Aliases: W32/Mertian.worm, W32.Mertian@mm
Variants: W32/Gaobot.CS, W32/Gaobot.CR

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: South America, Europe, Asia
Removal: Hard
Platform: W32
Discovered: 11 Dec 2003
Damage: Low

Characteristics: The W32.Mertian.Worm is a type of network aware Worm which is capable of sending a copy of its codes to shared network drives that do not have password protection. It will attempt to make use of the Messaging Application Programming Interface module of the operating system to send its codes to remote computer systems. The subject line of the email message has been identified to contain the text string "want to see my new pic".

More details about W32.Mertian.Worm

A number of executable files will be dropped by the W32.Mertian.Worm into different locations of the hard drive during its first execution. According to some computer security experts, the file components of this malware can be found in the Recycle Bin folder, the root directory of the main drive, and the directory folder of the operating system. Majority of the filenames will mimic legitimate processes. The W32.Mertian.Worm will modify the Windows Registry in order to be loaded at every reboot or startup process of the infected computer system. The W32.Mertian.Worm will launch the word processing application of the host operating system and simultaneously begin placing a copy of itself in network shares. It will modify the contents of the batch file of the operating system.

The Messaging Application Programming Interface will be used to send the Worm to various email addresses that may have been gathered from the infected computer system. The file attachment used by the W32.Mertian.Worm is identified by its double file extension which is a combination of the DOC and the EXE formats. The W32.Mertian.Worm will attempt to disable the main input devices of the host machine as well as launch the Control Panel applet of the operating system. All DOC format files will be overwritten with their file extension changed to the DOC.EXE combination.