[email protected]

Aliases: Email-Worm.Win32.Agent.gew, W32/Autorun-RI, Email-Worm.Win32.Agent, W32/[email protected], WORM_MYDOOM.CG
Variants: Worm:Win32/[email protected], Win32/Ceein.worm.449024, P2PShared.U, Backdoor:W32/SdBot.CNJ, Win32/Mytob.OO

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Europe, North and South America, Asia
Removal: Easy
Platform: W32
Discovered: 03 Dec 2008
Damage: Medium

Characteristics: The payload of the [email protected] mass-mailing worm attempts to retrieve email addresses stored on the compromised computer. Its presence also indicates an open backdoor that malicious operators can use to expose sensitive information stored on the machine. It propagates by infecting removable devices.

More details about [email protected]

The [email protected] program is a mass-mailing worm that gathers email addresses from the compromised computer and spreads by copying itself to removable media. It also opens a back door on the compromised computer. Also known as the W32/[email protected] program or the WORM_MYDOOM.CG application, the [email protected] program propagates through removable drives. It also harvests email addresses from the compromised computer for its mass-mailing routine: it uses the entries found in the Windows Address Book as recipients when sending out copies of itself. The email message normally carries a compressed attachment that may use filenames such as postcard.zip, coupon.zip, or promotion.zip, among others. Once established on the system, the [email protected] malware runs a keystroke-logging routine and opens an unsecured backdoor. This allows the malware's author to retrieve passwords and other sensitive files, which can lead to identity theft and similar unauthorized online activity.

To evade detection, the [email protected] program sends email messages with randomized subject lines, and the body text is written to convince the user to execute the attached file. The vxworks.exe file is the main executable of the malware; it is stored in the System folder of the Windows directory. Upon execution, the [email protected] program also creates an autorun.inf file so that it is launched whenever the infected drive is mounted.
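Added example (not part of this entry): a small Python triage check, written from a defender's view, that flags an autorun.inf whose launch keys point at vxworks.exe and flags attachments using the lure names listed above. The sample autorun.inf and attachment list are constructed, and the set of autorun.inf launch keys checked is an assumption about the file format rather than something the entry states.

```python
# Added example, not from the original entry: triage checks for the two
# host-side indicators the entry describes (autorun.inf launching vxworks.exe,
# lure attachment names). Sample inputs below are constructed.
import configparser
from typing import Dict, List

# Indicators taken from the entry above.
DROPPER_NAME = "vxworks.exe"
ATTACHMENT_NAMES = {"postcard.zip", "coupon.zip", "promotion.zip"}

# autorun.inf keys that can start a program on mount (assumed set of keys).
AUTORUN_KEYS = ("open", "shellexecute", "shell\\open\\command")


def autorun_launches(autorun_text: str, binary: str = DROPPER_NAME) -> bool:
    """True if any [autorun] launch key references `binary` (case-insensitive)."""
    parser = configparser.ConfigParser(interpolation=None, strict=False)
    try:
        parser.read_string(autorun_text)
    except configparser.Error:
        return False  # malformed file: report nothing rather than crash
    for name in parser.sections():
        if name.lower() != "autorun":
            continue  # section header may be written as [AutoRun]
        section = parser[name]
        for key in AUTORUN_KEYS:
            if binary.lower() in section.get(key, "").lower():
                return True
    return False


def suspicious_attachments(names: List[str]) -> List[str]:
    """Return the attachment names that match the lure filenames in the entry."""
    return [n for n in names if n.lower() in ATTACHMENT_NAMES]


def triage(autorun_text: str, attachments: List[str]) -> Dict[str, object]:
    """Combine both checks into one result a responder can act on."""
    return {
        "autorun_hit": autorun_launches(autorun_text),
        "attachment_hits": suspicious_attachments(attachments),
    }


# Constructed sample autorun.inf of the kind the entry describes (not a capture).
SAMPLE_AUTORUN = "[AutoRun]\nopen=vxworks.exe\nshellexecute=vxworks.exe\nicon=shell32.dll,4\n"
# Constructed sample of attachment names from a quarantined mailbox.
SAMPLE_ATTACHMENTS = ["Postcard.zip", "invoice.pdf", "coupon.zip"]

if __name__ == "__main__":
    print(triage(SAMPLE_AUTORUN, SAMPLE_ATTACHMENTS))
```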