W32.Aliz.Worm


Aliases: I-Worm.Aliz, W32/Aliz.A, WORM_ALIZ.A, Win32.Aliz.4098, W32/Aliz@MM
Variants: Win32.Aliz, Aliz, TROJ_ALIZ.A, Win32/Aliz.A worm, Aliz.4096

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 22 May 2001
Damage: Low

Characteristics: Written in assembly language, W32.Aliz.Worm is a mass-mailing worm. Like most malware in this category, it harvests all email addresses stored in the Windows Address Book and uses them to spread its code to other vulnerable systems.

More details about W32.Aliz.Worm

Most computer security experts consider the W32.Aliz.Worm malware dormant because its ability to replicate is limited to computer systems running the Microsoft Windows 9X operating system platform. The malware carries its own SMTP engine, which allows it to send email messages without the user's knowledge. The SMTP server address it uses is obtained automatically from the Internet Account Manager settings of the victimized computer system. Access to the Windows Address Book entries is likewise gained through keys found in the Windows Registry. In general, the W32.Aliz.Worm program makes use of a MIME exploit to deliver its payload and infect the target computer system.

The W32.Aliz.Worm program has a hard-coded list of subject lines, from which it chooses at random when sending spiked email messages to target computer systems. The subject line also makes the message appear to have been received from another computer user and forwarded to the new recipient. This is presumably done to give the recipient a false sense of security, by suggesting that the message has already been opened by previous recipients. In some instances of infection, the malware was observed to create the file whatever.exe, which carries a read-only attribute.