I-Worm.Alcaul.n, [email protected], W32/[email protected], WORM_SEXSOUND.B, Win32.Alcaul.AA, W32/[email protected]
Category: Computer Worm
Active & Spreading
Asia, North America, South America, Europe
14 Feb 2002
One of the most destructive payloads delivered by this malware is that it hunts down system files and tools. The [email protected] worm corrupts these files and places the machine in an endless loop until it runs out of resources and either freezes or shows a Blue Screen of Death.
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
One indication of infection by the [email protected] program is the presence of the files Win.exe and Clickme.exe in the Desktop folder of the Windows directory. The malware also creates other folders under the Windows directory, such as Sendto\Oceans11 and Favorites\A Beautiful Mind. The [email protected] malware likewise presents itself as the Regedit.exe, Scanregw.exe, Tuneup.exe, Rundll64.exe, and Windows.exe files in the Windows directory. Disney.scr and File1980.com, among others, are also placed in the root directory of the main hard drive. Aside from the Windows Address Book contents, the [email protected] program also replaces all screensaver files on the infected machine. Files with the extensions HTM and HTML are also targeted by this malware.
Moreover, a file named Blank.html is dropped in the root directory and allows the [email protected] program to connect on its own to a home page designated by the malicious author. It then downloads more malicious code onto the already infected computer to further compromise its security. The downloaded file targets all Word and Excel files, which are then used as attachments to spread the malicious code. The [email protected] program proceeds by creating a series of scripts, batch files, text files, and registry files, all intended to establish and spread its payload. The worm also modifies the contents of the Script.ini file, which gives it access to mIRC functionality that it uses to further spread the infection. An email message with an infected attachment is also sent to all mIRC contacts of the computer user.
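The file and folder indicators listed above can be checked against a mounted disk image with a short script. This is an added example, not part of the original write-up: the function names, the sample tree, and the split into "strong" and "verify" are assumptions of the example. Names such as Regedit.exe can also belong to legitimate Windows files, so those hits need a hash or signature check before they count as evidence.

```python
import os
import tempfile

# Names come from the description above; the strong/verify split is this example's choice.
STRONG_WINDIR = [r"Desktop\Win.exe", r"Desktop\Clickme.exe",
                 r"Sendto\Oceans11", r"Favorites\A Beautiful Mind"]
STRONG_ROOT = ["Disney.scr", "File1980.com", "Blank.html"]
VERIFY_WINDIR = ["Regedit.exe", "Scanregw.exe", "Tuneup.exe",
                 "Rundll64.exe", "Windows.exe"]

def _find(base, rel):
    """Resolve rel under base ignoring case; return the real path or None."""
    current = base
    for part in rel.split("\\"):
        try:
            entries = os.listdir(current)
        except OSError:  # missing directory, or a file where a folder was expected
            return None
        match = next((e for e in entries if e.lower() == part.lower()), None)
        if match is None:
            return None
        current = os.path.join(current, match)
    return current

def scan(windir, root):
    """Return {'strong': [...], 'verify': [...]} with the indicator paths found."""
    hits = {"strong": [], "verify": []}
    for base, names, level in ((windir, STRONG_WINDIR, "strong"),
                               (root, STRONG_ROOT, "strong"),
                               (windir, VERIFY_WINDIR, "verify")):
        for rel in names:
            found = _find(base, rel)
            if found:
                hits[level].append(found)
    return hits

def build_sample(tmp):
    """Constructed sample tree standing in for a mounted disk image."""
    windir = os.path.join(tmp, "WINDOWS")
    os.makedirs(os.path.join(windir, "DESKTOP"))
    os.makedirs(os.path.join(windir, "SendTo", "Oceans11"))
    for p in (os.path.join(windir, "DESKTOP", "CLICKME.EXE"),
              os.path.join(windir, "regedit.exe"), os.path.join(tmp, "disney.scr")):
        open(p, "w").close()
    return windir, tmp

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        print(scan(*build_sample(tmp)))
```

Run it against a read-only mount of the suspect disk rather than the live system, passing the image's Windows directory and drive root to `scan`.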