[email protected]

Aliases: W32/Ameter. Asunto, W32/Ameter
Variants: Über W97M.Killboot, Win32 Worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North and South America, Asia
Removal: Easy
Platform: W32
Discovered: 24 Sep 2002
Damage: High

Characteristics: The payload routine of the [email protected] worm attempts to overwrite every executable file stored in the Windows directory, with two exceptions: Emm386.exe and Setver.exe in the same location are left untouched.

More details about [email protected]

The [email protected] program requires the Borland C++ 6.0 runtime libraries to be installed in order to run. It overwrites all .exe files in the %windir% folder except Setver.exe and Emm386.exe. It is also capable of sending itself to an email address contained within the program. It allegedly adds the value brigadaNT to a Windows Registry key on systems running Windows XP, 2000 and NT; the value points to the location of the original worm file. This means that the [email protected] program is capable of placing multiple copies of itself in various locations on the infected hard drive. It is possible that this worm allows only a single infection instance despite its presence. According to antivirus developers, it checks for the presence of a certain registry key in the Windows Registry. If the entry is not found, the [email protected] program proceeds to overwrite all executable files and displays a message box whose window title contains the text Brigada Ocho Bitmap Tools.
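The mass-overwrite payload described above leaves a simple forensic trace: after infection, every .exe in the Windows directory except the two spared files carries the same body. The script below is an added example, not code from the original page or from any antivirus vendor; it groups executables by content hash and flags a directory where one hash dominates while Emm386.exe and Setver.exe differ. The demo directory, its file contents and the 80% threshold are constructed assumptions for the demonstration.

```python
# Added example, not code from the original page: triage check for the
# mass-overwrite payload described above. Every .exe in the Windows
# directory except Emm386.exe and Setver.exe is reported overwritten, so
# after infection those files all share one content hash.
import hashlib
import tempfile
from collections import Counter
from pathlib import Path

SPARED = {"emm386.exe", "setver.exe"}  # left untouched, per the page

def hash_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def scan_mass_overwrite(windir: str, min_share: float = 0.8) -> dict:
    """Flag a directory when one hash covers >= min_share of its .exe files
    while the two spared files differ from that hash (threshold is assumed)."""
    exes = [p for p in Path(windir).iterdir()
            if p.is_file() and p.suffix.lower() == ".exe"]
    targets = {p.name: hash_file(p) for p in exes if p.name.lower() not in SPARED}
    spared = {p.name: hash_file(p) for p in exes if p.name.lower() in SPARED}
    if len(targets) < 3:  # too little data for a ratio to mean anything
        return {"suspicious": False, "clones": [], "share": 0.0}
    dominant, count = Counter(targets.values()).most_common(1)[0]
    share = count / len(targets)
    spared_untouched = all(h != dominant for h in spared.values())
    return {
        "suspicious": share >= min_share and spared_untouched,
        "share": share,
        "clones": sorted(n for n, h in targets.items() if h == dominant),
    }

def build_demo(infected: bool) -> str:
    """Constructed sample directory (not real data): distinct binaries when
    clean; one shared body with the spared files intact when infected."""
    d = tempfile.mkdtemp()
    for i, n in enumerate(["notepad.exe", "calc.exe", "regedit.exe", "winhelp.exe"]):
        Path(d, n).write_bytes(b"WORMBODY" if infected else b"MZ" + bytes([i]) * 16)
    Path(d, "Emm386.exe").write_bytes(b"MZemm386")
    Path(d, "Setver.exe").write_bytes(b"MZsetver")
    return d

if __name__ == "__main__":
    for state in (False, True):
        print("infected" if state else "clean", scan_mass_overwrite(build_demo(state)))
```

Against a real system, point `scan_mass_overwrite` at the Windows directory on a mounted image rather than a live host so the hashes reflect the disk state at the time of acquisition.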

One result of infection by the [email protected] program is that it may send a copy of itself to the contacts in the Windows Address Book. Before it attempts to send these malicious email messages, however, it searches the address book for a predetermined name. If that name is found, it sends out an email message prompting the recipient to launch the accompanying attachment; if installation of the [email protected] program fails, the message instructs the recipient to install the VB 6.0 tools which it requires to execute. If the specific name does not exist in the Windows Address Book, the [email protected] program sends no email and instead deletes the entire contents of the Windows directory, including its folders and subfolders.