[email protected]

Aliases: Trojan.Win32.Atendo, W32/[email protected], WORM_ATENDO.A, Win32/Atendo
Variants: Trojan.Win32.Atendo, Trojan:Win32/Atendo, Win32:Trojan-gen, Win32/Payfor.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia
Removal: Hard
Platform: W32
Discovered: 27 Jun 2003
Damage: Medium

Characteristics: Atendo is a worm that scans the contents of the Microsoft Outlook Inbox on the infected computer. It spreads to other computer systems by replying to every message it finds in the Inbox. It also attempts to remove certain files from the machine.

More details about Atendo

Atendo is a Portable Executable (PE) file written in Visual C++ and is closely associated with the files NAV32.EXE, ATENDIMENTO.DOC.EXE, NAV-32.EXE, and D.EXE. The malware normally uses these files as attachments to the infected email messages it sends out, using the messages in the user's Inbox as a reference. According to some antivirus vendors, the worm scans messages in the Inbox of the Microsoft Outlook client. This does not necessarily mean that other email clients are immune from its effects. The worm uses the active Internet connection to send out its email messages. It reportedly extracts its file components into the System folder of the Windows directory and creates a corresponding Windows Registry key for them. This routine is a basic persistence strategy that most threats use to keep the infection in place.

One of the most damaging payloads associated with this worm is its ability to delete files and replace the originals with its own code without arousing user suspicion. Files in the EXE, XLS, DOC, MDB, DBX, TOP, PST, WPNT, WPTO, and WPE formats are reportedly targeted by this malware. To keep the user from discovering that these files were removed, the worm recreates them using the contents of the Payback.doc file, which is stored in the C:\ARQUIV~1\NORTON~1 directory. It also appends the text "certified Virus Free" to the end of each email message as part of its routine to deceive the recipient.
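
For damage assessment after an infection like the one described above, the following added example (not code from this page or from any antivirus vendor) lists files with the targeted extensions that share identical content. It assumes the recreated files are byte-for-byte copies of the decoy document; the function names and the `min_cluster` threshold are hypothetical choices.

```python
import hashlib
import os
import sys
from collections import defaultdict

# Extensions the page lists as targeted by the worm.
TARGETED = {".exe", ".xls", ".doc", ".mdb", ".dbx", ".top", ".pst",
            ".wpnt", ".wpto", ".wpe"}

def sha256_of(path, chunk=1 << 16):
    """Hash in chunks (PST/MDB files can be large); None if unreadable."""
    digest = hashlib.sha256()
    try:
        with open(path, "rb") as handle:
            for block in iter(lambda: handle.read(chunk), b""):
                digest.update(block)
    except OSError:
        return None
    return digest.hexdigest()

def find_overwritten(root, decoy_path=None, min_cluster=3):
    """Return {sha256: [paths]} for targeted files that share identical bytes."""
    # Assumption: files recreated by the worm are exact copies of the decoy.
    decoy_hash = sha256_of(decoy_path) if decoy_path else None
    decoy_size = os.path.getsize(decoy_path) if decoy_hash else None
    by_size = defaultdict(list)
    for folder, _dirs, names in os.walk(root):
        for name in names:
            path = os.path.join(folder, name)
            if os.path.splitext(name)[1].lower() in TARGETED and os.path.isfile(path):
                by_size[os.path.getsize(path)].append(path)
    by_hash = defaultdict(list)
    for size, paths in by_size.items():
        if len(paths) > 1 or size == decoy_size:  # hash only possible matches
            for path in paths:
                by_hash[sha256_of(path)].append(path)
    by_hash.pop(None, None)  # drop files that could not be read
    suspicious = {}
    for digest, paths in by_hash.items():
        exts = {os.path.splitext(p)[1].lower() for p in paths}
        # Report decoy matches, or large groups spanning several file types.
        if digest == decoy_hash or (len(paths) >= min_cluster and len(exts) > 1):
            suspicious[digest] = sorted(paths)
    return suspicious

if __name__ == "__main__":
    for digest, paths in find_overwritten(sys.argv[1], *sys.argv[2:3]).items():
        print(digest, *paths, sep="\n  ")
```

Run it against a mounted or offline copy of the affected disk; every path it reports is a candidate for restoration from backup.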