[email protected]

Aliases: I-Worm.Antiman.D1, Email-Worm.Win32.Antiman.c, W32/Antiman-D, Win32/Antiman.worm.44544, W32/Generic.Delphi.c
Variants: not-a-virus:AdWare.Win32.AdMoke, Email-Worm.Win32.Antiman, WORM_ANTIMAN, W32/[email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Europe, North America
Removal: Hard
Platform: W32
Discovered: 25 Apr 2005
Damage: Low

Characteristics: This worm carries its own Simple Mail Transfer Protocol (SMTP) engine, so it can send email directly to addresses harvested from the infected machine without going through the user's mail client. As a mass-mailing worm it relies entirely on social engineering: its payload runs only if the recipient opens the attached file, and the subject and body of each message are written to persuade them to do so.

More details about [email protected]

As a mass-mailing worm, this program normally arrives as a seemingly innocent email attachment. When the attachment is launched it extracts the file funny.scr into the Windows directory and adds an autostart entry for its main executable in the Windows Registry, so that it is loaded at every startup or reboot. It also places a file named startwin.exe in the Startup folder of the current user's profile, which Windows runs at each logon, and writes a file called m.txt to the root directory of the system drive. Finally, it sets the SCRNSAVE.EXE and ScreenSaveTimeOut values (these are registry values under HKEY_CURRENT_USER\Control Panel\Desktop, not keys). Those values determine which screen saver Windows runs and after how many idle seconds, so they give the worm a further way to have its dropped .scr file executed whenever the machine goes idle, even if the other autostart entries have been removed.

Target addresses are harvested from the Inbox, Outbox and Deleted Items folders of Microsoft Outlook, and the log files of the Yahoo! Instant Messenger client are also searched for further email addresses.
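To check a machine for the screen-saver persistence described above, export the Desktop key and inspect it offline. The following is an added example, not part of this entry or of any vendor tool: it parses the text that `reg export "HKCU\Control Panel\Desktop" desktop.reg` produces and flags a screen saver that does not live in System32 or is the dropped funny.scr, plus an unusually short idle timeout. The sample export is constructed, and the path C:\WINDOWS\funny.scr assumes a default Windows directory, which the entry does not state.

```python
"""Triage a .reg export of HKCU\\Control Panel\\Desktop for screen-saver hijacking.

Added example, not code from the original entry. The .reg text below is
constructed to look like an infected profile; C:\\WINDOWS\\funny.scr assumes a
default Windows directory (the entry only says "the Windows directory").
"""
import re
from pathlib import Path, PureWindowsPath

DESKTOP_KEY = r"HKEY_CURRENT_USER\Control Panel\Desktop"

# Constructed sample of what `reg export "HKCU\Control Panel\Desktop" out.reg`
# would produce on an infected profile (all values are REG_SZ strings).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Control Panel\Desktop]
"Wallpaper"="C:\\WINDOWS\\web\\wallpaper\\Bliss.bmp"
"SCRNSAVE.EXE"="C:\\WINDOWS\\funny.scr"
"ScreenSaveTimeOut"="60"
"ScreenSaveActive"="1"
'''

# "name"="string data"; .reg escapes backslashes and quotes inside the data
_STRING_VALUE = re.compile(r'^"([^"]+)"="((?:[^"\\]|\\.)*)"$')


def load_reg_file(path):
    """reg.exe writes exports as UTF-16 LE with a BOM."""
    return Path(path).read_text(encoding="utf-16")


def parse_reg_export(text):
    """Return {key_path: {value_name: string}} for the REG_SZ values in a .reg export."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current is not None:
            m = _STRING_VALUE.match(line)
            if m:
                # undo the .reg escaping: \\ -> \ and \" -> "
                keys[current][m.group(1)] = re.sub(r"\\(.)", r"\1", m.group(2))
    return keys


def screensaver_findings(keys, system_root=r"C:\WINDOWS"):
    """Flag screen-saver settings that match the worm's persistence trick."""
    desktop = keys.get(DESKTOP_KEY, {})
    findings = []
    scr = desktop.get("SCRNSAVE.EXE")
    if scr:
        p = PureWindowsPath(scr)
        system32 = str(PureWindowsPath(system_root) / "system32").lower()
        # A bare filename such as logon.scr is resolved from System32 by Windows,
        # so only an explicit directory outside System32 is suspicious.
        if str(p.parent) != "." and str(p.parent).lower() != system32:
            findings.append(f"SCRNSAVE.EXE points outside System32: {scr}")
        if p.name.lower() == "funny.scr":
            findings.append("SCRNSAVE.EXE is funny.scr, the file this worm drops")
    timeout = desktop.get("ScreenSaveTimeOut", "")
    if timeout.isdigit() and int(timeout) < 300:
        # well below the usual ten-minute default: the worm wants to run soon after idle
        findings.append(f"ScreenSaveTimeOut is only {timeout} seconds")
    return findings


if __name__ == "__main__":
    for finding in screensaver_findings(parse_reg_export(SAMPLE_REG)):
        print("FINDING:", finding)
```

Against a real export, run `screensaver_findings(parse_reg_export(load_reg_file("desktop.reg")))`. The entry does not say under which key the worm writes the autostart value for its main executable, so export and review the usual Run keys the same way, and check the user's Startup folder for startwin.exe.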

The worm's own SMTP engine delivers the messages through the mail server the infected machine already uses, so that mail to the harvested addresses is accepted rather than bounced. Each message is assembled from a predefined list of subject lines, body texts and attachment names. The attachment name may carry more than one extension, but whatever precedes it, the final extension is always EXE. This is the double-extension trick: with the default Windows setting that hides the extensions of known file types, a name such as picture.jpg.exe is displayed as picture.jpg, so the recipient believes they are opening an image. A filter that keys on the first extension, or on the content type the sender declares, will miss it; the check has to look at the last extension after stripping any trailing dots and spaces.
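Detecting these double-extension attachments at a mail gateway, as an added example that is not part of the original entry or of any product: the code parses a raw message with Python's standard library, extracts every attachment filename and reports those whose final extension is executable, together with the name the recipient would see when Windows hides known extensions. It generalises slightly beyond the entry, which only says EXE, by treating the other extensions Windows executes on double-click the same way. The message, its sender, subject and filenames are constructed for illustration and are not the worm's actual strings.

```python
"""Flag attachments that hide an executable behind extra extensions.

Added example, not code from the original entry. SAMPLE_MESSAGE is a
constructed message; its sender, subject and filenames are illustrative,
not the worm's real strings.
"""
import email
from email import policy

# extensions Windows will execute when the file is double-clicked
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd"}

# Constructed raw message: a text body plus a disguised executable and a real image.
SAMPLE_MESSAGE = b"""\
From: friend@example.net
To: victim@example.org
Subject: check this out
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="XYZ"

--XYZ
Content-Type: text/plain

see attached
--XYZ
Content-Type: application/octet-stream; name="funny.jpg.exe"
Content-Disposition: attachment; filename="funny.jpg.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--XYZ
Content-Type: image/jpeg; name="holiday.jpg"
Content-Disposition: attachment; filename="holiday.jpg"
Content-Transfer-Encoding: base64

/9j/4AAQSkZJRg==
--XYZ--
"""


def displayed_name(filename):
    """The name Explorer shows when 'Hide extensions for known file types' is on."""
    stem, sep, _ext = filename.rpartition(".")
    return stem if sep and stem else filename


def classify(filename):
    """Return (is_executable, is_disguised) for an attachment filename.

    The verdict rests on the LAST extension only, after stripping the trailing
    dots and spaces that Windows drops when it creates the file; anything in
    front of it is decoration the sender controls.
    """
    parts = filename.lower().rstrip(". ").split(".")
    if len(parts) < 2:
        return False, False
    is_exec = parts[-1] in EXECUTABLE_EXTS
    # disguised: executable, and the name that survives extension hiding still looks like a document
    return is_exec, is_exec and len(parts) > 2


def suspicious_attachments(raw):
    """Return (filename, displayed_name, disguised) for each executable attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        is_exec, disguised = classify(name)
        if is_exec:
            hits.append((name, displayed_name(name), disguised))
    return hits


if __name__ == "__main__":
    for name, shown, disguised in suspicious_attachments(SAMPLE_MESSAGE):
        print(f"{name!r} would be shown as {shown!r}; disguised={disguised}")
```

The declared Content-Type and the MIME name parameter are ignored on purpose: both are chosen by the sender, so only the filename the recipient would actually double-click is trusted for the verdict.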