[email protected]


Aliases: W32/Higuy-A, W32/[email protected], WORM_HIGUY.A, win32.frantes.a, worm_porkis.a
Variants: troj/dloader-ym, [email protected], w32/porkis-a, [email protected], [email protected]

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: North America, South America, Europe, Asia, Africa, Australia
Removal: Easy
Platform: W32
Discovered: 14 Jun 2002
Damage: Low

Characteristics: Like typical mass-mailing worms, the [email protected] is capable of harvesting information stored in the Windows Address Book. It makes use of the Simple Mail Transfer Protocol to send its code to all the email addresses it has collected from the compromised machine. Consistent with the characteristics of these types of threats, it also includes an executable file attachment which the recipient must execute to begin the Worm's infection routine.

More details about [email protected]

After successfully entering a vulnerable computer system, the [email protected] will attempt to drop a copy of itself using an EXE file extension. The infected machine will also display a message box using the word Error as its title. This message box informs the unsuspecting computer user that there is a problem with a specific Dynamic Link Library file on the computer system. The message is of course bogus and is generated mainly by the [email protected] to hide its background operation of modifying Windows Registry keys and harvesting email addresses from the Windows Address Book. The [email protected] will use its built-in Simple Mail Transfer Protocol engine to send out the malicious email messages to all contacts it has retrieved.

The subject line of the email message sent by the [email protected] normally contains the word Incredible, Incredibile, Qualsiasi, or Urgente. The message body is designed to convince the recipient to launch the accompanying executable file attachment, which infects the computer system. The [email protected] may take over the user's account to give the sent email message an air of authenticity. The [email protected] has been closely linked to the use of TCP port 5001 during the execution of an unsecured backdoor on the compromised machine. The backdoor feature is an alternative to the fake message display.
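A defender-side triage helper, added here as an example and not part of the original entry: it scans constructed mail-gateway log lines for the subject keywords and .exe attachments described above, and checks constructed netstat-style output for a listener on TCP port 5001. The log format, sample lines and function names are assumptions.

```python
import re

# Subject words and backdoor port reported in the entry above.
SUBJECT_WORDS = ("incredible", "incredibile", "qualsiasi", "urgente")
BACKDOOR_PORT = 5001

# Constructed mail-gateway log lines (not real traffic), key=value format.
SAMPLE_LOG = [
    'msg=1 from=alice@example.test subject="Meeting notes" attach=notes.pdf',
    'msg=2 from=bob@example.test subject="Incredibile!!!" attach=foto.exe',
    'msg=3 from=carol@example.test subject="Urgente: leggi" attach=none',
    'msg=4 from=dave@example.test subject="Re: budget" attach=setup.exe',
]
# Constructed 'netstat -an' style output from a Windows host.
SAMPLE_NETSTAT = [
    "TCP    0.0.0.0:135      0.0.0.0:0    LISTENING",
    "TCP    0.0.0.0:5001     0.0.0.0:0    LISTENING",
    "TCP    10.0.0.5:5001    10.0.0.9:80  ESTABLISHED",
]

LOG_RE = re.compile(r'msg=(\d+) from=(\S+) subject="([^"]*)" attach=(\S+)')


def subject_matches(subject):
    """True when the subject contains one of the reported keywords as a whole word."""
    words = re.findall(r"[a-z]+", subject.lower())
    return any(w in SUBJECT_WORDS for w in words)


def score_line(line):
    """Return (msg id, list of indicator names), or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    msg_id, _sender, subject, attach = m.groups()
    reasons = []
    if subject_matches(subject):
        reasons.append("subject keyword")
    if attach.lower().endswith(".exe"):
        reasons.append("exe attachment")
    return msg_id, reasons


def scan_log(lines):
    """Map message id -> indicators for every line that shows at least one indicator."""
    hits = {}
    for line in lines:
        parsed = score_line(line)
        if parsed and parsed[1]:
            hits[parsed[0]] = parsed[1]
    return hits


def backdoor_listeners(netstat_lines):
    """Local sockets in LISTENING state on the reported backdoor port."""
    return [p[1] for p in (l.split() for l in netstat_lines)
            if len(p) == 4 and p[0] == "TCP" and p[3] == "LISTENING"
            and p[1].rsplit(":", 1)[1] == str(BACKDOOR_PORT)]
```

Only a message showing both indicators (keyword subject plus .exe attachment) matches the pattern the entry describes; a single indicator is worth a look but is not conclusive on its own.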