Aliases: W32/Higuy-A, W32/Higuy@MM, WORM_HIGUY.A, win32.frantes.a, worm_porkis.a
Variants: troj/dloader-ym, win32.tattona.a@mm, w32/porkis-a, w32.storiel@mm, w32.atram@mm

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: North America, South America, Europe, Asia, Africa, Australia
Removal: Easy
Platform: W32
Discovered: 14 Jun 2002
Damage: Low

Characteristics: The W32.Higuy@mm like typical mass mailing Worms is capable of harvesting information stored in the Windows Address Book. It makes use of the Simple Mail Transfer Protocol to send its codes to all the email addresses it has collected from the compromised machine. Consistent with the characteristics of these types of threats, it also includes an executable file attachment which the recipient must execute to being the Worm's infection routine.

More details about W32.Higuy@mm

After successfully entering a vulnerable computer system, the W32.Higuy@mm will attempt to extract a copy of itself using an EXE file extension. The infected machine will also experience the display of a message box using the word Error as its title. This message box will inform the unsuspecting computer user that there is a problem with a specific Dynamic Link Library file on the computer system. The message of course is bogus and generated mainly by the W32.Higuy@mm to hide its background operation of modifying the Windows Registry keys as well as harvesting email addresses from the Windows Address Book. The W32.Higuy@mm will use its built-in Simple Mail Transfer Protocol engine to send out the spiked email messages to all contacts it has retrieved.

The subject line of the email message sent by the W32.Higuy@mm normally contains the word Incredible, Incredibile, Qualsiasi, or Urgente. The message body itself is designed in such a way that it will convince the recipient to launch the accompanying executable file attachment to infect the computer system. The W32.Higuy@mm may takeover the user's account to give the sent email message an air of authenticity. The W32.Higuy@mm has been closely linked to the use of TCP port 5001 during the execution of an unsecured backdoor on the compromised machine. The backdoor feature is an alternative to the fake message display.