Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 20 Jun 2006
Damage: Medium

Characteristics: The W32.Sixem.A@mm program is a mass mailing worm that spreads email messages about the World Cup.

More details about W32.Sixem.A@mm

When the W32.Sixem.A@mm worm is opened, it duplicates itself as “%System%msctools.exe”. It makes the “Mutex dezas” so that only one example of the worm opens on the computer system. The worm adds the value "nsdevice" = "%System%msctools.exe" to the registry subkeys, so that it’s opened each time Windows begins. The worm adds the value "mls" = "0" to the registry subkey. The W32.Sixem.A@mm worm executes and downloads a file from “[http://]couplesexxx.com/tumbs/dianai[REMOVED]”, if the registry entry isn’t “install”. The worm store the downloaded file as “%Temp% emp[RANDOM].exe.”. It looks for files with the extensions such as “wab”, “adb”, “msg”, “dbx”, “mbx”, “mdx”, “eml”, “nch”, “txt”, “tbb”, “tbi”, “html”, “htm”, “xml”, “doc”, “rtf”, “msg”, “xls”, “sht”, and “oft” for e-mail addresses in the drive C.

The W32.Sixem.A@mm worm can be eliminated manually. To do this, you must first check your virus definitions if it is updated. You need to run a complete system scan and eliminate all the files it detected as W32.Sixem.A@mm. Erase or change the value that the worm added to your system registry. To remove the value from the system registry, click the “start” menu, and then go to “Run” (the Run box shows). Type “regedit” and then press the “OK” button (the registry editor shows). Go to the registry key. In the right pane, double-click each of these values "nsdevice" = "%System%\msctools.exe" or "mls" = "0" and change them as desired. After you have finished that, close the registry editor.