Aliases: Win32.Aimdes.A, IM-Worm.Win32.Aimes.a, W32/AimDes.worm, W32/Aimdes-A, WORM_AIMDES.A
Variants: Trojan.Startpage.E, [email protected], W32/Bobax-D, Multidropper.AXY, AFXrootkit
Classification: Malware
Category: Computer Worm
Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 11 Feb 2005
Damage: Medium
Characteristics: A fast-spreading worm, the [email protected] program is considered an active online threat.
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
RECOMMENDED:
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
The [email protected] program uses the America Online (AOL) Instant Messaging service to distribute its payload. It may also send email messages with malicious attachments under random subject lines. On execution, the [email protected] malware first generates the support files its payload delivery routine needs. Commonly targeted directories include Windows, Documents and Settings, and Program Files. It may create its own folder within these directories; under Program Files, for example, it creates a Sony\VAIO Action Setup folder. Some of its files may reside in the system's Startup folder. Msvbdll.pif, MsVBdll32.exe, and msVBdll.exe are among the files closely associated with the [email protected] threat. The malware also modifies the Windows Registry so that it launches automatically at every system startup.
[email protected] also uses the Windows Registry to disable the Windows Task Manager, presumably to prevent the user from terminating its background processes. Part of the [email protected] payload is to disable the notification alerts provided by the Windows Security Center, in preparation for terminating all security and protection-related programs and processes on the infected machine. With the alerts disabled, the user is lulled into a false sense of security, believing that protection programs are still active. The malware has been observed to automatically launch AOL messenger and to randomly put the infected computer into Sleep Mode. The infected machine may also display message boxes intermittently, which are more of an annoyance than anything else.
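As an added example (not part of this entry or any vendor tool), the following PowerShell triage check looks for the artifacts the description names: the three file names and the Sony\VAIO Action Setup folder come from the entry, while the Run-key path, the DisableTaskMgr policy value and the XP-era Security Center *DisableNotify value names are standard Windows locations assumed here rather than stated on the page.

```powershell
# Added triage check (not from the entry). File names and the Sony\VAIO folder
# are taken from the description; registry paths and value names are standard
# Windows locations assumed here. Run from an elevated PowerShell prompt.
$names = 'Msvbdll.pif', 'MsVBdll32.exe', 'msVBdll.exe'
$findings = @()

# 1. Dropped files in the directories the description names
$dirs = $env:windir,
        (Join-Path $env:ProgramFiles 'Sony\VAIO Action Setup'),
        [Environment]::GetFolderPath('Startup'),
        [Environment]::GetFolderPath('CommonStartup')
foreach ($d in $dirs) {
    if (-not (Test-Path $d)) { continue }
    foreach ($n in $names) {
        $p = Join-Path $d $n
        if (Test-Path $p) { $findings += "File present: $p" }
    }
}

# 2. Autostart (Run key) entries that reference the dropped file names
$runKeys = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
foreach ($k in $runKeys) {
    if (-not (Test-Path $k)) { continue }
    foreach ($prop in (Get-ItemProperty -Path $k).PSObject.Properties) {
        if ($prop.Name -like 'PS*') { continue }   # provider metadata, not a value
        foreach ($n in $names) {
            if ("$($prop.Value)" -like "*$n*") {
                $findings += "Run entry '$($prop.Name)' = $($prop.Value)"
            }
        }
    }
}

# 3. Task Manager disabled by policy (DisableTaskMgr = 1; assumed value name)
$pol = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
$v = (Get-ItemProperty -Path $pol -Name DisableTaskMgr -ErrorAction SilentlyContinue).DisableTaskMgr
if ($v -eq 1) { $findings += "DisableTaskMgr = 1 under $pol" }

# 4. Security Center alerts suppressed (XP-era value names; assumed)
$sc = 'HKLM:\SOFTWARE\Microsoft\Security Center'
foreach ($n in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    $v = (Get-ItemProperty -Path $sc -Name $n -ErrorAction SilentlyContinue).$n
    if ($v -eq 1) { $findings += "$n = 1 under $sc" }
}

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } }
else { Write-Output 'No indicators from this entry found.' }
```

A hit on checks 3 or 4 alone is not proof of this worm, since many other families tamper with the same values; treat it as a reason to examine the Run entries and dropped files more closely.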