W32.Wabbin


Aliases: WORM_CARD.A, W32/Wabbin@mm, Email-Worm.Win32.Wabbin, I-Worm.Wabbin, W32/Wabbin@MM
Variants: W32.Wabbin, Win32.HLLM.Generic.71, W32/Wabbin-A, Win32/Wabbin.A@mm, WORM_WABBIN.A

Classification: Malware
Category: Trojan Horse

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 12 Jul 2002
Damage: Low

Characteristics: The W32.Wabbin program is a Trojan horse. It sends a link to addresses in Microsoft Outlook Address Book. The email message contains the name of the recipient along with text, which recommends that an electronic greeting card has been made for the recipient. Systems affected by this program are Windows 2000, Windows 98, Windows Me, Windows XP, Windows 95, and Windows NT.

More details about W32.Wabbin

W32.Wabbin is a mass mailing worm that sends an e-mail message to addresses found in the Microsoft Outlook Address book. The e-mail messages don’t include a file attachment or a viral script, but instead, a URL which points to a web site that holds the executable responsible for the sending of the mail. This web site was removed quickly after the discovery of this program. W32.Wabbin doesn’t pose a threat. However, a few reports of this Trojan horse from the field, and the e-mail messages in question can continue to go on briefly. The messages sent says “this is a funny greeting card”, “you should enjoy this funny greeting card” or “I thought you would enjoy this greeting card” and the body of the message goes something like this, “This card made me laugh, you would enjoy it”, “Check out this fun greeting card I found, it's hilarious” or “This card made my day happy. I hope you enjoy it”. After the message, a URL is also displayed which contains executable file for the mass mailing.

W32.Wabbin has the ability to change your default start-page of the Internet Explorer and also accesses one of six URLs that belong to numerous popular electronic greeting card web sites. The target web pages on these card web sites don’t contain any malicious code. This worm doesn’t copy itself to additional folders on your system. It doesn’t configure itself to run at startup. Infected users can notice messages that are unusual in their SENT ITEMS mailbox folder. The key used by the worm doesn’t send messages to the same user more than once.