[email protected]

Aliases: Win32.Ahker.B, Email-Worm.Win32.Anker.a, W32/Ahker-B, WORM_AHKER
Variants: Email-Worm.Win32.Anker.a, W32/[email protected], Win32.HLLM.Generic.314, Win32/[email protected], WORM_AHKER.B

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 26 Jan 2005
Damage: Medium

Characteristics: The worm uses the contents of the Windows Address Book to send its code to other unwary computer users. The email message is disguised so that it prompts the recipient to launch the attachment, which executes the malware on the targeted machine.

More details about [email protected]

This mass-mailing worm targets not only the Windows Address Book (WAB) file but also the Windows hosts file. This file affects how the Web browser communicates with websites. By modifying it, the malware can redirect the Web browser to malicious websites and cause dangerous code to be downloaded automatically. The download may occur without the computer user's knowledge or intervention. An infection may also cause undesired changes in the behavior of the operating system. In some previous infections, the Run command disappeared from the Start menu or failed to launch. Some applications, such as Notepad, Registry Editor, and even Windows Task Manager, may be disabled by this malware. It is believed that this is done so that the computer user cannot terminate the malware's running processes.

The malware also introduces a services.exe file into the infected machine, storing it under the Windows directory. This executable has a corresponding Windows Registry entry that attempts to pass the malicious file off as a legitimate service of an antivirus application. Other programs affected by the worm may include Wordpad, MSN Messenger, and Windows Update. The malware likewise terminates the SVCHOST and LSASS processes of the operating system. Processes associated with security and antivirus programs are also ended prematurely, which may lead to corruption. A reliable antivirus program with an updated virus engine and database may be required to remove this malware completely from an infected machine.
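A triage check for two of the traces described above, the modified hosts file and a services.exe stored directly under the Windows directory. This is an added example, not part of the original entry; the function names, the sample data, and the assumption that genuine services.exe, svchost.exe and lsass.exe run from %SystemRoot%\System32 belong to this example.

```python
import ipaddress
import ntpath

# Assumption of this example: genuine copies of these binaries live in
# %SystemRoot%\System32 (64-bit systems also keep a svchost.exe in SysWOW64).
SYSTEM32_ONLY = {"services.exe", "svchost.exe", "lsass.exe"}
LOCAL_NAMES = {"localhost", "localhost.localdomain"}

# Constructed sample input, not taken from an infected machine.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
203.0.113.7 www.example.com example.com   # documentation-range address
127.0.0.1   update.example.net
"""
SAMPLE_IMAGES = [r"C:\WINDOWS\system32\services.exe", r"C:\WINDOWS\services.exe"]

def audit_hosts(text):
    """Return (line_no, address, hostname, kind) for every non-local mapping."""
    findings = []
    for no, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()      # drop comments, tokenize
        if len(fields) < 2:
            continue
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((no, fields[0], "", "unparseable address"))
            continue
        for name in (f.lower() for f in fields[1:]):
            if name not in LOCAL_NAMES:
                # A name pinned to loopback cannot be reached; any other
                # address sends the browser somewhere DNS did not choose.
                local = ip.is_loopback or ip.is_unspecified
                findings.append((no, str(ip), name, "loopback" if local else "redirect"))
    return findings

def misplaced_system_binaries(image_paths, system_root=r"C:\Windows"):
    """Return paths whose file name is a system binary outside System32."""
    expected = ntpath.normcase(ntpath.join(system_root, "System32"))
    hits = []
    for path in image_paths:
        folder, name = ntpath.split(ntpath.normpath(path))
        if name.lower() in SYSTEM32_ONLY and ntpath.normcase(folder) != expected:
            hits.append(path)
    return hits

if __name__ == "__main__":
    print(audit_hosts(SAMPLE_HOSTS))
    print(misplaced_system_binaries(SAMPLE_IMAGES))
```

Every finding is a prompt for review rather than a verdict, since administrators and ad-blocking tools also add hosts entries.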