Aliases: I-Worm.Wormex
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 25 Jul 2003
Damage: Low

Characteristics: Early Bird is a mass-mailing worm. It uses email to collect files from the compromised computer. The worm automatically sends itself to the email addresses it gathers from files on the infected computer; mostly, it takes the contacts from the Microsoft Outlook Address Book. The email attachment may have an .exe, .scr, or .zip file extension. The worm also alters the local hosts file to prevent access to various websites.
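Because the worm alters the local hosts file to block websites, auditing that file is a quick triage check. The following is an added example, not part of the original write-up: it assumes the blocking is done by pointing hostnames at loopback or unspecified addresses (the page does not say how), and the name `audit_hosts` and the sample entries are constructed for illustration.

```python
import ipaddress

# Names that normally resolve to loopback in an untouched hosts file.
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample hosts file content (not taken from a real infection).
SAMPLE = """\
# Copyright (c) 1993-1999 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
127.0.0.1       update.av-vendor.example   # constructed entry
0.0.0.0         www.security-site.example downloads.security-site.example
10.0.0.5        intranet
203.0.113.7     portal.example.test
"""

def audit_hosts(text):
    """Return (line_no, address, hostname, reason) for entries worth reviewing."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        entry = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not entry:
            continue
        fields = entry.split()
        try:
            addr = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, fields[0], "", "malformed"))
            continue
        if len(fields) < 2:
            findings.append((line_no, str(addr), "", "malformed"))
            continue
        for name in fields[1:]:                   # one line may carry several names
            host = name.lower().rstrip(".")
            if host in LOCAL_NAMES:
                continue
            if addr.is_loopback or addr.is_unspecified:
                # Hostname forced to a dead address: lookups for it never leave the box.
                findings.append((line_no, str(addr), host, "blackholed"))
            elif "." in host:
                # Fully qualified name pinned to a fixed address: review who added it.
                findings.append((line_no, str(addr), host, "overridden"))
    return findings

if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE):
        print(finding)
```

On a live system, pass the contents of the actual hosts file instead of `SAMPLE`; "overridden" entries can be legitimate and only need a human look.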

More details about W32.Earlybird@mm

This worm usually affects Microsoft IIS, Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP operating system platforms. If the host is running IIS or Apache, the worm attempts to set itself up in the root directory of the Web server. It browses for and infects files in the Kazaa and eDonkey download folders. The author created the worm in Delphi. Because of its backdoor capabilities, the worm automatically modifies system folders and continuously creates winstart.exe files. By doing so, the worm runs each time Windows starts. It also patches itself in to run whenever a file with the extension .com, .bat, or .txt is run. Users may also check for the "InetPub", "InetPub\wwwroot" and "Apache" folders. If these folders are already present on your system, the worm sets itself as the default browser page. This page contains infections named index.html, lv.html, filesharingv.html and refreshv.html.

The W32.Earlybird@mm application is often acquired by unsuspecting users through e-mail. The installation script of the program is encrypted in the file attachment of the e-mail. The e-mail may also contain a message that convinces the user to download and execute the attached application. Installation starts when the user clicks the provided download link and proceeds without the user's knowledge.