[email protected]

Aliases: W32/[email protected], W32/Banwarum.G
Variants: W32/Banwarum.dll

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Slow
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 06 Jul 2006
Damage: Low

Characteristics: The worm can spread via peer-to-peer networks such as Morpheus, LimeWire, eDonkey2000, iMesh and KaZaa.

More details about this worm

When the worm successfully enters a computer system, it creates the mutex TurkishCool and the file [RANDOM].dll in the C:\Windows\System folder. It also adds a value to some registry subkeys so that it executes when Windows starts up, and it adds certain values to the registry subkey as markers of its infection. The worm then sends information gathered from the infected machine to the site http:// and obtains email addresses from the Windows Address Book. It subsequently sends the collected email addresses to the site http:// w.p[REMOVED] and downloads potentially malicious files from the site http:// load[REMOVED].

This worm allegedly sends email messages via Microsoft Outlook. These emails have an infected .zip file attached to them. The "From" field of the email is blank, the "Subject" field is Antivirus Project, the message states “Hi! How are you? This is the best soft form Microsoft Windows Planforms. I’ve like it very much…”, and the attachment is named uti_v2_5.zip. The worm then searches the registry for certain folders into which it can copy itself. It also tries to copy itself to the locations [FOLDER 1], [FOLDER 2]\My Shared Folder, C:\Program Files\eDonkey2000\incoming, C:\Program Files\LimeWire\Shared and [FOLDER 3], using a host of filenames related to legitimate software applications. It also displays a message that states ‘Run program?’. If the user clicks ‘Yes’, it displays a second message asking whether the user is sure about a file’s installation, and if the user clicks ‘Yes’ again, the worm deletes the copy that was first executed.
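One way to check stored mail for the message traits described above, as an added example that is not part of the original write-up. The function names and sample messages are constructed for illustration, and requiring the attachment name plus at least one header trait is an assumed triage rule.

```python
import email

# Indicators taken from the description above.
SUBJECT = "antivirus project"
ATTACHMENT = "uti_v2_5.zip"

def match_indicators(raw: str) -> list[str]:
    """Return the names of the worm's e-mail traits found in one raw message."""
    msg = email.message_from_string(raw)
    hits = []
    if not (msg.get("From") or "").strip():
        hits.append("blank_from")
    if (msg.get("Subject") or "").strip().lower() == SUBJECT:
        hits.append("subject")
    for part in msg.walk():  # visits every MIME part, including nested ones
        name = part.get_filename()
        if name and name.strip().lower() == ATTACHMENT:
            hits.append("attachment_name")
            break
    return hits

def is_suspect(raw: str) -> bool:
    """Assumed rule: attachment name plus at least one header trait."""
    hits = match_indicators(raw)
    return "attachment_name" in hits and len(hits) >= 2

def build_sample(sender: str, subject: str, filename: str) -> str:
    """Constructed test message (not captured traffic)."""
    return (
        f"From: {sender}\n"
        "To: user@example.test\n"
        f"Subject: {subject}\n"
        "MIME-Version: 1.0\n"
        'Content-Type: multipart/mixed; boundary="b1"\n'
        "\n"
        "--b1\n"
        "Content-Type: text/plain\n\n"
        "Hi! How are you?\n"
        "--b1\n"
        "Content-Type: application/zip\n"
        f'Content-Disposition: attachment; filename="{filename}"\n'
        "\n"
        "placeholder\n"
        "--b1--\n"
    )

if __name__ == "__main__":
    for args in [("", "Antivirus Project", "uti_v2_5.zip"),
                 ("alice@example.test", "Quarterly report", "report.zip")]:
        print(args, match_indicators(build_sample(*args)))
```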