W32.Zoher@mm


Aliases: I-Worm.Zoher, Scherzo, Sheer, W32.Zoher@mm, W32/Sheer.A-mm
Variants: W32/Zoher, I-Worm/Zoher, WORM_ZOHER, W32/Zoher@mm, Zoher Internet Worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 24 Dec 2001
Damage: Low

Characteristics: W32.Zoher@mm is a mass-mailing worm that arrives as an Italian-language email message with an executable attachment. On unpatched systems it exploits a vulnerability in Microsoft Outlook and Outlook Express so that the attachment runs as soon as the message is opened or shown in the preview pane, without the user launching it.

More details about W32.Zoher@mm

W32.Zoher@mm is a worm that spreads through email. It arrives as a forwarded message with an Italian subject and body and an executable attachment. When the message is opened or displayed in the preview pane on a vulnerable system, the worm runs automatically by exploiting a vulnerability in Microsoft Outlook and Outlook Express. The worm also attempts to copy itself to other machines on the infected computer's local network. It then mails itself to every address in the Windows Address Book, using the SMTP mail server address stored in the system registry. In addition, the worm downloads a text file from a specific malicious website and uses its contents as the subject and body of the messages it sends.

Once executed, the worm immediately mails itself to everyone in the Windows Address Book. The message arrives as a forward with the subject "Fw: Scherzo!" ("Fw: Joke!"), a very long Italian message body, and an attachment named "Javascript.exe". On some systems the attachment launches itself as soon as the message is previewed. The worm does not install itself persistently on the system, so cleanup is straightforward: run a full system scan with the latest definitions for the installed security software and delete every file detected as W32.Zoher@mm. Also apply the current Microsoft patches for Outlook and Outlook Express so that attachments can no longer run automatically from the preview pane.
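The indicators above (the "Fw: Scherzo!" subject and the "Javascript.exe" attachment) are easy to check at a mail gateway before the message reaches an Outlook preview pane. The following Python scanner is an added example, not code from the original entry or from any vendor: it parses a message with the standard library, flags the two Zoher indicators, and additionally applies a general hardening check that is an assumption of this example rather than a statement about the worm: any attachment with an executable extension whose declared MIME type is not a binary type is reported as disguised, since that mismatch is how preview-pane auto-execution is typically triggered. The sample messages are constructed inline for the demonstration; the "audio/x-wav" type on the sample attachment is a made-up value chosen to exercise the mismatch check, not a claim about the real worm's headers.

```python
"""Gateway-style scan for W32.Zoher@mm-like mail (added example, constructed data)."""
import email
from email import policy
from email.message import EmailMessage

# Indicators taken from the description above.
ZOHER_SUBJECT = "fw: scherzo!"
ZOHER_ATTACHMENT = "javascript.exe"

# General check (assumption of this example, not from the entry): an executable
# extension that is not declared as a binary type is a disguised attachment.
EXEC_EXTENSIONS = {".exe", ".com", ".pif", ".scr", ".bat", ".vbs", ".js"}
BINARY_MIME_TYPES = {
    "application/octet-stream",
    "application/x-msdownload",
    "application/x-msdos-program",
}


def scan_message(raw: bytes) -> dict:
    """Return the subject, a list of findings, and whether the message is suspicious."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []

    subject = str(msg["Subject"] or "").strip()
    if subject.lower() == ZOHER_SUBJECT:
        findings.append("subject matches the W32.Zoher@mm lure")

    for part in msg.walk():
        filename = part.get_filename()
        if not filename:
            continue  # container parts and the text body carry no filename
        name = filename.lower()
        ext = "." + name.rsplit(".", 1)[-1] if "." in name else ""
        ctype = part.get_content_type()  # already lower-cased by the email package
        if name == ZOHER_ATTACHMENT:
            findings.append(f"attachment {filename} matches W32.Zoher@mm")
        if ext in EXEC_EXTENSIONS and ctype not in BINARY_MIME_TYPES:
            findings.append(f"executable {filename} declared as {ctype} (disguised type)")

    return {"subject": subject, "findings": findings, "suspicious": bool(findings)}


def build_sample(subject: str, attachment_name: str, content_type: str) -> bytes:
    """Construct a small MIME message for testing; all values are made up."""
    msg = EmailMessage()
    msg["From"] = "mittente@example.invalid"
    msg["To"] = "destinatario@example.invalid"
    msg["Subject"] = subject
    msg.set_content("Ciao, guarda questo scherzo!")  # "Hi, look at this joke!"
    maintype, subtype = content_type.split("/", 1)
    # A fake MZ header stands in for the executable payload.
    msg.add_attachment(b"MZ" + b"\x00" * 16, maintype=maintype,
                       subtype=subtype, filename=attachment_name)
    return msg.as_bytes()


# Constructed samples: a Zoher-like lure and a benign message.
SAMPLE_ZOHER = build_sample("Fw: Scherzo!", "Javascript.exe", "audio/x-wav")
SAMPLE_BENIGN = build_sample("Relazione trimestrale", "relazione.pdf", "application/pdf")


if __name__ == "__main__":
    for label, raw in (("zoher", SAMPLE_ZOHER), ("benign", SAMPLE_BENIGN)):
        result = scan_message(raw)
        print(label, result["suspicious"], result["findings"])
```

The subject and filename matches catch this specific worm; the declared-type check is the part worth keeping in a gateway, because it does not depend on any one lure string and would also flag later worms that used the same preview-pane technique with different names.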