Aliases: I-Worm.Delf.a, W32/Shutface@MM, Win32.HLLM.Shutface.27136, Win32/Suit.A@mm, WORM_SHUTFACE.A
Variants: W32/Delf.HH, I-Worm/Delf.A, Worm Generic, Win32/Keco.G

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 07 Aug 2006
Damage: Low

Characteristics: W32.Shufa@mm is a mass mailing worm that multiplies via Yahoo Messenger. It also tries to steal the password of the "Lineage" game.

More details about W32.Shufa@mm

The W32.Shufa@mm spreads by pretending as .exe files on the compromised PC. The pretended executable file has a damaged header that prevents the file from being opened. The original executable file is present in the attached data of the contaminated executable. When the worm is executed, it makes “%Windir%IEXPLORE1.exe”, “%System%fgb2ksudll.dll”, and “%System%up.exe”. To add up, “%Windir%” is a variable that refers to the Win installation folder. By default, it is “C:Windows” or “C:Winnt”. The worm adds the value "load" = "%Windir%IEXPLORE1.exe" to the registry key, so that it’s opened each time the Windows starts. The worm also ends the process of “EGHOST.EXE”, “MAILMON.EXE”, “KAVPFW.EXE”, and “IPARMOR.EXE”.

The worm links to “[http://]www.spr1t3.com/upda[REMOVED]” and verifies the latest version of itself. It tries to download a file from the URL, save it as “%System%up.exe” and run it. The W32.Shufa@mm program collects “Lineage” passwords and sends them to addresses at 163.com and nm.com. It also collects email addresses from files w/ txt, html, tml, and doc extensions. It utilizes its SMPT engine to spread itself to email addresses it locates. W32.Shufa@mm might show Chinese messages to Yahoo Instant Messenger windows it locates and push a “send”button to send the message. These Chinese message has the “[http://]tw.lineage.org.tw/photo/jpg1[REMOVED]” URL.