W32.Shoes@mm


Aliases: Shoes, W32.Shoes@mm
Variants: Win32/Shoes.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 01 Jun 2004
Damage: Low

Characteristics: The W32.Shoes@mm program is a mailing worm that spreads itself to contacts in the address book of Microsoft Outlook. It also changes the Internet Explorer startup page.

More details about W32.Shoes@mm

When the W32.Shoes@mm program is opened, it copies itself to “%Program Files%CatalougeAdidas Catalouge 2004.exe”, “%System%Adidas.Worm.exe”, and “%Program Files%WindowsUpdatedrivers2.xml.exe”. %ProgramFiles% is a variable that refers to the location of the program files folder; by default, it is “C:\Program Files”. The W32.Shoes@mm program searches for the system folder and copies itself to that location. Such locations are not dependent on system variables and are hard coded. The worm adds the value "" = "" to the registry key so that W32.Shoes@mm runs when Windows starts. The worm sends an email to every contact in the Microsoft Outlook address book. It also changes the Internet Explorer startup page to a set Web page.

The program has downloading capabilities: it downloads additional files onto the computer, often retrieving them from remote servers on the Internet. The program is often used by other malware applications to download components from the World Wide Web. These malware programs include Remote Access Tools (RATs), keyloggers, monitoring software, worms and adware applications. The additional components downloaded by the application may include rootkit programs and data mining tools.