W32.Marque.Worm


Aliases: W32/Marque.worm, W32.Marque@mm, W32/Marq-A, I-Worm.Voltan, Win32/Marq.A
Variants: Email-Worm.Win32.Voltan, Win32.HLLM.Marquee, WORM_LEGZI., Trojan.Dropper.Karn, W32/Gizel.A.worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, Australia, North America
Removal: Easy
Platform: W32
Discovered: 24 Oct 2003
Damage: Low

Characteristics: The W32.Marque.Worm carries its own Simple Mail Transfer Protocol (SMTP) engine, which lets it send email messages discreetly. It uses this engine to send HTML-format messages to all the contacts it finds stored in the Windows Address Book of the infected computer system. The message body includes a link to a malicious website that downloads malicious content.

More details about W32.Marque.Worm

Once executed on a compromised computer system, the W32.Marque.Worm harvests information from the Windows Registry. It uses the Registry to retrieve the default email account on the infected system, which also reveals the email address of the user's account. The worm then searches for the Windows Address Book file and harvests all of its entries. These contacts become potential targets for spreading the malware's code. The worm also uses the Windows Registry to create a key value entry for itself. After completing its Registry entry, the W32.Marque.Worm downloads and executes an HTML-format file from a predetermined website.

The W32.Marque.Worm uses its built-in SMTP engine to send its HTML-format message to every email address harvested from the Windows Address Book file. The message has a fixed subject line and a message body written in Spanish. The body contains a link to a malicious website which, when clicked, displays a message on the computer screen. The W32.Marque.Worm then downloads and executes a copy of itself on the host machine. The downloaded file normally carries an SCR file extension.
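
A defender-side check built on the two behaviours described above (a built-in SMTP engine and a downloaded SCR file), as an added example that is not part of the original entry: it flags internal hosts that fetched a .scr file over HTTP and also connected directly to several mail servers instead of the approved relay. The CSV log layout, the relay address, the threshold, and every address and URL in the sample are assumptions constructed for illustration.

```python
import csv
import io
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample egress log (not real data).
# Columns: time, source IP, destination IP, destination port, URL (HTTP only).
SAMPLE_LOG = """\
2003-10-24T09:00:01,10.0.0.21,10.0.0.5,25,
2003-10-24T09:00:07,10.0.0.34,198.51.100.7,80,http://site.example/page.html
2003-10-24T09:00:09,10.0.0.34,198.51.100.7,80,http://site.example/files/card.SCR
2003-10-24T09:00:15,10.0.0.34,203.0.113.10,25,
2003-10-24T09:00:16,10.0.0.34,203.0.113.44,25,
2003-10-24T09:00:17,10.0.0.34,192.0.2.9,25,
2003-10-24T09:01:00,10.0.0.50,198.51.100.7,80,http://site.example/readme.scr.txt
2003-10-24T09:02:00,10.0.0.77,203.0.113.10,25,
"""

APPROVED_RELAYS = {"10.0.0.5"}  # assumption: the site's sanctioned mail relay
MIN_DIRECT_SMTP_PEERS = 3       # assumption: threshold suggesting mass mailing


def analyse(log_text):
    """Return {src_ip: {"smtp_peers": set, "scr_urls": list}} for the log."""
    hosts = defaultdict(lambda: {"smtp_peers": set(), "scr_urls": []})
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) != 5:       # skip blank or malformed lines
            continue
        _ts, src, dst, port, url = row
        if port == "25" and dst not in APPROVED_RELAYS:
            hosts[src]["smtp_peers"].add(dst)   # SMTP that bypasses the relay
        # Compare the URL path only, case-insensitively, so query strings and
        # names such as "readme.scr.txt" do not produce false hits.
        if url and urlsplit(url).path.lower().endswith(".scr"):
            hosts[src]["scr_urls"].append(url)
    return hosts


def suspects(log_text):
    """Hosts that fetched a .scr file AND mailed several servers directly."""
    return sorted(
        src for src, seen in analyse(log_text).items()
        if seen["scr_urls"] and len(seen["smtp_peers"]) >= MIN_DIRECT_SMTP_PEERS
    )


if __name__ == "__main__":
    for src in suspects(SAMPLE_LOG):
        print("review host:", src)
```

Requiring both signals keeps a single stray SMTP connection or a harmless file name from raising an alert on its own.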