[email protected]

Aliases: I-Worm.Bagz.b, W32/[email protected], W32/Bagz-B, WORM_BAGZ.B
Variants: W32/[email protected], W32/[email protected]

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Fast
Geographical info: Asia, Europe, US, Africa, Australia
Removal: Hard
Platform: W32
Discovered: 04 Oct 2004
Damage: Low

Characteristics: The [email protected] malware is a mass mailing worm with its own SMTP (Simple Mail Transfer Protocol) engine. It uses this engine for sending its code to email addresses harvested from a compromised machine.

More details about [email protected]

The [email protected] worm is a variant of W32/[email protected]. It infects a computer when an infected email attachment is opened. The subject lines of these emails range from innocuous ones such as ‘eCards’ to alarming ones such as delivery failure notices, and the message body typically claims there has been an email problem or a policy violation. The attachment is a .zip or .exe file with a name such as warning.zip or document.doc.exe. Recipient addresses are harvested from the compromised system: the worm searches files with the extensions .txt, .htm, .tbi, .tbb and .dbx for email addresses.

When [email protected] enters a system, it drops files in the C:\Windows\System folder. Some of these files have double extensions, with spaces between the .doc and the .exe extension, so that in My Computer or Windows Explorer the trailing .exe extension of the dropped files is usually not visible.

The worm also adds values to the registry so that it is executed each time Windows restarts. It can deactivate the Windows Firewall and installs a network driver to evade detection. It also opens a backdoor through which it can receive files. Other characteristics of the [email protected] worm include overwriting the local hosts file to prevent some security products from updating correctly, disabling or uninstalling certain security products on the compromised machine, and constructing messages with its own SMTP engine, attaching a copy of itself as an EXE file inside a ZIP archive.
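Two of the behaviours described above leave artifacts a defender can check for directly: attachment or dropped-file names that carry a document extension, optional spaces, and then an executable extension, and hosts-file entries that point security-vendor update hosts at the loopback or an unroutable address. The following script is an added illustration of both checks; it is not code from the original page or from any antivirus product. The attachment names, hosts-file lines and the watched domain `example-av.test` are constructed sample data, and the list of executable extensions is an assumption that goes beyond the .exe the page names.

```python
import re

# Executable extensions to treat as suspicious when they follow a document-style
# extension. The page names only .exe; the others are an added assumption.
EXECUTABLE_EXTS = r"(exe|scr|pif|com)"
DOCUMENT_EXTS = r"(doc|txt|htm|html|pdf|zip)"

# "document.doc      .exe": document extension, optional spaces, executable extension.
DOUBLE_EXT_RE = re.compile(
    r"\." + DOCUMENT_EXTS + r"\s*\." + EXECUTABLE_EXTS + r"$", re.IGNORECASE
)

# Addresses that make a hosts entry effectively block the named host.
BLOCKING_ADDRESSES = {"127.0.0.1", "0.0.0.0", "::1"}


def is_double_extension(name: str) -> bool:
    """True if the file name hides an executable behind a document extension."""
    return bool(DOUBLE_EXT_RE.search(name))


def flagged_attachments(names):
    """Return the subset of names that use the double-extension pattern."""
    return [n for n in names if is_double_extension(n)]


def suspicious_hosts_entries(hosts_text: str, watched_domains):
    """Return (address, hostname) pairs for watched domains mapped to a blocking address.

    watched_domains is an iterable of parent domains; any hostname equal to one of
    them or ending in "." + domain is considered watched.
    """
    watched = {d.lower() for d in watched_domains}
    found = []
    for raw in hosts_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        address, hostnames = parts[0], parts[1:]
        for host in hostnames:
            h = host.lower()
            if any(h == d or h.endswith("." + d) for d in watched):
                if address in BLOCKING_ADDRESSES:
                    found.append((address, host))
    return found


# Constructed sample data: attachment names of the kind the write-up describes.
SAMPLE_ATTACHMENT_NAMES = [
    "warning.zip",              # single extension: archive, not flagged by this check
    "document.doc.exe",         # double extension with no spaces
    "document.doc      .exe",   # double extension padded with spaces
    "report.pdf",               # ordinary document
    "invoice.txt .scr",         # document extension, space, screensaver executable
]

# Constructed hosts file; example-av.test stands in for a real vendor domain.
SAMPLE_HOSTS = """\
127.0.0.1 localhost
# constructed entries redirecting update hosts to loopback / unroutable addresses
127.0.0.1 update.example-av.test
0.0.0.0   liveupdate.example-av.test
10.0.0.5  fileserver.corp.test
"""
WATCHED_DOMAINS = {"example-av.test"}


if __name__ == "__main__":
    for name in flagged_attachments(SAMPLE_ATTACHMENT_NAMES):
        print("suspicious attachment name:", repr(name))
    for address, host in suspicious_hosts_entries(SAMPLE_HOSTS, WATCHED_DOMAINS):
        print("hosts file blocks", host, "via", address)
```

Note that `warning.zip` is not flagged: an archive name alone tells you nothing, and the double-extension check only applies once the archive is opened and the contained file name is examined. The hosts check is deliberately narrow and reports only watched domains mapped to loopback or unroutable addresses, which is the effect the page describes (updates failing), rather than any edit to the file.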