W32.Amend.A@mm


Aliases: W32/Amend.A
Variants: Worm.VB.AATF, Worm.Win32.VB.de, W32/YahLover.worm.gen, Win32.SuspectCrc, Win32/Xema.worm.37888.D

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 21 May 2007
Damage: Medium

Characteristics: W32.Amend.A@mm is a mass-mailing worm that can also use removable storage devices as a transport mechanism. It uses the email client to send a copy of itself as a file attachment to unsuspecting recipients found in the computer user's contacts list.

More details about W32.Amend.A@mm

Like the majority of mass-mailing worms, W32.Amend.A@mm reads the contents of the Windows Address Book and uses the entries as recipients for spreading its code. The email message may look innocent enough for the receiver to believe that it is harmless. Normally, a message sent by the W32.Amend.A@mm worm will have the subject line "I love lhw" or "My name is lhw", among others. The name of the file attachment, however, may be random, which complicates detection. This worm has been identified as using the System and Temp folders under the Windows directory as storage locations for its associated files. Files identified with this malware include msconfig.exe, regedit.exe, regedit32.exe, and internat.exe, among others.

The W32.Amend.A@mm malware allegedly drops a copy of its code onto removable storage devices under the filename Comand.com, an attempt to mimic the legitimate command.com file of the Windows environment. This file is always accompanied by an autorun.inf file, which is used to execute the malware automatically once the removable storage device is accessed by the computer user. Recipients of the spiked email message are prompted to execute the file attachment by text such as "Is this the file you want?" in the body of the message. Because the W32.Amend.A@mm worm sends from the infected computer user's account, the recipient is further persuaded to believe that the message is authentic. The Messaging Application Programming Interface (MAPI) is used to send the email messages.
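
A defender can check a removable volume for the Comand.com and autorun.inf pairing described above. The following is an added example, not part of the original write-up: the function names are hypothetical, the sample files are constructed placeholders, and it generalizes slightly by reporting every program an autorun.inf would launch.

```python
import tempfile
from pathlib import Path

DROPPED_NAME = "comand.com"  # look-alike filename this page reports
LAUNCH_KEYS = ("open", "shellexecute")  # autorun.inf keys that start a program

def autorun_targets(inf_path):
    """Return the command lines an autorun.inf would launch."""
    # latin-1 never fails to decode; dropping NULs crudely copes with UTF-16.
    text = inf_path.read_bytes().decode("latin-1").replace("\x00", "")
    targets = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(";") or "=" not in line:
            continue  # comment, section header or blank line
        key, value = (part.strip() for part in line.split("=", 1))
        key = key.lower()
        # Matches open=, shellexecute= and shell\<verb>\command=
        if key in LAUNCH_KEYS or (key.startswith("shell\\") and key.endswith("\\command")):
            targets.append(value)
    return targets

def base_name(command):
    """File name of the program in a command line such as '"X:\\a.exe" /s'."""
    parts = command.split()
    program = parts[0].strip('"') if parts else ""
    return program.replace("\\", "/").rsplit("/", 1)[-1].lower()

def check_volume_root(root):
    """Return findings for the root directory of one removable volume."""
    names = {p.name.lower(): p for p in Path(root).iterdir() if p.is_file()}
    findings = []
    if DROPPED_NAME in names:
        findings.append("lookalike:" + names[DROPPED_NAME].name)
    if "autorun.inf" in names:
        for target in autorun_targets(names["autorun.inf"]):
            hit = base_name(target) == DROPPED_NAME
            findings.append(("autorun-launches-lookalike:" if hit else "autorun-launches:") + target)
    return findings

def demo():
    """Scan a constructed volume root holding harmless placeholder files."""
    with tempfile.TemporaryDirectory() as d:
        (Path(d) / "Comand.com").write_bytes(b"constructed placeholder")
        (Path(d) / "autorun.inf").write_text("[autorun]\nopen=Comand.com\nicon=x.ico\n")
        return check_volume_root(d)

if __name__ == "__main__":
    print(demo())
```

On a Windows host, pass the drive root of the mounted device to `check_volume_root`; an empty list means neither file was found there.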