exe
  • KdzEregli.exe
  • Messenger.exe
  • Meydanbasi.exe
  • My_Pictures.exe
  • Pide.exe
  • Pire.exe

The worm registers the file KdzEregli.exe in the following Windows auto run system registry key:

[HKLM\Software\Microsoft\Windows\CurrentVersion\Run]

 "Microzoft_Ofiz"="%WINDIR%\KdzEregli.exe"

Moreover, Amus creates the following system registry key:

[HKCU\SOFTWARE\Microsoft\Masum\Who]

 "Who"="OnEmLi_DeGiL"

Email

Amus uses MS Outlook to send copies of itself to all recipients listed in the address book.

Subject : Listen and Smile
Attachment name : Masum.exe
Hey. I beg your pardon. You must listen.

Amus does not spoof sender addresses and uses the real address of the infected machine.


Other

Amus is programmed to replace the home page URL in Internet Explorer on the 1, 6, 20 and 25 of each month with the following text:

Konneting du pepil and dizkoneting you. Anlami: Baglansan ne olacak, baglanmasan ne olacak. Zaten hatlar burada rezalet.

On the 2, 15 and 17 of each month, Amus will attempt to delete all .ini files in the Windows folder. While on the 10 and 23 of each month, the worm will attempt to delete all .dll files in the Windows folder.

Videos

Email-Worm.Win3202:52

Email-Worm.Win32.Amus-0

Email-Worm.Win32.Amus by Alles

Email-Worm.Win3202:05

Email-Worm.Win32.Amus

Email-Worm.Win32.Amus by danooct1

Sources

Securelist (Kaspersky Labs), Email-Worm.Win32.Amus.a

Ad blocker interference detected!


Wikia is a free-to-use site that makes money from advertising. We have a modified experience for viewers using ad blockers

Wikia is not accessible if you’ve made further modifications. Remove the custom ad blocker rule(s) and the page will load as expected.