Category: Computer Worm
Status: Active & Spreading
Regions: Asia, Europe, North and South America
Date: 25 Feb 2009
The [email protected] malware belongs to a mass-mailing worm variant. When introduced into a vulnerable system, it attempts to harvest email addresses stored on the machine. These email addresses are used to target other computer systems and networks. To spread its payload, it takes advantage of shared folders and removable devices.
If malware is present on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
The [email protected] worm functions by spreading spam email messages and disabling any active security applications on the vulnerable machine, presumably to further lower the security of the compromised machine. The email messages carrying this threat use subject lines such as "Job Offer from Coca Cola", "You received a Hallmark E-Card", and "Thank You for your application", among others. The spam email may include an attachment named postcard.pdf.exe which, when opened, may display animal cartoon images on the screen. In the background, the [email protected] malware generates a copy of itself in the System folder using the javale.exe filename. It may also use the javame1.1.exe and javawx.exe filenames along with other randomly named DLL files. The malware likewise modifies certain registry key entries in order to load on system startup.
The Windows Registry is also used to inject its code into the Internet Explorer browser. Controlling the web browser allows it to automatically connect to http://whatismyip.com/automation/n09230945.asp in order to detect the IP address used by the compromised machine. It then attempts to connect to a predetermined website in order to download other Trojans and worms onto the infected machine. The [email protected] worm simultaneously begins spreading itself using the entries found in the Windows Address Book. The severity and complexity of the infection caused by this malware make manual removal difficult and may require the use of a dependable antivirus application with updated engine and database files.
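As an added example (not part of the original page or the vendor's removal tool), the indicators described above can be turned into a simple triage check over mail, process-creation and proxy events. The event dictionaries and their field names are an assumed, constructed format; the subjects, filenames and URL are the ones the page lists.

```python
import re

# Indicators taken from the page's description of the worm.
LURE_SUBJECTS = {
    "job offer from coca cola",
    "you received a hallmark e-card",
    "thank you for your application",
}
DROPPED_FILENAMES = {"javale.exe", "javame1.1.exe", "javawx.exe"}
IP_CHECK_URL = "http://whatismyip.com/automation/n09230945.asp"
# Attachment that looks like a document but ends in .exe (e.g. postcard.pdf.exe).
DOUBLE_EXT_RE = re.compile(r"\.(pdf|doc|jpg|txt)\.exe$", re.IGNORECASE)
SYSTEM_DIRS = {"system", "system32"}


def check_event(event):
    """Return the reasons (possibly none) an event matches the described behaviour."""
    reasons = []
    kind = event.get("type")
    if kind == "mail":
        if event.get("subject", "").strip().lower() in LURE_SUBJECTS:
            reasons.append("known lure subject")
        if DOUBLE_EXT_RE.search(event.get("attachment", "")):
            reasons.append("double-extension executable attachment")
    elif kind == "process":
        # Normalise the path and split into parent directory and file name.
        path = event.get("image", "").replace("\\", "/").lower()
        parent, _, name = path.rpartition("/")
        if name in DROPPED_FILENAMES and parent.rsplit("/", 1)[-1] in SYSTEM_DIRS:
            reasons.append("dropped worm binary in System folder")
    elif kind == "http":
        if event.get("url", "").strip().lower() == IP_CHECK_URL:
            reasons.append("external IP lookup used by the worm")
    return reasons


def triage(events):
    """Return (index, reasons) for every event that matched at least one indicator."""
    return [(i, r) for i, e in enumerate(events) if (r := check_event(e))]


# Constructed sample events; the second and last should not match.
SAMPLE_EVENTS = [
    {"type": "mail", "subject": "You received a Hallmark E-Card", "attachment": "postcard.pdf.exe"},
    {"type": "mail", "subject": "Weekly report", "attachment": "report.pdf"},
    {"type": "process", "image": r"C:\Windows\System32\javale.exe"},
    {"type": "http", "url": "http://whatismyip.com/automation/n09230945.asp"},
    {"type": "process", "image": r"C:\Users\alice\javale.exe"},
]

if __name__ == "__main__":
    for index, reasons in triage(SAMPLE_EVENTS):
        print(index, "; ".join(reasons))
```

The last sample deliberately places javale.exe outside the System folder to show that the file name alone is not treated as a hit.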