[email protected]

Aliases: Win32.Aimdes.A, IM-Worm.Win32.Aimes.a, W32/AimDes.worm, W32/Aimdes-A, WORM_AIMDES.A
Variants: Trojan.Startpage.E, [email protected], W32/Bobax-D, Multidropper.AXY, AFXrootkit

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 11 Feb 2005
Damage: Medium

Characteristics: The [email protected] program is a fast-spreading worm and is considered an active online threat.

More details about [email protected]

The [email protected] program makes use of the Instant Messaging service of America Online (AOL) to distribute its payload. It may also send email messages with malicious attachments using random subject lines. Upon execution, the [email protected] malware first generates the support files needed for its payload delivery routine. Commonly targeted directories include Windows, Documents and Settings, and Program Files, among others. It may attempt to create its own folder within these directories, as in the case of Program Files, where a Sony\ VAIO Action Setup folder is created. Some of its files may reside in the Startup folder of the system. Msvbdll.pif, MsVBdll32.exe, and msVBdll.exe are some of the files closely associated with the [email protected] threat. The Windows Registry is likewise modified by this malware so that it launches automatically at every startup or boot sequence.

The [email protected] worm also makes use of the Windows Registry to disable the Windows Task Manager tool. This is presumably done to prevent the computer user from terminating its background processes. Part of the payload of the [email protected] is to disable the notification alerts provided by the Windows Security Center. This is done in preparation for its termination of all security and protection related programs and processes on the infected machine. With the notification alerts disabled, the computer user is lulled into a false sense of security, thinking that protection programs are still active on the machine. The malware has been observed to automatically launch AOL messenger and to randomly place the infected computer into Sleep Mode. The infected machine may also display message boxes intermittently, which are more of an annoyance than anything else.
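The following PowerShell triage script is an added example, not part of the original entry: it checks a Windows host for the indicators the description gives (the named dropped files, the Program Files subfolder, the Startup folder, an autostart entry, Task Manager disabled, Security Center notifications suppressed). The file names and the Sony\VAIO Action Setup folder are taken from the text above; the registry locations used are standard Windows values that the entry does not name, so they are this example's assumption about how the worm implements those behaviours.

```powershell
# Added triage check, not the original page's own content. File names come from the
# description; registry paths are standard Windows locations assumed here, not from the page.
$suspectFiles = @('Msvbdll.pif', 'MsVBdll32.exe', 'msVBdll.exe')
$searchRoots = @(
    $env:WINDIR,
    $env:ProgramFiles,
    (Join-Path $env:ProgramFiles 'Sony\VAIO Action Setup'),   # folder named in the entry
    [Environment]::GetFolderPath('Startup'),
    [Environment]::GetFolderPath('CommonStartup')
)
$findings = @()

# 1. Dropped files in the directories the description names
foreach ($root in $searchRoots) {
    if (-not (Test-Path $root)) { continue }
    foreach ($name in $suspectFiles) {
        $hits = Get-ChildItem -Path $root -Filter $name -File -ErrorAction SilentlyContinue
        foreach ($f in $hits) { $findings += "File: $($f.FullName)" }
    }
}

# 2. Autostart (Run key) entries that reference those file names
$runKeys = @('HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
             'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run')
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip PowerShell's own provider metadata
        foreach ($name in $suspectFiles) {
            if ("$($p.Value)" -match [regex]::Escape($name)) {
                $findings += "Run entry: $key\$($p.Name) = $($p.Value)"
            }
        }
    }
}

# 3. Task Manager disabled through the per-user policy value
$pol = Get-ItemProperty 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($pol -and $pol.DisableTaskMgr -eq 1) { $findings += 'Policy: DisableTaskMgr = 1' }

# 4. Security Center notification alerts suppressed
$sc = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Security Center' -ErrorAction SilentlyContinue
foreach ($v in 'AntiVirusDisableNotify', 'FirewallDisableNotify', 'UpdatesDisableNotify') {
    if ($sc -and $sc.$v -eq 1) { $findings += "SecurityCenter: $v = 1" }
}

if ($findings) { $findings | ForEach-Object { Write-Output "[!] $_" } }
else { Write-Output 'No indicators from the description were found.' }
```

Any hit on checks 3 or 4 is worth investigating even without the named files present, since other malware families tamper with the same values.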