[email protected]

Aliases: W32.Protex.Worm, WORM_DUKSTEN.B, W32/Prestige-A, I-Worm.Duksten.b, W32/[email protected]
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 23 Oct 2002
Damage: Low

Characteristics: [email protected] spreads by mass mailing itself to addresses found on the victim machine. It can cause the computer to crash and reboot repeatedly. It runs on 32-bit Windows platforms (W32). The worm also has backdoor functionality: it can download files from remote locations and lower the security settings of the compromised computer.

More details about [email protected]

The worm is a Windows PE executable; the file is encrypted and about 10 KB in size. Once run, it copies itself to the System directory under several different filenames. It can also download and execute files from remote locations, which it uses to update itself. A mass mailing email worm is self-contained malicious code that propagates by sending itself via email. Typically it uses its own SMTP engine, so copies of the sent messages do not appear in the infected user's Outbox or Sent Items folder. During infection it sends a zipped copy of itself to all contacts in the Windows Address Book. The email message has the sender "From: [email protected]", the subject "Subject: ProTeccion TOTAL contra W32/Bugbear (30dias)" (Spanish for "TOTAL protection against W32/Bugbear (30 days)"), and an attachment named "PROTECT.ZIP".

In addition, the worm displays a message box reading "Su Pc <-_NO_-> fue infectado por el W32/Bugbear, Protector sera operative durane 30dias pasado ese tiempo debera REeGistrar su copia siguiendo las intrucciones att::staff." (misspelled Spanish for "Your PC <-_NO_-> was infected by W32/Bugbear. Protector will be operative for 30 days; after that time you must register your copy by following the instructions. att::staff"), with a "Yes" button for the user to click. Like other worms, it modifies the system registry so that it runs every time Windows starts. Before mass mailing, it looks up the default mail account to find the SMTP server; if it finds one, it sends a copy of itself to every contact in the Windows Address Book. If the current system year is 2003, the worm tries to restart Windows. Using Regedit to remove the startup entries may not work either, because the worm also copies itself to the Windows directory under the name regedit.exe, after renaming the original REGEDIT.EXE to m_regedit.exe.
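As an added example, not code from the original page or from any antivirus vendor, the following Python script matches incoming mail against the two lure indicators quoted above (the subject line and the PROTECT.ZIP attachment name) and checks a Windows directory listing for the regedit.exe / m_regedit.exe swap. The sender address is deliberately not used as an indicator: the worm's own SMTP engine writes it and it is trivially forged. The sample messages and the directory listing are constructed for the demonstration; the placeholder sender address is not the worm's.

```python
"""Indicator matching for the Duksten.B mail lure and its regedit.exe swap.

Added example, not code from the page or from any AV product. Indicators
are the subject and attachment name quoted on the page and the
regedit.exe / m_regedit.exe pair in the Windows directory. All sample
input below is constructed.
"""
import email
from email import policy
from email.message import EmailMessage

SUBJECT_IOC = "ProTeccion TOTAL contra W32/Bugbear (30dias)"
ATTACHMENT_IOC = "PROTECT.ZIP"


def attachment_names(msg):
    """Return the lower-cased filenames of every attachment part."""
    names = []
    for part in msg.walk():
        if part.get_content_disposition() == "attachment":
            fname = part.get_filename()
            if fname:
                names.append(fname.lower())
    return names


def scan_message(raw_bytes):
    """Return the list of lure indicators matched by one RFC 822 message.

    Matching uses the subject and attachment filenames only; the From
    header is set by the worm's SMTP engine and is not trustworthy.
    """
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = []
    subject = (msg["subject"] or "").strip()
    if subject.lower() == SUBJECT_IOC.lower():
        hits.append("subject")
    if ATTACHMENT_IOC.lower() in attachment_names(msg):
        hits.append("attachment")
    return hits


def check_windows_dir(listing):
    """True when the worm's regedit.exe swap is visible in a %WINDIR% listing.

    m_regedit.exe is the backup the worm makes of the real Registry Editor
    before dropping its own copy as regedit.exe, so the pair together is
    the host-side indicator.
    """
    names = {n.lower() for n in listing}
    return "m_regedit.exe" in names and "regedit.exe" in names


def _build(subject, attach_name=None):
    """Build a constructed sample message and return it as raw bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.invalid"   # placeholder, not the worm's address
    m["To"] = "victim@example.invalid"
    m["Subject"] = subject
    m.set_content("Body text")
    if attach_name:
        m.add_attachment(b"PK\x03\x04placeholder", maintype="application",
                         subtype="zip", filename=attach_name)
    return m.as_bytes()


# Constructed samples: the lure, a benign mail with a zip, a benign text mail.
SAMPLE_LURE = _build(SUBJECT_IOC, ATTACHMENT_IOC)
SAMPLE_ZIP_ONLY = _build("Quarterly report", "report.zip")
SAMPLE_CLEAN = _build("Lunch?")

if __name__ == "__main__":
    for name, raw in [("lure", SAMPLE_LURE), ("zip", SAMPLE_ZIP_ONLY),
                      ("clean", SAMPLE_CLEAN)]:
        print(name, scan_message(raw))
    # Constructed directory listing showing the swap.
    print("regedit swapped:",
          check_windows_dir(["regedit.exe", "m_regedit.exe", "notepad.exe"]))
```

A benign zip attachment with a different name is not flagged, so the check is narrow by design; a broader gateway rule would combine the attachment match with the worm's roughly 10 KB executable inside the archive, which this example does not inspect.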