[email protected]

Aliases: Win32/Blackmal.B.Worm, Win32.Blackmal.B, W32/[email protected]
Variants: W32/Nyxem-B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, Australia
Removal: Hard
Platform: W32
Discovered: 01 Apr 2004
Damage: Medium

Characteristics: Like most mass-mailing Worms, this malware usually arrives at a vulnerable computer system as an attachment to a malicious email message. The [email protected] program uses the email addresses stored on the compromised machine to deliver its payload and spread its code.

More details about [email protected]

This malware is commonly circulated in email messages that attempt to spoof alerts from legitimate antivirus vendors. The [email protected] Worm goes as far as including the logo image of the antivirus product or company it is imitating. The body of the message typically warns the user of risks to Microsoft Word documents or of infections from attached image files, among other pretexts. The filename used by this malware may be random, but it normally carries an EXE, SCR, COM, or ZIP extension. Another variant of the Worm's email message is adult in nature, with attachments purporting to be image files. Once the [email protected] program has infected a targeted computer system, it normally scans the machine for the presence of antivirus or similar protection programs. The Worm then enters the application's folder under the Program Files directory and attempts to delete the contents of that folder, especially EXE files.

According to several reports, the Windows Registry is also stripped of any entries relating to security programs or processes. The [email protected] program also targets the security mechanisms built into the host Operating System of the infected machine. After a successful execution, the [email protected] program attempts to open Windows Media Player to play a bogus file. It then displays a message box advising the user to try playing the file from within Internet Explorer. This action may allow the Worm to introduce further malicious code into the already infected computer system.