W32.Pimaf.Worm


Aliases: Win32/Pimaf.A!, I-Worm.Pimaf, Win32.Pimaf
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 10 Apr 2002
Damage: Low

Characteristics: W32.Pimaf.Worm was discovered on April 10, 2002. This type of worm is a PEBundle-packed, mass-mailing worm that uses Microsoft Outlook Express to send itself through its own SMTP engine. Since it uses Microsoft Outlook, the operating systems affected by this worm are Windows.

More details about W32.Pimaf.Worm

W32.Pimaf.Worm arrives as an email attachment. The characteristics in email brought by this worm are the following: “LOVE FOR ALL PEOPLE” as the subject and MyNewPics.PIF as the file attachment. Once the worm is executed, it displays the Image Viewer dialog box that says “The image date is corrupt, and the image cannot be displayed. You may want to obtain a fresh copy of the image and try again. If the user clicks OK, the worm begins its propagation. The worm produces copies of itself as MyNewPics.PIF under drive C:, Windows folder. Then, the worm drops See32.dll which is an UPX-packed file. Afterwards, the worm adds value -LOVE C:\Windows\MyNewPics.PIF to a particular system registry key. The worm finds for email addresses in the Microsoft Outlook Address Book, Inbox, Outbox and even Sent Items so that it would enable to send itself. The worm uses its own SMTP engine to send itself if there is no Msimn.exe available.

The W32.Pimaf.Worm program enters the system stealthily. The user may receive it from an e-mail or instant message. It may be labeled as an e-card or other video presentation. Once the user opens it, the malware application is automatically downloaded and added to the system. The infected file may also be uploaded on file sharing programs or download websites.