[email protected]


Aliases: W32/Amend.A
Variants: Worm.VB.AATF, Worm.Win32.VB.de, W32/YahLover.worm.gen, Win32.SuspectCrc, Win32/Xema.worm.37888.D

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 21 May 2007
Damage: Medium

Characteristics: The [email protected] malware is a mass-mailing worm that can also use removable storage devices as a transport mechanism. It uses the email client to send a copy of itself as a file attachment to unsuspecting recipients found in the computer user's contacts list.

More details about [email protected]

Like the majority of mass-mailing worms, the [email protected] malware reads the contents of the Windows Address Book and uses the entries as recipients for spreading its code. The email message may look innocent enough to lead the receiver to believe that it is harmless. Normally, a message sent by the [email protected] worm will have the subject line "I love lhw" or "My name is lhw", among others. The name of the file attachment, however, may be random to complicate detection. This worm has been identified as using the System and Temp folders under the Windows directory as storage locations for its associated files. Some of the files identified with this malware include msconfig.exe, regedit.exe, regedit32.exe, and internat.exe, among others.

The [email protected] malware allegedly drops a copy of its code onto removable storage devices under the filename Comand.com, an attempt to mimic the legitimate command.com file of the Windows environment. This file is always accompanied by an autorun.inf file, which is used to automatically execute the malware once the removable storage device is accessed by the computer user. The recipients of the spiked email message are prompted to execute the file attachment by text such as "Is this the file you want?" in the body of the message. Since the [email protected] worm makes use of the infected computer user's account, the recipient is further persuaded to believe that the message is authentic. The Messaging Application Programming Interface (MAPI) is used to send the email messages.
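A defender can check a mounted removable volume for the pairing described above: an autorun.inf that launches a file from the volume root whose name is a near-miss of command.com. The following is an added example, not code from the original page; the function names, the edit-distance threshold of 2, and the temporary directory standing in for a USB volume are assumptions.

```python
import tempfile
from pathlib import Path

IMITATED = "command.com"  # legitimate name the page says Comand.com mimics

def edit_distance(a, b):
    """Levenshtein distance, used to spot near-miss file names."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def autorun_targets(text):
    """Return the program names an autorun.inf [autorun] section launches."""
    targets, in_section = [], False
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[autorun]"
        elif in_section and "=" in line and not line.startswith(";"):
            key, value = (part.strip().lower() for part in line.split("=", 1))
            # open=, shellexecute= and shell\<verb>\command= all start a program
            launches = key in ("open", "shellexecute") or key.endswith("\\command")
            if launches and value:
                targets.append(value.split()[0].strip('"'))  # drop arguments
    return targets

def check_volume(root):
    """List findings for the root directory of one mounted removable volume."""
    root = Path(root)
    names = {p.name.lower(): p.name for p in root.iterdir()}
    if "autorun.inf" not in names:
        return []
    findings = []
    text = (root / names["autorun.inf"]).read_text(errors="replace")
    for target in autorun_targets(text):
        base = target.replace("\\", "/").rsplit("/", 1)[-1]
        if base in names:
            findings.append(f"autorun.inf launches {names[base]} from the volume root")
        if 0 < edit_distance(base, IMITATED) <= 2:
            findings.append(f"{base} is a near-miss of {IMITATED}")
    return findings

def demo():  # constructed sample: a temporary directory standing in for a USB volume
    with tempfile.TemporaryDirectory() as d:
        Path(d, "autorun.inf").write_text("[autorun]\nopen=Comand.com\n")
        Path(d, "Comand.com").write_bytes(b"constructed placeholder, not malware")
        return check_volume(d)
```

Either finding on its own is worth a look: any autorun.inf that launches an executable from removable media is unusual on a clean drive.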