[email protected]

Aliases: I-Worm.Cissi (AVP) / [email protected] (Symantec) / W32/Cissi.worm.gen / WORM_CISSI.A (Trend)
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: active
Spreading: Low
Geographical info: Low
Removal: Easy
Platform: W32
Discovered: 22 Dec 2003
Damage: medium

Characteristics: [email protected] is a mass-mailing worm that circulates through email.

More details about [email protected]

The [email protected] program allegedly contains backdoor functionality: it connects to an IRC server and waits for commands. It spreads over the network using the NetBIOS protocol and steals IP addresses. It can spread to systems that have no passwords or only simple passwords, and it may carry a predefined list of user names and passwords that it tries in order to gain access. The worm targets and multiplies through network shares and email. It continuously locates system files and/or folders and copies itself to those locations. It can also enumerate the mapped drives on the system and create a copy of itself on any mapped drive where it has sufficient access rights. It also automatically creates user accounts, such as guest, administrator, owner and root, without your knowledge.

This worm has bugs, which may cause computer crashes and system slowdowns. If these symptoms occur, then your computer is infected. Other symptoms include an unusual number of outbound connections on port 139. The worm is easily removed by deleting any file that is detected as containing it. You also need a current engine and DAT files for detection.
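The port 139 symptom described above can be checked against connection logs. The following is an added example, not part of the original entry: it flags hosts that contact many distinct destinations on port 139 within a short window. The log format, the function names, the 60-second window and the threshold of 5 are all assumptions chosen for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed log format (an assumption, not tied to any specific firewall):
#   <ISO timestamp> SRC=<ip> DST=<ip> DPT=<port>
LINE_RE = re.compile(r"^(\S+) SRC=(\S+) DST=(\S+) DPT=(\d+)$")

def netbios_fanout(lines, window=timedelta(seconds=60), threshold=5):
    """Return {src: peak count of distinct destinations on port 139 seen
    within `window`} for sources whose peak reaches `threshold`.
    Lines are expected in time order."""
    recent = defaultdict(deque)   # src -> (time, dst) events inside the window
    peak = defaultdict(int)
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(4) != "139":
            continue              # skip malformed lines and other ports
        ts = datetime.fromisoformat(m.group(1))
        src, dst = m.group(2), m.group(3)
        q = recent[src]
        q.append((ts, dst))
        while ts - q[0][0] > window:   # drop events older than the window
            q.popleft()
        peak[src] = max(peak[src], len({d for _, d in q}))
    return {s: n for s, n in peak.items() if n >= threshold}

def sample_log():
    """Constructed sample: 10.0.0.5 sweeps six hosts in six seconds, while
    10.0.0.9 repeatedly talks to a single file server."""
    rows = [f"2003-12-22T10:00:0{i} SRC=10.0.0.5 DST=10.0.1.{i + 1} DPT=139"
            for i in range(6)]
    rows += [f"2003-12-22T10:00:1{i} SRC=10.0.0.9 DST=10.0.0.2 DPT=139"
             for i in range(4)]
    rows += ["2003-12-22T10:00:20 SRC=10.0.0.9 DST=10.0.0.3 DPT=80",
             "garbage line"]
    return rows

if __name__ == "__main__":
    for src, n in netbios_fanout(sample_log()).items():
        print(f"{src}: {n} distinct port 139 destinations within 60s")
```

A workstation that repeatedly reaches one file server on port 139 stays below the threshold; only the host sweeping many addresses is reported.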