[email protected]

Aliases: W32/[email protected], Win32.Bibrog.B, WORM_BIBROG.B, I-Worm.Bibrog.e, Win32/[email protected]
Variants: Email-Worm.Win32.Bibrog.e, W32/[email protected], Win32.HLLM.Generic.156, W32/Bibrog-C, WORM_BIBROG.D 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: North America, South America, Asia, some parts of Europe
Removal: Hard
Platform: W32
Discovered: 02 Mar 2003
Damage: Low

Characteristics: The [email protected] malware is a mass-mailing worm that propagates by using Microsoft Outlook to send its code to all contacts found in Outlook’s Address Book.

More details about [email protected]

The [email protected] worm allegedly spreads via email. Once run, it will open a shooting game. It will copy the files C:\windows\system\academia.exe and C:\Windows\manzana, as well as Itch.exe and Itcj.exe in the C:\Windows\Start Menu\Programs\Startup folder. The worm will also create the file C:\Windows\Mai.vbs, which is only 2 bytes long and is not dangerous to the system. It will then attempt to copy itself, using filenames like Kylie_Minogue_screeensaver.exe and Shakira_screensaver.exe, to the shared directories of any P2P applications installed on the machine, such as KaZaa, Morpheus, Grokster and ICQ. It will also attempt to delete files with the extensions .jpg, .zip, .gif, .mp3, .dbf, .mpg, .dll and .exe. When the system is restarted, the [email protected] worm will run Itch.exe and create certain registry keys.

Next, the worm will send an email message to the addresses it has gathered from Outlook. This email message has the subject ‘La Academia Azteca’ (also the name of the shooting game the worm opens upon execution), the message ‘La cacademia azteca (muy bueno) ¡no es virus!’ and the attachment Academia.exe. The worm will then create the files Quiettime.bmp and Osiris.bmp in the C:\windows folder and change the wallpaper to one of the newly created files by modifying the file Win.ini, adding the values Wallpaper=%Windir% quiettime.bmp and Wallpaper=%Windir% osiris.bmp to the [Desktop] section. The next time the user starts Windows, the wallpaper will be set to the Spawn logo or the Spawn picture. It will also create the files Banamex.htm, Acafug.htm, Citibank.htm, yahoo.htm and Msn.htm. These files masquerade as the login pages of widely visited websites and are meant to capture login details and send them to the worm’s author.