W32.Sponge@mm


Aliases: I-Worm.Sponbob, W32/Sponge@MM, Win32.HLLM.Generic.33, W32/Alcaul-AC, Win32/Sponge.A@mm,
Variants: WORM_SPONGE.A, W32/Sponge.A.1, W32/Sponge.A@mm, Win32:SpongeBob, I-Worm/Sponge,

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 30 Oct 2002
Damage: Low

Characteristics: W32.Sponge@mm is a mass-mailing worm that uses Microsoft Outlook to send itself to all contacts in the Microsoft Outlook address book.

More details about W32.Sponge@mm

The W32.Sponge@mm program is a mass-mailing worm that uses Microsoft Outlook to send itself to all contacts in the Microsoft Outlook address book. The e-mail has the subject “Spongebob Wallpaper” and the attachment “Spongy.exe”. W32.Sponge@mm overwrites .pif and .scr files in all folders apart from the root folder, and appends code to the end of .htm files in all folders apart from the root folder. It also has a macro component that is used to infect MS Word documents and the global template “Normal.dot”; this component is detected as “W97M.Sponge”. The worm is written in Microsoft Visual Basic and packed with UPX.

When the W32.Sponge@mm worm runs, it creates two hidden subfolders, “C:\%windir%\Kn0x3” and “C:\Explore”. The worm then copies itself as “C:\%windir%\kn0xace1.com”, “C:\Explore\Help.exe”, “C:\Porno.scr”, “C:\Jokes.pif”, “C:\SpongeBob_Game.exe”, “C:\SpongeBob.scr”, and “C:\SpongeBob.com”. The attributes of SpongeBob_Game.exe, Jokes.pif, SpongeBob.com, and SpongeBob.scr are set to hidden and read-only. It creates “C:\SpongeBob.eml”, an e-mail file that contains the worm as its attachment. It overwrites all .pif and .scr files in all folders apart from the root folder, and appends code to all .htm files in all folders apart from the root folder. The appended code is intended to launch the worm from the infected files, but it cannot do so because of a bug in the code.
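The indicators above (the dropped file and folder names, the e-mail subject and attachment name, byte-identical .pif/.scr files left behind by the overwrite, and code appended to .htm files) can be turned into a simple host and mail check. The script below is an added illustration, not code from this entry's source or from any vendor tool. It assumes the appended .htm code lands after the closing </html> tag (the entry only says "the end of .htm files"), it matches %windir% items by file name only since %windir% differs per host, and it builds its own constructed sample directory and sample message so it runs offline; the hidden/read-only attribute check is omitted because it is Windows-specific.

```python
"""Host and mail indicator checks for W32.Sponge@mm (added example, constructed data)."""
import email
import hashlib
import os
import tempfile
from collections import defaultdict
from email.message import EmailMessage
from pathlib import Path

# Names the entry lists as created by the worm, compared case-insensitively.
# %windir% entries are matched by basename only (assumption: %windir% varies per host).
DROPPED_NAMES = {
    "kn0x3", "explore", "kn0xace1.com", "help.exe", "porno.scr", "jokes.pif",
    "spongebob_game.exe", "spongebob.scr", "spongebob.com", "spongebob.eml",
}
MAIL_SUBJECT = "spongebob wallpaper"   # subject given in the entry
MAIL_ATTACHMENT = "spongy.exe"         # attachment name given in the entry


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not have to be read into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root: str) -> dict:
    """Walk a directory tree and collect three kinds of indicator.

    'dropped'      paths whose name matches one the entry lists
    'overwritten'  .pif/.scr files that are byte-identical to at least one other
                   .pif/.scr file (the worm overwrites them with copies of itself)
    'htm_appended' .htm/.html files with non-whitespace content after the last
                   </html> (assumption about where the appended code sits)
    """
    dropped, by_hash, htm_appended = [], defaultdict(list), []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            if name.lower() in DROPPED_NAMES:
                dropped.append(os.path.join(dirpath, name))
        for name in filenames:
            p = Path(dirpath) / name
            suffix = p.suffix.lower()
            if suffix in (".pif", ".scr"):
                by_hash[sha256_of(p)].append(str(p))
            elif suffix in (".htm", ".html"):
                body = p.read_bytes().lower()
                end = body.rfind(b"</html>")
                if end != -1 and body[end + len(b"</html>"):].strip():
                    htm_appended.append(str(p))
    overwritten = [path for paths in by_hash.values() if len(paths) > 1 for path in paths]
    return {"dropped": sorted(dropped), "overwritten": sorted(overwritten),
            "htm_appended": sorted(htm_appended)}


def is_sponge_mail(raw: bytes) -> bool:
    """True when a raw RFC 822 message carries the entry's subject and attachment name."""
    msg = email.message_from_bytes(raw)
    if (msg.get("Subject") or "").strip().lower() != MAIL_SUBJECT:
        return False
    return any((part.get_filename() or "").lower() == MAIL_ATTACHMENT
               for part in msg.walk())


def build_sample_tree() -> str:
    """Construct a throwaway directory that mimics an infected host (constructed data)."""
    root = Path(tempfile.mkdtemp(prefix="sponge_demo_"))
    worm = b"PLACEHOLDER-worm-body-not-a-real-executable"
    (root / "Explore").mkdir()
    (root / "Explore" / "Help.exe").write_bytes(worm)       # dropped copy
    (root / "Jokes.pif").write_bytes(worm)                  # dropped copy
    docs = root / "Documents"
    docs.mkdir()
    (docs / "saver_a.scr").write_bytes(worm)                # overwritten victim
    (docs / "saver_b.pif").write_bytes(worm)                # overwritten victim
    (docs / "legit.scr").write_bytes(b"unique screensaver content")
    (docs / "page.htm").write_bytes(b"<html><body>hi</body></html>\n<script>x</script>\n")
    (docs / "clean.htm").write_bytes(b"<html><body>hi</body></html>\n")
    return str(root)


def build_sample_mail(subject: str = "Spongebob Wallpaper") -> bytes:
    """Construct a message shaped like the one the entry describes (constructed data)."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg["From"] = "victim@example.com"
    msg["To"] = "contact@example.com"
    msg.set_content("see attached wallpaper")
    msg.add_attachment(b"PLACEHOLDER", maintype="application",
                       subtype="octet-stream", filename="Spongy.exe")
    return bytes(msg)


if __name__ == "__main__":
    for kind, paths in scan_tree(build_sample_tree()).items():
        print(kind, paths)
    print("mail flagged:", is_sponge_mail(build_sample_mail()))
```

The hash grouping is the part worth keeping in a real sweep: the worm replaces every .pif and .scr it touches with itself, so a cluster of byte-identical screensavers or shortcuts across unrelated folders is a strong signal even before any signature is available.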