Aliases: I-Worm.Antiman.D1, Email-Worm.Win32.Antiman.c, W32/Antiman-D, Win32/Antiman.worm.44544, W32/Generic.Delphi.c
Variants: not-a-virus:AdWare.Win32.AdMoke, Email-Worm.Win32.Antiman, WORM_ANTIMAN, W32/Antiman@MM

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Europe, North America
Removal: Hard
Platform: W32
Discovered: 25 Apr 2005
Damage: Low

Characteristics: The W32.Antiman.A@mm malware is equipped with a Simple Mail Transfer Protocol engine allowing it to freely send email messages to addresses harvested from the infected machine. As a mass mailing Worm, its payload delivery requires the recipient to launch its attached file. This is done via misleading email message contents.

More details about W32.Antiman.A@mm

As a mass mailing Worm, the W32.Antiman.A@mm program normally arrives at a targeted computer system as a seemingly innocent file attachment. When launched, it extracts the file funny.scr into the Windows directory. A certain Windows Registry key is searched to install an instance of its main executable file. This causes the malware to automatically load at every startup or reboot process. Another file named startwin.exe is placed by the W32.Antiman.A@mm program into the Startup subfolder of the user's account. Another file called m.txt is placed in the root directory of the main hard drive. The keys SCRNSAVE.EXE and ScreenSaveTimeOut are added into the system's Windows Registry key. Email addresses are retrieved by the W32.Antiman.A@mm program from the email's outbox, inbox, and deleted items folders of Microsoft Outlook. The log files of the Yahoo! Instant Messenger client is also inspected by this malware to gather more email addresses to target.

The W32.Antiman.A@mm malware's own SMTP engine coordinates with the SMTP server of the hijacked machine to make sure that all email messages are successfully sent to their intended recipients. The W32.Antiman.A@mm malware chooses from a predefined set of subject lines, message body, and file attachment names when attempting to send out email messages to the harvested email addresses. The file attachments may have one or more file extensions. Regardless of the number of file extensions used, EXE will always be the last extension of the file attachment.