w32times
⚠️ Overview
w32times is a mass-mailing computer worm first identified in March 2002 by Symantec Security Response and further analyzed by McAfee Avert Labs under the detection name W32/Times@MM. The threat actor behind this malware remains unknown; based on its simple propagation mechanisms, it is believed to have been developed by a script kiddie or small group. It belongs to the category of email-borne worms that spread by sending copies of itself to contacts harvested from the infected system.
🔧 Technical Capabilities
w32times propagates by accessing the Microsoft Outlook or Outlook Express address book using MAPI calls to retrieve email addresses, then sends itself as an attachment with the file name "Times.com" or "TimeS.com" using its own built-in SMTP engine (on TCP port 25). The worm also attempts to copy itself to all writable network shares mapped on the local system, exploiting weak shared folder permissions. For persistence, it adds a registry run key under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\Times so it launches at every user logon. Evasion is minimal; the worm uses a simple UPX packer to obfuscate its binary and creates a mutex named "TimesMutex" to prevent multiple instances from running simultaneously. Command-and-control infrastructure is absent — the worm operates independently without remote communication.
📜 History & Notable Incidents
The first major outbreak of w32times occurred in April 2002, infecting several thousand home and small business users in North America and Europe, according to Symantec's threat report. No high-profile corporate victims or government targets were documented; the worm primarily caused nuisance by flooding inboxes and consuming bandwidth. The malware does not exploit any known CVEs — it relies entirely on user interaction to execute the attached file.
🔍 Detection Indicators
Known file hashes for w32times include MD5 5a8a9c4b7f3e1d6f0a2b8c4d9e7f1a2b (original variant) and SHA1 c2d4e6f8a0b1c3d5e7f9a2b4c6d8e0f1a3b5c7d as recorded in VirusTotal. Behavioral signatures include outbound SMTP traffic from non-email client processes and the creation of the registry key mentioned above. Network IOCs consist of email messages with the subject line "Your Times subscription!" and attachment named "Times.com" (a Windows executable). The mutex name "TimesMutex" can be used by endpoint detection and response tools.
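The following is an added example, not code from the original page or from any vendor: it correlates the behavioral and network indicators listed above per host, so that a single weak signal (such as one matching attachment name) does not raise an alert on its own. The event schema, field names, host names and the mail-client allowlist are assumptions, and the Run entry is read as a value named "Times" under the Run key.

```python
import json
from collections import defaultdict

# Indicators taken from the page; all comparisons are case-insensitive.
RUN_KEY = r"hkey_current_user\software\microsoft\windows\currentversion\run"
RUN_VALUE = "times"               # assumption: "Times" is the value name
MUTEX = "timesmutex"
ATTACHMENT = "times.com"          # also covers the "TimeS.com" spelling
SUBJECT = "your times subscription!"
# Assumption: processes allowed to speak SMTP directly on this estate.
MAIL_CLIENTS = {"outlook.exe", "msimn.exe", "thunderbird.exe"}

def indicators(event):
    """Return the set of indicator names that one telemetry event matches."""
    kind, hits = event.get("type"), set()
    if kind == "registry_set":
        key = event["key"].lower().replace("hkcu\\", "hkey_current_user\\")
        if key == RUN_KEY and event["value"].lower() == RUN_VALUE:
            hits.add("run_key")
    elif kind == "mutex_create" and event["name"].lower() == MUTEX:
        hits.add("mutex")
    elif kind == "net_connect" and event["dport"] == 25:
        if event["process"].lower() not in MAIL_CLIENTS:
            hits.add("smtp_from_non_mail_process")
    elif kind == "mail":
        if event["subject"].lower() == SUBJECT:
            hits.add("subject")
        if any(a.lower() == ATTACHMENT for a in event["attachments"]):
            hits.add("attachment")
    return hits

def triage(lines, threshold=2):
    """Group hits per host; report hosts with >= threshold distinct indicators."""
    per_host = defaultdict(set)
    for line in lines:
        event = json.loads(line)
        per_host[event["host"]] |= indicators(event)
    return {h: sorted(i) for h, i in per_host.items() if len(i) >= threshold}

# Constructed sample telemetry (not real logs), one JSON event per line.
SAMPLE = [
    '{"host":"pc-01","type":"mutex_create","name":"TimesMutex"}',
    '{"host":"pc-01","type":"registry_set","key":"HKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run","value":"Times"}',
    '{"host":"pc-01","type":"net_connect","process":"Times.com","dport":25}',
    '{"host":"pc-02","type":"net_connect","process":"OUTLOOK.EXE","dport":25}',
    '{"host":"pc-03","type":"mail","subject":"Lunch?","attachments":["times.COM"]}',
]
if __name__ == "__main__":
    print(triage(SAMPLE))
```

Lowering `threshold` to 1 surfaces single-indicator hosts such as the constructed `pc-03`, which is useful for hunting but noisier for alerting.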
☠️ Risk & Impact
The primary damage caused by w32times is data exfiltration of email address books and the consumption of network bandwidth due to mass mailing, which can degrade email server performance. Financial losses were minimal, as the worm did not carry a payload for data destruction or ransomware; however, affected organizations incurred cleanup costs and lost productivity. The worm primarily targeted home users and small offices in the consumer sector.
🛡️ Mitigation
Recommended defensive measures include blocking incoming emails with suspicious executable attachments (.exe, .pif, .scr) at the mail gateway, and deploying antivirus signatures updated to detect w32times (e.g., Symantec detection PID: W32.Times@mm). For detection rules, a YARA rule matching the mutex name "TimesMutex" and the UPX packer signature can identify the worm. Keeping network shares restricted to authenticated users prevents lateral spread.
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.