[email protected]

Aliases: Email-Worm.Win32.Atak.c, W32/[email protected], WORM_ATAK.GEN, W32/[email protected], WORM_ATAK.D
Variants: Win32.Atak.D, Win32/Atak.D.Worm, W32/[email protected], W32/Atak-B, Email-Worm.Win32.Mydoom.ad

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 03 Dec 2004
Damage: Low

Characteristics: This mass-mailing worm scans selected files on the infected system to harvest email addresses, then uses its own built-in SMTP engine to mail copies of itself to those addresses, so it does not depend on the victim's mail client to send.

More details about [email protected]

The email message sent by the worm usually carries a spoofed sender address in the "From" field, with display names such as Huck, Jose, Vladimir, Hanson, Linda, and Jane among others. All of these names are bogus, and because the From field is forged it does not identify the infected machine; bounces and virus notifications sent to that address reach an uninvolved third party. The subject line is picked at random from a list built into the worm. Like most mass-mailing worms, it spreads through a file attachment, normally with a ZIP, BAT, SCR, EXE, PIF, or COM extension. The target addresses are harvested from files on the local hard drive; among the file types searched are EML, NCH, MBX, LOG, JSP, CGI, MSG, ADB, and WAB, that is, stored mail, address books, and web-server source and log files, so any address that ever passed through the machine's mail client, address book, or locally hosted web content can become a target.
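The following Python script is an added example of a mail-gateway check for the lure pattern described above; it is not code from the original page or from any vendor product. It flags a message whose attachment uses one of the extensions the entry lists, looks inside ZIP attachments for the same executable extensions, and records the display name from the forged From header. The sample message, the names and addresses in it, and the placeholder archive contents are constructed for the demonstration and are not a captured worm email.

```python
"""Mail-gateway triage for the attachment pattern described in the entry.

Added example, not code from the original page or from any vendor tool.
The sample message below is constructed; it is not a captured worm email.
"""
import io
import posixpath
import zipfile
from email import message_from_bytes, policy, utils
from email.message import EmailMessage

# Attachment extensions the entry names for this worm.
RISKY_EXTS = {".zip", ".bat", ".scr", ".exe", ".pif", ".com"}
# The same list minus the container format; used when inspecting ZIP contents.
EXEC_EXTS = RISKY_EXTS - {".zip"}


def _ext(name: str) -> str:
    # posixpath also copes with archive member paths such as "docs/readme.scr".
    return posixpath.splitext(name.lower())[1]


def zip_member_findings(data: bytes) -> list[str]:
    """Return archive members with an executable extension; empty if not a ZIP."""
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            return [n for n in zf.namelist() if _ext(n) in EXEC_EXTS]
    except zipfile.BadZipFile:
        return []


def triage_message(raw: bytes) -> dict:
    """Parse a raw RFC 5322 message and report sender and attachment findings."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {
        # The entry says this name is spoofed: record it, never trust it.
        "from_display_name": utils.parseaddr(str(msg.get("From", "")))[0],
        "risky_attachments": [],
        "zip_executables": [],
    }
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ext = _ext(name)
        if ext in RISKY_EXTS:
            findings["risky_attachments"].append(name)
        if ext == ".zip":
            payload = part.get_payload(decode=True) or b""
            findings["zip_executables"].extend(zip_member_findings(payload))
    # Block on the outer extension alone: the lure may be a bare EXE/SCR/PIF/COM/BAT
    # as well as a ZIP, so the archive inspection only adds evidence.
    findings["block"] = bool(findings["risky_attachments"])
    return findings


def build_sample_message() -> bytes:
    """Constructed lure in the shape the entry describes: spoofed display name,
    arbitrary subject, ZIP attachment wrapping an .scr. Placeholder bytes only."""
    zbuf = io.BytesIO()
    with zipfile.ZipFile(zbuf, "w") as zf:
        zf.writestr("document.scr", b"placeholder, not an executable")
    msg = EmailMessage()
    msg["From"] = "Linda <linda@example.com>"   # forged; example.com is a placeholder
    msg["To"] = "victim@example.net"
    msg["Subject"] = "hello"
    msg.set_content("see the attached file")
    msg.add_attachment(zbuf.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    print(triage_message(build_sample_message()))
```

Extension matching is deliberately case-insensitive and applied to archive member paths as well as to the outer file name, since a lure named DOCUMENT.ZIP containing docs/readme.SCR is the same threat as the lower-case one.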

When executed, the worm normally drops a copy of itself as svrhost.exe in the System folder of the Windows directory. Note the name: it differs from the legitimate Windows service host, svchost.exe, by a single letter, so a process or directory listing that is skimmed rather than read will miss it. The worm then creates a Windows Registry key and appends an entry to the Windows initialization file so that it is loaded automatically with the operating system. Once it is running at startup it attempts to terminate processes and programs associated with system security, and it may also delete the Registry entries belonging to those programs so that they are not restarted at the next boot.
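The script below is an added example of a host-side check for the persistence just described; it is not code from the original page or from any removal tool. The entry names the dropped file but not the exact Registry key or initialization-file line, so the locations checked here are my assumptions: the HKLM and HKCU Run keys, and the run= and load= lines of win.ini. The parsing helpers take plain text and dictionaries so they can be exercised on constructed input on any platform; collect_live_findings() reads the real locations only when run on Windows.

```python
"""Host-side check for the svrhost.exe persistence described in the entry.

Added example, not code from the original page or from a vendor's removal
tool. The autostart locations below are assumptions: the entry does not name
the Registry key or the initialization-file line the worm writes.
"""
import os
import sys

INDICATOR = "svrhost.exe"   # file the entry says the worm drops
LEGITIMATE = "svchost.exe"  # real Windows service host; one letter apart

# Assumed autostart keys (not named in the entry).
RUN_KEYS = [
    ("HKLM", r"Software\Microsoft\Windows\CurrentVersion\Run"),
    ("HKCU", r"Software\Microsoft\Windows\CurrentVersion\Run"),
]


def is_lookalike(path: str) -> bool:
    """True if the file name is the worm's svchost look-alike (case-insensitive)."""
    return os.path.basename(path.replace("\\", "/")).lower() == INDICATOR


def ini_autorun_hits(ini_text: str) -> list[str]:
    """Return run=/load= values in the [windows] section that reference the indicator."""
    hits, in_windows = [], False
    for line in ini_text.splitlines():
        s = line.strip()
        if s.startswith("[") and s.endswith("]"):
            in_windows = s.lower() == "[windows]"
            continue
        if in_windows and "=" in s:
            key, _, value = s.partition("=")
            if key.strip().lower() in ("run", "load") and INDICATOR in value.lower():
                hits.append(value.strip())
    return hits


def run_key_hits(values: dict[str, str]) -> list[tuple[str, str]]:
    """Given name->command pairs from a Run key, return those launching the indicator."""
    return [(n, c) for n, c in values.items() if INDICATOR in c.lower()]


def _read_run_key(hive_name: str, subkey: str) -> dict[str, str]:
    """Enumerate a Run key with winreg; empty dict when absent or not on Windows."""
    if sys.platform != "win32":
        return {}
    import winreg
    hive = winreg.HKEY_LOCAL_MACHINE if hive_name == "HKLM" else winreg.HKEY_CURRENT_USER
    values = {}
    try:
        with winreg.OpenKey(hive, subkey) as key:
            index = 0
            while True:
                try:
                    name, data, _ = winreg.EnumValue(key, index)
                except OSError:
                    break          # no more values under this key
                values[name] = str(data)
                index += 1
    except OSError:
        pass                       # key does not exist or is not readable
    return values


def collect_live_findings() -> dict:
    """Check the dropped file, the Run keys and win.ini on the running system."""
    findings = {"files": [], "run_keys": [], "win_ini": []}
    windir = os.environ.get("SystemRoot", r"C:\Windows")
    # "System folder" is System32 on NT-based Windows and System on 9x; check both.
    for sub in ("System32", "System"):
        candidate = os.path.join(windir, sub, INDICATOR)
        if os.path.isfile(candidate):
            findings["files"].append(candidate)
    for hive, subkey in RUN_KEYS:
        findings["run_keys"] += [(hive, n, c) for n, c in run_key_hits(_read_run_key(hive, subkey))]
    ini_path = os.path.join(windir, "win.ini")
    if os.path.isfile(ini_path):
        with open(ini_path, encoding="utf-8", errors="replace") as fh:
            findings["win_ini"] = ini_autorun_hits(fh.read())
    return findings


if __name__ == "__main__":
    print(collect_live_findings())
```

A hit in any of the three places is worth acting on, but the absence of a hit is not a clean bill of health: the entry says the worm also kills security software and may delete its Registry entries, so a machine on which the antivirus service has silently stopped deserves the same look.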