W32/Hardoc-A, W32/[email protected]
Category: Computer Worm
North and South America, Africa, Asia, Europe, Australia
10 Jul 2004
As a mass-mailing worm, W32/Hardoc-A is widely believed to spread through malicious email messages. This is primarily because it uses the entries in the Windows Address Book to find potential targets to which it can send its malicious code. The worm exploits Multipurpose Internet Mail Extensions (MIME) vulnerabilities to automatically initiate an infection on any vulnerable computer system.
A computer system infected with the W32/Hardoc-A worm initially displays a bogus message box informing the user that there is not enough available memory in the machine. The malware attempts to make the message box look as authentic as possible by using "Error" as the title and placing an OK button that the user can click to close it. At this point the worm is already creating a copy of itself as an executable file. It creates a new value in the Windows Registry that it associates with its executable file. This new entry gives the worm the ability to launch each time the infected machine is powered up or rebooted.
After the worm has successfully installed its executable file and created its Windows Registry value, it proceeds to harvest the contents of the Windows Address Book to begin its propagation routine. Since the worm has a built-in Simple Mail Transfer Protocol (SMTP) engine, it is capable of sending email messages discreetly to the target computer systems. The email messages usually contain the text "!!! Power Point !!!" in the body of the message. The worm attaches a file that is disguised as a screensaver but actually contains the malware's code.
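The two email traits described above (the "!!! Power Point !!!" body text and the screensaver attachment) can be checked at a mail gateway. The following is an added example, not code from this page or from any vendor; it assumes the disguised attachment carries a .scr extension, and the function names and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

BODY_MARKER = "!!! Power Point !!!"   # body text quoted on this page
SCREENSAVER_EXTS = (".scr",)          # assumption: "screensaver" means a .scr file

def inspect_message(raw_bytes):
    """Return the indicators found in one raw RFC 5322 message."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    hits = {"body_marker": False, "screensaver_attachments": []}
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            # Match on the final extension so "slides.ppt.scr" is caught too.
            if filename.strip().lower().endswith(SCREENSAVER_EXTS):
                hits["screensaver_attachments"].append(filename)
        elif part.get_content_maintype() == "text":
            # get_content() undoes base64 / quoted-printable transfer encoding.
            text = " ".join(part.get_content().split())
            if BODY_MARKER.lower() in text.lower():
                hits["body_marker"] = True
    return hits

def verdict(hits):
    """Both traits together: quarantine. Either one alone: manual review."""
    if hits["body_marker"] and hits["screensaver_attachments"]:
        return "quarantine"
    if hits["body_marker"] or hits["screensaver_attachments"]:
        return "review"
    return "pass"

def build_sample(body, attachment=None, cte=None):
    """Constructed sample message; the attachment payload is inert filler."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "recipient@example.com"
    m["Subject"] = "constructed sample"
    m.set_content(body, cte=cte)
    if attachment:
        m.add_attachment(b"inert", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    for raw in (build_sample("!!! Power Point !!!", "show.scr"),
                build_sample("Minutes attached.", "minutes.pdf")):
        print(verdict(inspect_message(raw)))
```

Matching on the decoded body rather than the raw bytes matters because the marker text will not appear literally in a base64-encoded message.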