[email protected]

Aliases: W32/[email protected]!8b1f20b9, Generic Dropper.p!925a4a25cfa5, Win32.Outbreak!IK, Trj/Buzus.AH
Variants: Trojan.Vundo, For Love or Money—Social Engineering by [email protected], Trojan.Awax

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, Europe, North and South America
Removal: Hard
Platform: W32
Discovered: 25 Feb 2009
Damage: Medium

Characteristics: [email protected] is a mass-mailing worm. Once it is running on a machine it harvests the email addresses stored there and uses them as recipients for its own spam, which is how it reaches further systems and networks. It also copies itself to shared folders and removable drives, so hosts that never open the email can still be infected.

More details about [email protected]

The [email protected] worm spreads by sending spam email and, on the infected machine, disables any security software it finds running, presumably to keep itself from being detected and removed. The spam carries subjects such as "Job Offer from Coca Cola", "You received a Hallmark E-Card" and "Thank You for your application", among others, and an attachment named postcard.pdf.exe. Windows Explorer hides known extensions by default, so the user sees "postcard.pdf"; opening it runs the worm, which displays animal cartoon images as a decoy. In the background it copies itself into the System folder as javale.exe, and may also use the names javame1.1.exe and javawx.exe together with randomly named DLL files. It then modifies registry entries (the page does not name them; autostart entries of this kind are most commonly the Run keys) so that it is loaded at every system startup.
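The lure subjects and the double-extension attachment described above are the most reliable handle a mail gateway has on this worm. The following is an added example, not code from the page or from any antivirus vendor: a small triage rule that flags the known subjects and, more importantly, recognises the double-extension trick, including the padded form "report.pdf      .exe" which the page does not mention but which the same check covers. The sample messages at the bottom are constructed.

```python
from dataclasses import dataclass

# Lure subjects reported for this worm on the page; matched as case-insensitive
# substrings so that "Re:"/"Fw:" prefixes do not slip past the rule.
LURE_SUBJECTS = (
    "job offer from coca cola",
    "you received a hallmark e-card",
    "thank you for your application",
)

# Extensions Windows runs on double-click. Explorer hides these "known" extensions
# by default, which is why postcard.pdf.exe is shown to the user as postcard.pdf.
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js"}
# Harmless-looking extensions the worm's naming imitates; one of these directly in
# front of an executable extension is the double-extension trick.
DECOY_EXTS = {"pdf", "doc", "jpg", "jpeg", "gif", "png", "txt", "htm", "html", "zip"}


@dataclass
class AttachmentVerdict:
    name: str
    displayed_as: str      # what a default Explorer view shows for this file name
    executable: bool
    double_extension: bool


def analyze_attachment(name):
    """Classify one attachment file name. Whitespace padding between the decoy and the
    real extension ("report.pdf      .exe") is a variant of the trick and is handled too."""
    parts = [p.strip().lower() for p in name.split(".")]
    ext = parts[-1] if len(parts) > 1 else ""
    executable = ext in EXECUTABLE_EXTS
    decoy = parts[-2] if len(parts) > 2 else ""
    displayed = name.rsplit(".", 1)[0].rstrip() if executable else name
    return AttachmentVerdict(name, displayed, executable, executable and decoy in DECOY_EXTS)


def triage_message(subject, attachment_names):
    """Return the reasons to hold a message; an empty list means it passes this rule."""
    reasons = []
    low = subject.lower()
    if any(lure in low for lure in LURE_SUBJECTS):
        reasons.append("subject matches known lure")
    for n in attachment_names:
        v = analyze_attachment(n)
        if v.double_extension:
            reasons.append(f"double-extension executable {n!r} (shown to the user as {v.displayed_as!r})")
        elif v.executable:
            reasons.append(f"executable attachment {n!r}")
    return reasons


def verdict(subject, attachment_names):
    """A subject match alone is only a weak signal (replies to a real job application
    look the same), so it flags; an executable attachment quarantines."""
    reasons = triage_message(subject, attachment_names)
    if any("executable" in r for r in reasons):
        return "quarantine"
    return "flag" if reasons else "pass"


# Constructed sample messages (not real mail): the worm's lure and attachment name,
# a legitimate reply that only matches on subject, and a padded-extension variant.
SAMPLE_MESSAGES = [
    ("You received a Hallmark E-Card", ["postcard.pdf.exe"]),
    ("Re: Thank You for your application", ["cover_letter.pdf"]),
    ("Quarterly report", ["report.pdf         .exe"]),
]

if __name__ == "__main__":
    for subject, names in SAMPLE_MESSAGES:
        print(f"{verdict(subject, names):10} {subject!r}: {triage_message(subject, names)}")
```

The rule deliberately keys on the final extension rather than on the literal name postcard.pdf.exe, since the attachment name is the easiest thing for the author to change between waves.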

The worm also uses registry entries to get its code loaded into Internet Explorer. Running inside the browser, it connects to http://whatismyip.com/automation/n09230945.asp to learn the public IP address of the compromised machine; because the traffic leaves through the browser process, it tends to pass host firewalls that trust Internet Explorer, but the request itself is easy to spot in proxy logs. It then contacts a predetermined website (not named on the page) to download further Trojans and worms onto the infected machine. At the same time, [email protected] starts mailing itself to the entries in the Windows Address Book. The number of components involved and the disabled security software make manual removal difficult; cleaning usually requires a reputable antivirus product with a current engine and signature database.
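The two artefacts above that survive a name change of the binary are the external-IP lookup and the persistence entry pointing at one of the dropped file names. The following added example (mine, not the page's or any vendor's code) sweeps both: it matches proxy log records against the whatismyip.com IOC, rating any other hit on that host as a lower-severity lead, and checks exported Run-key values for the dropped names. The log lines, their one-record-per-line format and the Run-key triples are all constructed for the example; the "Java Update" value name is invented to stand in for whatever the worm actually uses, which the page does not say.

```python
import re
from collections import defaultdict
from ntpath import basename
from urllib.parse import urlsplit

# Network IOC taken from the page: the external-IP lookup the worm performs
# through Internet Explorer. Host and path are compared case-insensitively.
IP_CHECK_HOST = "whatismyip.com"
IP_CHECK_PATH = "/automation/n09230945.asp"

# Dropped-file names taken from the page; the worm writes them to the System folder.
DROPPED_NAMES = {"javale.exe", "javame1.1.exe", "javawx.exe"}

# Constructed sample proxy log (not real traffic). Assumed record format:
#   <timestamp> <client_ip> <method> <url> <status>
SAMPLE_PROXY_LOG = """\
2009-02-25T10:01:02Z 10.0.5.17 GET http://whatismyip.com/automation/n09230945.asp 200
2009-02-25T10:02:11Z 10.0.5.23 GET http://www.whatismyip.com/ 200
2009-02-25T10:03:40Z 10.0.5.31 GET HTTP://WhatIsMyIP.com:80/automation/N09230945.asp 200
2009-02-25T10:04:00Z 10.0.5.42 GET http://example.com/index.html 200
garbage line that does not parse
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+([A-Z]+)\s+(\S+)\s+(\d{3})$")


def normalize_url(url):
    """Return (host, path): scheme and port dropped, host lower-cased with a leading
    'www.' removed, path lower-cased (the IOC is an IIS .asp path, which is case-insensitive)."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    return host, (parts.path or "/").lower()


def classify_request(url):
    """'high' for the exact IP-check URL, 'low' for any other request to that host, else None."""
    host, path = normalize_url(url)
    if host != IP_CHECK_HOST:
        return None
    return "high" if path == IP_CHECK_PATH else "low"


def scan_proxy_log(text):
    """Map client IP -> list of (severity, url) for every request worth a look."""
    hits = defaultdict(list)
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparseable record: skip it rather than abort the sweep
        _ts, client, _method, url, _status = m.groups()
        sev = classify_request(url)
        if sev:
            hits[client].append((sev, url))
    return dict(hits)


# Constructed sample of Run-key values as (key, value name, data) triples. "ctfmon" and
# "Messenger" are ordinary XP-era entries; "Java Update" is an invented name for the
# worm's persistence entry, chosen only because the dropped files imitate Java names.
SAMPLE_RUN_VALUES = [
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "ctfmon",
     r"C:\WINDOWS\system32\ctfmon.exe"),
    (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Java Update",
     r"C:\WINDOWS\system32\javale.exe"),
    (r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "Messenger",
     r'"C:\Program Files\Messenger\msmsgs.exe" /background'),
]


def image_path(data):
    """Extract the executable path from a Run-key value, honouring quoting for paths with spaces."""
    data = data.strip()
    if data.startswith('"'):
        end = data.find('"', 1)
        return data[1:end] if end > 0 else data[1:]
    return data.split()[0] if data else ""


def suspicious_run_values(values):
    """Return the Run-key entries whose executable is one of the worm's dropped names."""
    return [(key, name, data) for key, name, data in values
            if basename(image_path(data)).lower() in DROPPED_NAMES]


if __name__ == "__main__":
    for client, reqs in sorted(scan_proxy_log(SAMPLE_PROXY_LOG).items()):
        print(client, reqs)
    for key, name, data in suspicious_run_values(SAMPLE_RUN_VALUES):
        print("persistence:", key, name, data)
```

On a live host the triples would come from `reg query` of the HKLM and HKCU Run keys; clients with a "high" hit plus a matching Run-key value are the ones to pull from the network first, and a "low" hit on its own is only a reason to look closer, since plenty of legitimate software checks its public IP.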