[email protected]

Aliases: WORM_HITON.A, W32/[email protected]
Variants: Win32.Hiton.A, W32/[email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 02 Mar 2004
Damage: Low

Characteristics: The [email protected] is another member of the mass-mailing worm family. It scans the infected computer for email addresses and uses the harvested addresses to target remote machines over the Simple Mail Transfer Protocol (SMTP), usually by hijacking the user's email account. The From line of the message is normally spoofed, and the attachment may be a ZIP, EXE, PIF, SCR, or BAT file.

More details about [email protected]

The initial action of the [email protected] is to copy itself into the operating system directory under an executable filename that closely resembles an authentic system process. It also creates an accompanying Dynamic Link Library (DLL) file, which may be used to hook certain application functions. The [email protected] modifies several Windows Registry values in order to establish itself on the host machine and to alter the behaviour of the Web browser. The worm creates two additional DLL files: one is used by the [email protected] to store the email addresses it has harvested from the infected machine, while the other is a simple text file.

The [email protected] may overwrite entries in the Windows hosts file that refer to websites associated with antivirus development or system protection. The malware creates a new folder with the System and Hidden attributes and places copies of itself in it under filenames that mimic legitimate antivirus applications. It then inspects the Windows Registry to find the exact location of peer-to-peer file-sharing applications. The [email protected] uses its own SMTP engine to deliver a malicious email message to the collected email addresses.
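The hosts-file tampering described above leaves a durable, easily audited trace. As an added example (not part of this entry or any vendor's tooling), the script below parses a hosts file and flags entries that override security-vendor hostnames or pin non-local names to the loopback or null address; the sample hosts content and the SECURITY_DOMAINS watchlist are constructed placeholders.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample of a Windows hosts file after tampering of the kind the
# entry describes: vendor sites pointed at loopback, a null route, and a redirect.
SAMPLE_HOSTS = """\
# hosts file (constructed sample)
127.0.0.1       localhost
::1             localhost
127.0.0.1       www.av-vendor.example        # constructed: blocks vendor site
0.0.0.0         update.security-suite.example
10.0.0.5        liveupdate.av-vendor.example  # constructed: redirect elsewhere
127.0.0.1       intranet.corp.example         # constructed: legitimate pin?
"""

# Assumed watchlist of security-vendor domains; a real audit would populate
# this from the vendors actually deployed in the environment.
SECURITY_DOMAINS = ("av-vendor.example", "security-suite.example")

# Names that legitimately map to loopback and must not be flagged.
LOCAL_NAMES = {"localhost", "localhost.localdomain", "broadcasthost"}

@dataclass(frozen=True)
class Finding:
    line_no: int
    ip: str
    hostname: str
    reason: str

def parse_hosts(text):
    """Yield (line_no, ip, [hostnames]) for each active, non-comment entry."""
    for no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        yield no, parts[0], parts[1:]

def audit_hosts(text, watchlist=SECURITY_DOMAINS):
    """Return findings for entries that override or null-route watched names."""
    findings = []
    for no, ip, names in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue   # malformed address; outside the scope of this check
        for name in names:
            lname = name.lower()
            if lname in LOCAL_NAMES:
                continue
            watched = any(lname == d or lname.endswith("." + d) for d in watchlist)
            if watched:
                findings.append(Finding(no, ip, name, "security vendor host overridden"))
            elif addr.is_loopback or addr.is_unspecified:
                findings.append(Finding(no, ip, name, "non-local name pinned to loopback/null; review"))
    return findings
```

Entries with the "review" reason are not necessarily malicious (administrators do pin internal names), so they belong in a triage queue rather than an alert.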