W32.Badass.24576


Aliases: Troj_Crazy, Badass.Worm, I-worm.Badass, Email-Worm.Win32.BadAss
Variants: W32/Badass@MM, W32.Badass.24576, Win32.HLLW.BadAss.24576, W32/Badass, Win32/BadAss@mm, WORM_BADASS.A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 13 Oct 1999
Damage: Low

Characteristics: The W32.Badass.24576 is an email worm capable of spreading to the Internet thru the MS Outlook application. The worm is a Windows executable file that is created using the Microsoft Visual Basic programming language.

More details about W32.Badass.24576

The email worm W32.Badass.24576 is allegedly based on the popular macro-virus worm Melissa. The worm’s sequence instructions and functions are very similar to the source code of Melissa. The 2 worms both mark their activation in the Windows Registry. The marker for the W32.Badass.24576 worm is HK_CurrentUser\ SoftWare\ VB and VBA Program Settings\ Windows\ CurrentVersion with the CMCTL32 value. It is important to note that if the worm’s marker is present in the machine, the worm’s payload is not launched. Every time that the worm is run, it will display a pop-up vulgar message that says “An error has occurred probably because your c**t smells bad. Is this really so?”. Upon clicking the YES option, the worm will then display the message “Contact your local supermarket for toiletpaper and soap to solve this problem.”

The worm W32.Badass.24576 can spread through the Internet in email messages that contain an infected attachment. This attachment has the filename BADASS.EXE. It can however be renamed manually so it can also spread under other names. When a user receives an infected attachment and opens it, the worm will take control and will carry out its primary payload. The payload involves the display of messages and the opening of the MS Outlook contacts database so that it can acquire email addresses. The worm will then send infected attachments to all the acquired email addresses. The subject of the email is “Moguh..” with the message being “Dit is wel grappig! J”.