W32.Redzed@mm


Aliases: I-Worm.Ganter.c, W32/Gant.gen@MM, I-Worm/Outsider, Win32.Thaprog.C, WORM_REDZED.A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 11 Jun 2003
Damage: Medium

Characteristics: W32.Redzed@mm is a mass-mailing worm. It affects Windows systems. It has password-stealing capabilities. The email uses variable subject lines and attachment names that are chosen from a hard-code list. The attachment will have either a .exe or a .pif file extension. It also spreads through various file-sharing networks.

More details about W32.Redzed@mm

W32.Redzed@mm arrives in the computer as an email. This worm affects all Windows systems. Once it infects a computer, it may steal passwords which it sends to a hotmail account. It uses different subject lines and attachment names. Some of the subjects include: MP3 downloader, Modem booster, Fire ScreenSaver, Program, Password List, and Some card games. Attachments include Card_install.pif, MP3Connect.pif, ModemBooster.exe, FireScreen.pif, Winprg32.pif, and PswdLst.pif. When W32.Redzed@mm is run, it creates the files: Card_install.pif, Mslg32.exe, and Winlg32.exe. It modifies the registry to make sure it loads every Windows start up. It searches for subfolders in the Program Files folder and creates copies of itself. It then sends itself to all the contacts in the Windows Address Book. In addition, it sends all the cached passwords to the hotmail account, Zed_rRlf@hotmail.com.

The worm W32.Redzed@mm can be removed from an infected computer manually. The W32.Redzed@mm program bypasses the usual installation procedures. It does not display a EULA (End User License Agreement) that should contain details regarding the installation of the program. This agreement is usually presented before a program is installed. The application may not appear on the Add/Remove Programs panel on the computer. This makes the application difficult to remove.