[email protected]

Aliases: Backdoor.Win32.Rbot.AEU, W32/[email protected], WORM_ARESES.B, WORM_ARESES.GEN
Variants: Trojan-PSW.Win32.LdPinch.hk, Worm: [email protected], Trojan-Dropper.Win32.Agent.ami, WORM_ARESES.GEN, W32/Bagle-GO

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 03 May 2006
Damage: Medium

Characteristics: This worm belongs to a category of malware known as mass mailers. These threats are characterized by their ability to scan for email addresses, which they then use to spread their code. This worm has also been described as opening a backdoor that allows more threats to enter.

More details about [email protected]

Upon execution on the targeted machine, this malware creates the csrss.exe file under the Windows directory. However, if the worm is launched in a virtual machine, no file is created; instead, the Web browser is launched automatically (if not already open) and redirected to the www.nahuy.com website. If the computer system is already infected by this malware and another instance is introduced, the Notepad application is executed automatically instead.

The worm is equipped with its own SMTP engine, which makes sending email messages easier. It also sends out an accompanying file attachment, usually in CAB file format. These email messages and attachments are sent to every entry found in the Windows Address Book of the compromised computer system. The worm also searches files with the extensions HTM, DHTML, and SHTM for more email addresses that it can harvest.

It has been reported that this malware also avoids email addresses that contain specific text (normally referencing antivirus developers), so that its code is not sent to entities that could provide an antidote to its payload. The worm has been discovered to contain code that redirects the Web browser to specific websites from which it can download more dangerous code. It is widely believed that these websites are controlled by the same author. The malware uses random TCP ports when attempting these unauthorized connections.
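The csrss.exe drop location and the redirect website described above can be turned into a triage check. This is an added example, not code from the original page: it assumes the genuine csrss.exe runs only from the System32 folder, and the event field names, host names and sample records are hypothetical and constructed.

```python
import ntpath

REDIRECT_DOMAIN = "www.nahuy.com"  # website named on this page

def normalize(path, windir=r"C:\Windows"):
    """Canonicalise a Windows image path: quotes, NT prefixes, env vars, '..', case."""
    p = path.strip().strip('"').replace("/", "\\")
    for prefix in ("\\??\\", "\\\\?\\"):
        if p.startswith(prefix):
            p = p[len(prefix):]
    for var in ("%systemroot%", "%windir%"):
        if p.lower().startswith(var):
            p = windir + p[len(var):]
    return ntpath.normpath(p).lower()

def classify_image(path, windir=r"C:\Windows"):
    """Return None for other binaries, else 'legit', 'windows-dir' or 'elsewhere'."""
    folder, name = ntpath.split(normalize(path, windir))
    if name != "csrss.exe":
        return None
    root = ntpath.normpath(windir).lower()
    if folder == ntpath.join(root, "system32"):
        return "legit"        # assumption: the genuine csrss.exe runs from System32
    if folder == root:
        return "windows-dir"  # the drop location this page describes
    return "elsewhere"        # same file name, different folder

def triage(events, windir=r"C:\Windows"):
    """Return (host, finding, evidence) for suspicious process and DNS events."""
    findings = []
    for ev in events:
        if ev["type"] == "process":
            verdict = classify_image(ev["image"], windir)
            if verdict in ("windows-dir", "elsewhere"):
                findings.append((ev["host"], "csrss-" + verdict, ev["image"]))
        elif ev["type"] == "dns":
            if ev["query"].rstrip(".").lower() == REDIRECT_DOMAIN:
                findings.append((ev["host"], "redirect-domain", ev["query"]))
    return findings

# Constructed sample telemetry (hosts and field names are hypothetical).
SAMPLE_EVENTS = [
    {"type": "process", "host": "ws-01", "image": r"\??\C:\Windows\system32\csrss.exe"},
    {"type": "process", "host": "ws-02", "image": r"C:\WINDOWS\csrss.exe"},
    {"type": "process", "host": "ws-03", "image": "C:/Windows/System32/../csrss.exe"},
    {"type": "process", "host": "ws-04", "image": r"%SystemRoot%\System32\notepad.exe"},
    {"type": "dns", "host": "ws-02", "query": "WWW.NAHUY.COM."},
]
```

Calling `triage(SAMPLE_EVENTS)` flags ws-02 and ws-03 for a csrss.exe image directly under the Windows directory and ws-02 again for the DNS lookup; the System32 copy on ws-01 is not reported.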