[email protected]

Aliases: Win32.Banish.A, Email-Worm.Win32.Banish.a, W32/Banish.worm, W32/[email protected], W32/Banish-A
Variants: Email-Worm.Win32.Banish.b

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 01 May 2005
Damage: Medium

Characteristics: The [email protected] malware is a mass-mailing worm. It can also spread across the network by exploiting the Microsoft Windows LSASS Buffer Overrun Vulnerability.

More details about [email protected]

The [email protected] worm’s main characteristic is its ability to exploit the Microsoft Windows LSASS Buffer Overrun Vulnerability. This vulnerability is a stack-based buffer overflow in certain Active Directory service functions in LSASRV.DLL, part of LSASS (the Local Security Authority Subsystem Service) on most Microsoft Windows operating systems. It is exploited by the [email protected] worm and by the better-known Sasser worm. The flaw permits a remote attacker to run arbitrary code by sending a specially crafted packet that causes the function DsRolerUpgradeDownlevelServer to write an overly long debug entry to the log file DCPROMO.LOG. When run on an infected system, the [email protected] worm first copies itself as lsass.exe, smss.exe, winlogon.exe, services.exe and csrss.exe into the C:\Windows folder. Next, the worm creates a service with the display name ‘Windows Object Manager’ and a description randomly copied from an already existing service.
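The file copies and the service described above are host artifacts a responder can check for: the genuine lsass.exe, smss.exe, winlogon.exe, services.exe and csrss.exe live in C:\Windows\System32 on a default install, so a file with one of those names sitting directly in C:\Windows, or a service displayed as ‘Windows Object Manager’, is worth flagging. The script below is an added example and not tooling from this page; it runs over a constructed inventory (a list of file paths and a list of service records, both made up here) so it can be exercised offline, and it assumes a default %SystemRoot% of C:\Windows. On a live host the inventory would instead come from a directory listing and the Service Control Manager.

```python
"""Flag host artifacts matching the behaviour described for this worm.

Added example over constructed data; not the page's own code.
"""
from pathlib import PureWindowsPath

# Process names the worm impersonates (taken from the description above).
IMPERSONATED_NAMES = {"lsass.exe", "smss.exe", "winlogon.exe",
                      "services.exe", "csrss.exe"}

# Where the genuine binaries reside. Assumption: default %SystemRoot% of
# C:\Windows (installs using C:\WINNT would add that path here).
LEGITIMATE_DIRS = {PureWindowsPath(r"C:\Windows\System32")}

# Service display name the worm registers (from the description above).
SUSPICIOUS_SERVICE_DISPLAY_NAME = "Windows Object Manager"


def suspicious_files(paths):
    """Return paths whose file name matches a core system process name
    but whose directory is not one of the legitimate locations.
    PureWindowsPath compares case-insensitively, as Windows does."""
    hits = []
    for p in paths:
        wp = PureWindowsPath(p)
        if wp.name.lower() in IMPERSONATED_NAMES and wp.parent not in LEGITIMATE_DIRS:
            hits.append(str(wp))
    return hits


def suspicious_services(services):
    """services: iterable of dicts with 'name', 'display_name' and
    'binary_path'. Flag the worm's display name, and any service whose
    binary is an impersonated system name outside System32."""
    hits = []
    for svc in services:
        if svc["display_name"].strip().lower() == SUSPICIOUS_SERVICE_DISPLAY_NAME.lower():
            hits.append(svc["name"])
            continue
        if suspicious_files([svc["binary_path"]]):
            hits.append(svc["name"])
    return hits


# Constructed sample inventory (not data from a real host).
SAMPLE_FILES = [
    r"C:\Windows\System32\lsass.exe",   # genuine
    r"C:\Windows\System32\smss.exe",    # genuine
    r"C:\Windows\lsass.exe",            # copy in the wrong directory
    r"C:\Windows\csrss.exe",            # copy in the wrong directory
    r"C:\Windows\notepad.exe",          # unrelated, should not be flagged
]
SAMPLE_SERVICES = [
    {"name": "Eventlog", "display_name": "Event Log",
     "binary_path": r"C:\Windows\System32\services.exe"},
    {"name": "WinObjMgr", "display_name": "Windows Object Manager",
     "binary_path": r"C:\Windows\services.exe"},
]


def scan(files=SAMPLE_FILES, services=SAMPLE_SERVICES):
    """Run both checks and return the findings as a dict."""
    return {"files": suspicious_files(files),
            "services": suspicious_services(services)}


if __name__ == "__main__":
    for kind, findings in scan().items():
        for item in findings:
            print(f"suspicious {kind}: {item}")
```

A match on either check is an indicator, not a verdict: a legitimate service can share a display name by coincidence, so confirm by checking the flagged binary's hash and signature before acting on it.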

The [email protected] worm also modifies the registry by adding values to existing subkeys. It harvests email addresses by sending queries to the most widely used search engines and mails itself to those addresses under a catchy or official-sounding subject line. The emails carry an attachment whose file name is borrowed from the target machine’s UserProfile folder. The worm then scans for vulnerable machines and attempts to exploit the LSASS vulnerability. It also monitors network traffic in an attempt to steal passwords, and deletes the files in the folder C:\Windows\repair.