Aliases: I-Worm.Beglur.b, W32/[email protected], WORM_GLUBER.B, Win32/HLLW.Burl.B, Email-Worm.Win32.Beglur.b
Variants: Win32.Bugler.B, W32/[email protected], I-Worm.Beglur.b, Win32.HLLM.Bugler.2, W32/Bugler-B
Classification: Malware
Category: Computer Worm
Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 21 Dec 2003
Damage: Medium
Characteristics: This threat carries a built-in remote access component that gives its author the means to attack infected systems remotely. The [email protected] belongs to a family of mass-mailing worms known for harvesting email addresses from the infected machine. Besides spiked email messages, this worm can also use weakly protected network shares to spread its code to other computers or network environments.
If you have malware on your computer, it will cause annoyances and damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
RECOMMENDED:
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
Believed to belong to the [email protected] malware family, the [email protected] worm was designed with its own Simple Mail Transfer Protocol (SMTP) engine. This gives it the capability of sending email messages to the harvested addresses without requiring any user intervention. Aside from the Windows Address Book, the [email protected] may also target other files that are potential sources of email addresses. Commonly observed file types scanned by this threat include text files, hypertext, ASP, mailbox folders, and Java files, among others. The subject, body, and file attachments used by the [email protected] come from a predefined list that is believed to be hard-coded into the malware. The file extensions of the attachments vary and include batch, executable, screensaver, and command file types, among others.
The remote access functionality of the [email protected] malware is normally exercised through an unsecured backdoor opened on the compromised machine. This particular threat has been observed to use port 5373 to listen for additional commands from its author. The backdoor initiated by the [email protected] remains widely undetected primarily because the worm indiscriminately terminates system monitoring utilities as well as antivirus protection. The presence of the [email protected] on a compromised machine is normally marked by files with unusual filenames. The file extensions used by these file traces may also be random.
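The listening port described above is the one host-level artifact in this entry that can be checked mechanically. The following is an added example, not code from the original page or from any vendor: it parses `netstat -ano` style output (the Windows column layout is an assumption, and the sample output with its PIDs is constructed) and reports every socket listening on port 5373. A legitimate program could use the same port, so a hit is a triage lead, not proof of infection.

```python
import re
from typing import Optional

# Port the entry says the worm's backdoor listens on.
BACKDOOR_PORT = 5373

# One "netstat -ano" line (Windows layout, assumed):
#   proto  local-address  foreign-address  [state]  pid
# UDP lines carry no state column, so that group is optional.
_NETSTAT_RE = re.compile(
    r"^\s*(?P<proto>TCP|UDP)\s+(?P<local>\S+)\s+(?P<remote>\S+)"
    r"(?:\s+(?P<state>[A-Z_]+))?\s+(?P<pid>\d+)\s*$"
)


def local_port(addr: str) -> Optional[int]:
    """Port of an address such as 0.0.0.0:5373 or [::]:5373; None for '*:*'."""
    _host, sep, port = addr.rpartition(":")
    if not sep or not port.isdigit():
        return None
    return int(port)


def find_backdoor_listeners(netstat_output: str, port: int = BACKDOOR_PORT) -> list:
    """Return {proto, local, pid} for each socket listening on `port`."""
    hits = []
    for line in netstat_output.splitlines():
        m = _NETSTAT_RE.match(line)
        if not m:
            continue  # headers and blank lines
        # Only listening TCP sockets matter; an ESTABLISHED line with the
        # same PID is a client connection, not the backdoor.
        if m.group("proto") == "TCP" and m.group("state") != "LISTENING":
            continue
        if local_port(m.group("local")) == port:
            hits.append({"proto": m.group("proto"), "local": m.group("local"),
                         "pid": int(m.group("pid"))})
    return hits


# Constructed sample; every address and PID here is invented for the demo.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       892
  TCP    0.0.0.0:5373           0.0.0.0:0              LISTENING       1740
  TCP    192.168.1.10:53730     10.0.0.5:25            ESTABLISHED     1740
  UDP    0.0.0.0:500            *:*                                    1100
  TCP    [::]:5373              [::]:0                 LISTENING       1740
"""

if __name__ == "__main__":
    for hit in find_backdoor_listeners(SAMPLE_NETSTAT):
        print(f"{hit['proto']} listener on {hit['local']} owned by PID {hit['pid']}")
```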