[email protected]

Aliases: I-Worm.Alcaul.n, [email protected], W32/[email protected], W32/Syra.B
Variants: WORM_SEXSOUND.B, Win32.Alcaul.AA, W32/[email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North America, South America, Europe
Removal: Hard
Platform: W32
Discovered: 14 Feb 2002
Damage: Medium

Characteristics: One of the most destructive payloads delivered by this malware is that it hunts down system files and tools. The [email protected] worm corrupts these files and then places the machine in an endless loop until it exhausts its resources and either freezes or enters a Blue Screen of Death.

More details about [email protected]

One indication of infection by the [email protected] program is the presence of the files Win.exe and Clickme.exe in the Desktop folder of the Windows directory. The malware also creates other folders under the Windows directory, such as Sendto\Oceans11 and Favorites\A Beautiful Mind. The [email protected] malware likewise masquerades as the Regedit.exe, Scanregw.exe, Tuneup.exe, Rundll64.exe, and Windows.exe files in the Windows directory. Files such as Disney.scr and File1980.com are also placed in the root directory of the main hard drive. In addition to targeting the contents of the Windows Address Book, the [email protected] program replaces all screensaver files on the infected machine. Files with the HTM and HTML extensions are also targeted by this malware.
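A host sweep for the file-system indicators listed above, written for this entry as an added example (it is not a vendor tool or code from the worm). The paths come from the entry; the treatment of Regedit.exe and Scanregw.exe as names that exist on clean systems and must be judged by content rather than presence is this example's own design choice, and build_demo_tree constructs a harmless sample tree so the sweep can be run offline.

```python
import hashlib
import os
import tempfile

# Artifacts the entry names, relative to the Windows directory and the drive root.
WINDIR_ARTIFACTS = ["Desktop/Win.exe", "Desktop/Clickme.exe", "Sendto/Oceans11",
                    "Favorites/A Beautiful Mind", "Tuneup.exe", "Rundll64.exe", "Windows.exe"]
ROOT_ARTIFACTS = ["Disney.scr", "File1980.com", "Blank.html"]
# Also present on clean systems; the worm only masquerades as them, so judge by content.
MASQUERADE = ["Regedit.exe", "Scanregw.exe"]

def _find_ci(base, rel):
    """Case-insensitive path lookup (Windows file names are case-insensitive)."""
    for part in rel.split("/"):
        if not os.path.isdir(base):
            return None
        match = {e.lower(): e for e in os.listdir(base)}.get(part.lower())
        if match is None:
            return None
        base = os.path.join(base, match)
    return base

def _sha256(path):
    with open(path, "rb") as fh:
        return hashlib.sha256(fh.read()).hexdigest()

def sweep(windir, root):
    """Return the indicators found as a list of paths / short findings."""
    hits = [p for a in WINDIR_ARTIFACTS if (p := _find_ci(windir, a))]
    hits += [p for a in ROOT_ARTIFACTS if (p := _find_ci(root, a))]
    # A masqueraded file whose body equals a dropped worm executable is the worm's copy.
    dropped = {_sha256(p) for p in hits if os.path.isfile(p) and p.lower().endswith(".exe")}
    for name in MASQUERADE:
        p = _find_ci(windir, name)
        if p and os.path.isfile(p) and _sha256(p) in dropped:
            hits.append(f"{p} (content matches a dropped worm file)")
    return hits

def build_demo_tree():
    """Constructed sample tree (harmless placeholder bytes) with a few signs above."""
    root = tempfile.mkdtemp()
    sample = {"WINDOWS/desktop/win.exe": b"WORM", "WINDOWS/regedit.exe": b"WORM",
              "WINDOWS/scanregw.exe": b"real", "WINDOWS/notepad.exe": b"real",
              "Blank.html": b"<html></html>"}
    for rel, body in sample.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(body)
    return os.path.join(root, "WINDOWS"), root
```

On a real host, point sweep at the actual Windows directory and drive root; a genuine Regedit.exe is reported only when its bytes match one of the dropped files.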

Moreover, a file named Blank.html is dropped in the root directory and lets the [email protected] program connect automatically to a web page designated by the malware's author. It then downloads further malicious code onto the already infected computer to compromise its security further. The downloaded file targets all Word and Excel files, which are then used as attachments to spread the malicious code. The [email protected] program proceeds by creating a series of scripts, batch files, text files, and registry files, all intended to install and spread its payload. The worm also modifies the contents of the Script.ini file, giving it access to mIRC functionality, which it uses to spread the infection further. An email message with a malicious attachment is also sent to all of the user's mIRC contacts.