Also known as: Backdoor.Win32.Rbot.AEU, W32/Areses@MM, WORM_ARESES.B, WORM_ARESES.GEN, Trojan-PSW.Win32.LdPinch.hk, Worm: Areses@MM, Trojan-Dropper.Win32.Agent.ami, W32/Bagle-GO
Category: Computer Worm
03 May 2006
The W32/Areses@MM program belongs to the category of malware known as mass mailers: threats that harvest email addresses from the infected system and use them to send out copies of their own code. This worm has also been described as opening a backdoor that lets further threats onto the machine.
Malware on your computer causes annoyances and can damage your system. You should either:
A. manually remove the infected files from your computer, or
B. scan your system with trusted software and let it clean them automatically.
We recommend that you scan your system for malware. Our partner offers a computer worm removal tool that automatically cleans W32/Areses@MM from your computer.
Upon execution on the targeted machine, the worm creates a file named csrss.exe in the Windows directory. Note that the legitimate csrss.exe lives in the System32 folder, so a copy directly under the Windows directory is the indicator to look for. If the program is launched inside a virtual machine, no file is created; instead the Web browser is launched (if not already open) and redirected to the www.nahuy.com website, behaviour consistent with a check for analysis environments. If the system is already infected and a second instance is run, the Notepad application is launched instead. The worm is equipped with its own SMTP engine, so it can send email without relying on the mail client installed on the machine. It sends an accompanying file attachment, usually in CAB format, to every entry found in the Windows Address Book of the compromised system. Files with the extensions HTM, SHTM and DHTML are also searched for further email addresses to harvest.
It has been reported that the worm skips email addresses containing certain strings (normally the names of antivirus developers) so that its code is not mailed to parties who could produce a detection signature for it. The worm also contains code that redirects the Web browser to specific websites from which it downloads further malicious code; these sites are widely believed to be controlled by the same author. Random TCP ports are used for these unauthorized connections, so a firewall rule on a single destination port will not reliably block them.