[email protected]

Aliases: I-Worm.Beglur.b, W32/[email protected], WORM_GLUBER.B, Win32/HLLW.Burl.B, Email-Worm.Win32.Beglur.b
Variants: Win32.Bugler.B, W32/[email protected], I-Worm.Beglur.b, Win32.HLLM.Bugler.2, W32/Bugler-B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 21 Dec 2003
Damage: Medium

Characteristics: This threat possesses a built-in remote access component which allows it to provide its malicious author with the means of remotely attacking infected computer systems. The [email protected] belongs to a family of mass mailing Worms which are known for harvesting email addresses from the infected machine. This Worm can also use weakly protected network shares, in addition to malicious email messages, to spread its code to other computer systems or network environments.

More details about [email protected]

Believed to belong to the [email protected] malware family, the [email protected] Worm was designed with its own Simple Mail Transfer Protocol (SMTP) engine. This gives it the capability of sending email messages to the harvested addresses without requiring user intervention or the victim's mail client. Aside from the Windows Address Book, the [email protected] may also target other files which are potential sources of email addresses. Among the commonly observed file types scanned by this threat are text files, hypertext, ASP, mailbox folders, and Java files, among others. The subject, body, and file attachments used by the [email protected] come from a predefined list which is believed to be hard coded into the malware. The file extensions of the attachments vary among batch, executable, screensaver, and command file types, among others.

The remote access functionality of the [email protected] malware is normally executed via an unsecured backdoor opened on the compromised machine. It has been observed that this particular threat makes use of port 5373 to listen for additional commands from its malicious author. The backdoor initiated by the [email protected] remains widely undetected primarily due to its routine of indiscriminately terminating system monitoring utilities as well as antivirus software. The presence of the [email protected] on a compromised machine is normally marked by files using strange filenames. The file extensions used by these file traces may also be random.
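A defender can turn the two behaviours described above, the listener on port 5373 and the worm's own SMTP engine, into a host-side check. The script below is an added example and not part of this entry or of any vendor tool: it parses `netstat -ano` style output and flags a process that both listens on 5373 and holds an outbound connection to port 25. It assumes the backdoor listens on TCP (the entry names only the port number) and the netstat sample is constructed, including the PID values.

```python
# Added example (not from the entry): correlate a TCP listener on port 5373
# with an outbound SMTP connection from the same process in netstat output.

BACKDOOR_PORT = 5373  # port named in the entry; TCP is an assumption
SMTP_PORT = 25

# Constructed sample of `netstat -ano` output; PIDs and addresses are made up.
SAMPLE_NETSTAT = """\
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912
  TCP    0.0.0.0:5373           0.0.0.0:0              LISTENING       1748
  TCP    192.168.1.20:5373      203.0.113.7:49211      ESTABLISHED     1748
  TCP    192.168.1.20:49700     192.168.1.1:25         ESTABLISHED     1748
  TCP    192.168.1.20:49701     198.51.100.9:443       ESTABLISHED     2210
  UDP    0.0.0.0:500            *:*                                    604
"""


def _port_of(addr):
    """Return the numeric port from 'host:port' (also handles '[::]:port')."""
    _, _, port = addr.rpartition(":")
    return int(port) if port.isdigit() else None


def parse_netstat(text):
    """Parse netstat -ano style lines into dicts; header and blank lines are skipped.
    TCP rows carry a State column, UDP rows do not, so the PID column shifts."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if not parts or parts[0] not in ("TCP", "UDP"):
            continue
        proto, local, foreign = parts[0], parts[1], parts[2]
        if proto == "TCP":
            state, pid = parts[3], parts[4]
        else:
            state, pid = "", parts[3]
        rows.append({
            "proto": proto,
            "local_port": _port_of(local),
            "foreign_port": _port_of(foreign),
            "state": state,
            "pid": int(pid),
        })
    return rows


def find_backdoor_listeners(text, port=BACKDOOR_PORT):
    """Rows where a process is in LISTENING state on the backdoor port."""
    return [r for r in parse_netstat(text)
            if r["proto"] == "TCP" and r["local_port"] == port
            and r["state"] == "LISTENING"]


def correlate_smtp_and_backdoor(text, port=BACKDOOR_PORT):
    """PIDs that both listen on the backdoor port and have an established
    outbound connection to port 25: a process doing its own mail delivery
    while exposing a command channel, the combination the entry describes."""
    rows = parse_netstat(text)
    listeners = {r["pid"] for r in rows
                 if r["proto"] == "TCP" and r["local_port"] == port
                 and r["state"] == "LISTENING"}
    smtp_out = {r["pid"] for r in rows
                if r["proto"] == "TCP" and r["state"] == "ESTABLISHED"
                and r["foreign_port"] == SMTP_PORT}
    return sorted(listeners & smtp_out)


if __name__ == "__main__":
    for row in find_backdoor_listeners(SAMPLE_NETSTAT):
        print("listener on %d: PID %d" % (row["local_port"], row["pid"]))
    print("PIDs with backdoor listener and outbound SMTP:",
          correlate_smtp_and_backdoor(SAMPLE_NETSTAT))
```

On a real host, feed the script the output of `netstat -ano` and follow up any flagged PID with the process image path and file name, since the entry notes the worm's files use odd names and random extensions. A listener on 5373 alone is only a hint; the SMTP correlation is what distinguishes a mass-mailer from an unrelated service on that port.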