W32.Barten@mm


Aliases: W32/Barten@mm
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Fast
Geographical info: South America, Europe, USA, some parts of Asia
Removal: Easy
Platform: W32
Discovered: 06 Feb 2008
Damage: Low

Characteristics: W32.Barten@mm is a mass-mailing worm capable of propagating via Microsoft Messenger and email.

More details about W32.Barten@mm

The W32.Barten@mm worm has been identified as an undesirable application that should never be left running on a computer, because its execution leads to the execution of other misleading, harmful, or undesirable programs. When the worm is run on the compromised system, it creates the file C:\Windows\System\rmsx.exe. It then modifies the registry by adding a value so that it executes at Windows startup. The worm also uses the msmsgs.exe-embedded command so that Windows Messenger runs silently in the background. Next, it contacts a number of email addresses via SMTP. These addresses include vac78768@terra.com.br, junrr678fb@terra.com.br, bernitito343@terra.com.br, marimarr4232@terra.com.br, genufill32323@terra.com.br, herdted8667@terra.com.br, junrr621@terra.com.br, felizbiz45667ma@terra.com.br, candelala23@terra.com.br, barlotado@terra.com.br, and barata111@terra.com.br.

The W32.Barten@mm worm has been observed sending variations of a Portuguese-language instant message to all contacts found in the Microsoft Messenger’s address book. The message also contains a link to the website http:// www.interim.co.kr/bbs/data/__zbSessionTMP/vide[REMOVED]. When a recipient visits this website, the worm may drop another copy of itself, plus the code of another security risk, onto the infected machine.