[email protected]


Aliases: W32/Hardoc-A, W32/[email protected], Win32.Hardoc.A
Variants: hardoc, WORM_HARDOC.A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: North and South America, Africa, Asia, Europe, Australia
Removal: Easy
Platform: W32
Discovered: 10 Jul 2004
Damage: Low

Characteristics: [email protected] is a mass-mailing worm, and infections are widely believed to arrive in malicious email messages. This is primarily because the worm harvests the entries in the Windows Address Book to find the addresses to which it sends copies of its own code. The worm exploits Multipurpose Internet Mail Extension (MIME) vulnerabilities to start the infection automatically on any vulnerable computer system that receives the message.

More details about [email protected]

A computer system infected with the [email protected] worm first displays a bogus message box telling the user that the machine does not have enough available memory. To make the box look as authentic as possible, the worm gives it the title "Error" and an OK button that the user can click to dismiss it. While the user is looking at this message, the worm is already writing a copy of itself to disk as an executable file. It then creates a new value in the Windows Registry that points to this executable; the entry causes the worm to be launched every time the infected machine is powered up or rebooted.

Once the worm has installed its executable file and created its Windows Registry entry, it harvests the contents of the Windows Address Book to begin its propagation routine. Because the Hardoc worm carries its own Simple Mail Transfer Protocol (SMTP) engine, it can send email to the harvested addresses directly and discreetly, without using the victim's mail client. The messages usually contain the text "!!! Power Point !!!" in the body. Each message carries an attachment that is disguised as a screensaver but actually contains the worm's code.