[email protected]

Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Virus

Status: Active & Spreading
Spreading: N/A
Geographical info: North America
Removal: N/A
Platform: W32
Discovered: 24 Jan 2003
Damage: N/A

Characteristics: [email protected] is a polymorphic file infector. It appends its viral body to Windows Portable Executable (PE) files. It infects files with the .exe extension if the files are located in the Windows installation folder. It is also a mass-mailing worm. It uses Microsoft Outlook to send an infected file to the first 870 contacts in the Outlook Address Book.

More details about [email protected]

The worm [email protected] sends an email with an attachment file named Funnystuff.avi.exe. Once executed, [email protected] randomly chooses some Windows Portable Executable (PE) files with the extension .exe. It searches for these files in the Windows installation folder and its subfolders. It then appends its viral code to the host files it finds. The size of the infected file increases by 12,288 bytes. The infected file will have an extra section named Charchl. It also infects the file Notepad.exe and copies the infected file as Funnystuff.avi.exe. The file is 65,536 bytes in length. Finally, it creates a Visual Basic Script file named gvPdXyTdc.vbs. Using this script file, it sends the file funnystuff.avi.exe to the first 870 contacts in the Outlook Address Book. It is sent as an attachment in the email.

The [email protected] application waits for an Internet connection on the computer. The program then accesses a remote server once a connection to the Internet has been established. It downloads numerous files and programs that are stealthily installed on the user’s machine. These may consist of worms, viruses, BHOs (Browser Helper Objects), spyware and adware programs. The presence of these applications lowers the system’s security. They may also take up most of the computer’s local disk space.