[email protected]

Aliases: I-Worm.Assarm, WORM_ASSARM.A
Variants: W32/Assarm.worm, Win32/Assarm.Worm

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Europe, North and South America, Asia
Removal: Easy
Platform: W32
Discovered: 02 Aug 2002
Damage: Low

Characteristics: The [email protected] program is a mass-mailing worm that scans the contents of the user's mailbox using Microsoft Outlook. It replies to all unread messages in the mailbox, but only if it is Monday or Thursday and the time is 6:00 to 12:00 am or pm.

More details about [email protected]

This mass-mailing worm normally arrives at a targeted computer system as a reply to a message sent by the user of an infected computer system. The user's name is included in the message body to give it an air of legitimacy. As with the majority of mass-mailing malware, the [email protected] program also carries a file attachment, which usually uses one of the following filenames: bill.exe, card.exe, click.exe, demo.exe, data.exe, docs.exe, Flash.exe, Game.exe, Fun.exe, humor.exe, images.exe, mp3.exe, news_doc.exe, 10 different Korean names.exe, and opinion.exe. When the file attachment is launched, a message box supposedly from VeriSign is displayed to the computer user. When that message box is closed, the [email protected] program displays another one informing the user of a damaged ActiveX Control component. These message boxes hide what the malware does in the background: it creates a copy of itself in the Windows directory using the win.ini and svchost.exe filenames.

Moreover, when the infected computer system is restarted, the [email protected] program launches automatically and checks the system date. If the day is a Monday or a Thursday, it then checks the system time. When the time is between 12:00 and 5:00 am or pm, the malware displays a message box but does not spread its code. At any other time on those days, however, it launches its propagation routine. The propagation routine scans for all unread messages but does not harvest email addresses from the Windows Address Book.
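The attachment names and the Monday/Thursday schedule described above can be combined into a simple mail-log triage check. The following is an added example, not code from the original write-up or from any vendor: the CSV column layout, the `Re:` subject test, the sample rows and the reading of the window as 6:00 up to (not including) 12:00 from the Characteristics line are all assumptions.

```python
import csv
import io
from datetime import datetime

# Attachment names listed in the write-up above. The "10 different Korean
# names.exe" entry is not enumerated on the page, so it is not covered here.
ATTACHMENT_NAMES = {
    "bill.exe", "card.exe", "click.exe", "demo.exe", "data.exe", "docs.exe",
    "flash.exe", "game.exe", "fun.exe", "humor.exe", "images.exe", "mp3.exe",
    "news_doc.exe", "opinion.exe",
}

def in_reply_window(ts: datetime) -> bool:
    """Monday or Thursday, 6:00 up to (not including) 12:00, am or pm.
    Boundary handling is an assumption; the page gives only the ranges."""
    return ts.weekday() in (0, 3) and ts.hour % 12 >= 6

def triage(log_text: str) -> list[dict]:
    """Return one finding per log row whose attachment name is on the list."""
    findings = []
    for row in csv.DictReader(io.StringIO(log_text)):
        name = row["attachment"].strip().lower()
        if name not in ATTACHMENT_NAMES:
            continue
        ts = datetime.fromisoformat(row["sent_local"])
        window = in_reply_window(ts)
        is_reply = row["subject"].lower().startswith("re:")  # assumed marker
        findings.append({
            "sender": row["sender"],
            "attachment": name,
            "in_window": window,
            "priority": "high" if is_reply and window else "review",
        })
    return findings

# Constructed sample rows (not real traffic); sent_local is sender-local time.
SAMPLE_LOG = """sent_local,sender,subject,attachment
2002-08-05T07:15:00,alice@example.test,Re: meeting notes,Docs.exe
2002-08-06T07:15:00,bob@example.test,Re: lunch,card.exe
2002-08-08T19:40:00,carol@example.test,Re: invoice,bill.exe
2002-08-08T14:00:00,dave@example.test,Re: photos,images.exe
2002-08-05T09:00:00,erin@example.test,Re: report,report.pdf
"""

if __name__ == "__main__":
    for finding in triage(SAMPLE_LOG):
        print(finding)
```

A listed filename outside the window is still reported as `review`, since a log timestamp may not reflect the clock on the sending machine.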