Win32.Bibrog.B, WORM_BIBROG.B, I-Worm.Bibrog.e, Win32/[email protected]
Email-Worm.Win32.Bibrog.e, W32/[email protected]
Win32.HLLM.Generic.156, W32/Bibrog-C, WORM_BIBROG.D
Category: Computer Worm
North America, South America, Asia, some parts of Europe
02 Mar 2003
The [email protected] malware is a mass-mailing worm that propagates by using Microsoft Outlook to send its code to all contacts found in Outlook’s Address Book.
If you have malware on your computer, it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
The [email protected] worm allegedly spreads via email. Once run, it opens a shooting game. It copies the files C:\windows\system\academia.exe and C:\Windows\manzana, as well as Itch.exe and Itcj.exe in the C:\Windows\Start Menu\Programs\Startup folder. The worm also creates the file C:\Windows\Mai.vbs, which is only 2 bytes long and is not dangerous to the system. It then attempts to copy itself, using filenames like Kylie_Minogue_screeensaver.exe and Shakira_screensaver.exe, to the shared directories of any P2P applications installed on the machine, such as KaZaa, Morpheus, Grokster and ICQ. It also attempts to delete files with the extensions .jpg, .zip, .gif, .mp3, .dbf, .mpg, .dll and .exe. When the system is restarted, the [email protected] worm runs Itch.exe and creates certain registry keys.
Next, the worm sends an email message to the addresses it has gathered from Outlook. This email has the subject ‘La Academia Azteca’ (also the name of the shooting game the worm opens upon execution), the message ‘La cacademia azteca (muy bueno) ¡no es virus!’ and the attachment Academia.exe. The worm then creates the files Quiettime.bmp and Osiris.bmp in the C:\windows folder and changes the wallpaper to one of the newly created files by modifying the file Win.ini, adding the values Wallpaper=%Windir% quiettime.bmp and Wallpaper=%Windir% osiris.bmp to the [Desktop] section. The next time the user starts Windows, the wallpaper will be set to the Spawn logo or the Spawn picture. The worm also creates the files Banamex.htm, Acafug.htm, Citibank.htm, yahoo.htm and Msn.htm. These files are disguised as login pages of widely visited websites and are designed to capture login details and send them to the worm’s author.
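A triage check for the artifacts described above, as an added example that is not part of the original write-up: it looks for the named files under the root of a mounted disk image and for the two Wallpaper values in the [Desktop] section of Win.ini. The function names are hypothetical, and the Startup folder is assumed to be the one under C:\Windows.

```python
from pathlib import Path

# Artifacts named in the description, relative to the root of a mounted image.
# Assumption: the Startup folder is the one under C:\Windows.
FILES = [
    "windows/system/academia.exe",
    "windows/manzana",
    "windows/mai.vbs",
    "windows/quiettime.bmp",
    "windows/osiris.bmp",
    "windows/start menu/programs/startup/itch.exe",
    "windows/start menu/programs/startup/itcj.exe",
]
WALLPAPERS = ("quiettime.bmp", "osiris.bmp")

def find_ci(root, rel):
    """Resolve rel under root ignoring case (Windows image on a case-sensitive host)."""
    cur = Path(root)
    for part in rel.split("/"):
        if not cur.is_dir():
            return None
        cur = next((c for c in cur.iterdir() if c.name.lower() == part.lower()), None)
        if cur is None:
            return None
    return cur

def wallpaper_hits(win_ini):
    """Return every Wallpaper= value in [Desktop] that names one of the worm's bitmaps."""
    hits, section = [], ""
    for raw in win_ini.read_text(encoding="cp1252", errors="replace").splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
        elif section == "desktop" and "=" in line:
            key, value = (s.strip() for s in line.split("=", 1))
            # Duplicate keys are kept: the description has both values being added.
            if key.lower() == "wallpaper" and value.lower().endswith(WALLPAPERS):
                hits.append(value)
    return hits

def triage(root):
    """Collect the file artifacts present and any matching Win.ini wallpaper entries."""
    found = [str(p.relative_to(root)) for rel in FILES if (p := find_ci(root, rel))]
    ini = find_ci(root, "windows/win.ini")
    return {"files": found, "wallpaper": wallpaper_hits(ini) if ini else []}
```

Call `triage()` with the mount point of the image; a non-empty result on either key is a lead for further analysis, not a verdict, since names such as these can exist for unrelated reasons.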