Aliases: Bloodhound.W32.5
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Hard
Platform: W32
Discovered: 12 Sep 2003
Damage: Medium

Characteristics: W32.Patoo@mm was discovered on September 12, 2003. This worm is a mass-mailing worm that tries to use Microsoft Outlook to email itself to all email addresses in the Microsoft Outlook Address Book. It is also known as Bloodhound.W32.5. It mostly affects Windows operating systems, namely Windows 2000, 95, 98, Me and NT.

More details about W32.Patoo@mm

This mass-mailing worm was written in Microsoft Visual Basic. Once the worm is executed, it produces a copy of itself as C:\Windows\Msngrblock.exe and C:\Program Files\Kazaa\My Shared Folder\MSN Ad Blocker.exe. Then, the worm adds the value "Messenger Block"="C:\windows\msngrblock.exe" to the system registry keys. This would enable the worm to run everytime the Windows starts. Next, it sends itself to all contacts listed in the Address Book using the Microsoft Outlook. The worm has the subject “hey...” and the file attachment “Stop Messenger Popups”. Take note that the file attachment is the original filename of the worm. It adds another value "(Default)"="C:\windows\msngrblock.exe %1" to several specified system registry keys. Then, it drops a text file C:\go0.txt which contains a text. And lastly, the worm attempts to delete all files in the %System% folder. Furthermore, once the worm is send to the email addresses, there is a tendency that the file attachment will be opened by the user and the worm spreads to that computer.

The W32.Patoo@mm application uses the affected system’s Internet connection to download files and programs. These files and programs are executed on the user’s computer stealthily. The programs may consist of adware and spyware applications, illicit codes, worm programs and RATs (Remote Access Tools). These downloaded files perform unwanted activities on the user’s machine. Some of these programs are capable of getting information regarding the affected computer. This includes information, such as the operating system, RAM (Random Access Memory) and the IP (Internet Protocol) address. The user’s PII (Personally Identifiable Information may also be transmitted to third parties. This may result in illicit activities.