Aliases: W32.Pops@mm
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 16 Jan 2002
Damage: Low

Characteristics: W32.Pops was discovered on January 16, 2002, . This is a Microsoft Outlook worm that attempts to send itself to all email addresses listed in the Microsoft Outlook address book. This worm has two variants, namely Variant A and Variant B. Variant A is 5 KB in size, while variant B is about 7 KB in size. These two variants are upx packed. Since it is a Microsoft Outlook worm, it mostly affects Windows operating systems.

More details about W32.Pops

Also known as W32.Pops@mm, if this worm is executed, variants A and B begin to perform their assigned task. Variant A is responsible in sending itself to all email addresses in the Microsoft Outlook address book. The mail has the following characteristics: “cute worm” as the subject, “the attached file is compressed picture of a worm..click it” as the body message and Worm.com is the file attachment. Variant B attempts to produce a copy of itself when the worm is executed. The following files are copied: Startup.com, Sex.com, Janis.com and Betlog.bin. Afterwards, the worm adds few values to the system registry keys then it attempts to send itself to all email addresses using a malicious message.

This W32.Pops program is known for creating a backdoor on the affected system. This backdoor allows an unauthorized user to gain access and take partial control of the affected computer. The program waits for commands from the remote user through an open port. Some changes are made by this program on the machine. Reports indicate that the program injects codes on the exlorere.exe file. This enables the program to hide its activities on the user’s computer. The application starts up each time the system is opened. It stays resident on the affected computer.