W32.Ahlem.A@mm


Aliases: W32/Melare@MM, Worm/Melare, Win32/Melare.A@mm, WORM_MELARE.A, Win32/Melare.A
Variants: Email-Worm.Win32.Melare, I-Worm.Melare, W32/Melare@MM, Win32.HLLM.Generic.88, W32/Melare-A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 19 May 2003
Damage: Low

Characteristics: The mass mailing Worm W32.Ahlem.A@mm harvests the contents of the Windows Address Book to send spam messages. The emails normally contain the subject "Alert! SARS is being spread". The message body prompts the user to launch the a.exe attachment file which will launch the malware into the attacked system.

More details about W32.Ahlem.A@mm

The W32.Ahlem.A@mm malware like most Worm variants requires the recipient of the spiked email message to click on the attachment file to activate its payload. To further its deception, the executable file is hidden behind a JPG format image file in an attempt to fool the recipient that the attachment is a harmless picture. When the picture is opened, the executable file is launched and the infection is initiated in the target computer system. The csrss.exe file is extracted into the Windows directory and a relevant key is generated in the Windows Registry. The key allows the W32.Ahlem.A@mm Worm to launch automatically at every reboot or startup instance of the machine.

An additional payload that has been identified with this particular malware is the possibility of deleting files using the OCX, NLS, and DLL file extensions. These files normally reside under the Windows directory where the main executable of the malware is also stored. The process of deleting the files was observed to occur monthly during the 1st, 4th, 8th, 12th, 16th, 20th, 24th and 28th. To manually remove the W32.Ahlem.A@mm malware, the system has to run in Safe Mode. The Registry Editor must be used to remove the keys it added to prevent automatic loading on startup. The other files associated with this malware must also be deleted under this mode. Check the MSCOFIG startup tab to make sure there are no other startup entries. Once all remnants of the malware are removed, the system can be restarted normally.