Aliases: w32.ajm, worm_bihup.a
Variants: W32/Bihup.worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: North and South America
Removal: Easy
Platform: W32
Discovered: 02 Aug 2002
Damage: Low

Characteristics: Classified as a mass mailing Worn, it scans addresses from unread email messages. The W32.AJM.Worm creates an email message with both the subject and the body written in the Korean language. It also includes the attachments Heddink.exe, Go Korea.exe, RedDevil.exe, WorldCup.exe, and 2002.exe in the email.

More details about W32.AJM.Worm

Normally, mass mailing Worm variants target the contents of the Windows Address Book in order to harvest stored email addresses. In the case of the W32.AJM.Worm, it accomplishes this by extracting the User32Rem.exe, UserGDL.exe, BihUpdate.exe, SysRtw32.exe, Win32Dll.exe, MsCrt32.exe, and Temp32.exe into the System folder of the Windows directory. A corresponding key which points to the location of these files are included in the Windows Registry in order to allow the W32.AJM.Worm to load on system boot up. What has been consistently observed is that every email sent by the W32.AJM.Worm seems to contain the text "G0 Go 2002 World Cup Corea ! !" in its message body. The email message is likewise accompanied by a file attachment that usually has an EXE file extension. In some instances, the file extension may be masked by placing the payload behind an image file.

It has also been observed that the W32.AJM.Worm may vary its message depending on the month and day of the week. The date July 7th seems to hold a special meaning for the malware wherein it disrupts the behavior of the cursor by resetting its position. The same goes with the date January 1st wherein the cursor is confined in a specific rectangular area of the computer screen. Removing the W32.AJM.Worm malware manually may involve deleting all files extracted into the system.