[email protected]

Aliases: Win32.Holar, W32/Holar-A, I-Worm.Holar, W32/[email protected], WORM_HOLAR.A
Variants: Email-Worm.Win32.Holar.a, W32/[email protected], W32/Holar.gen, Win32.HLLM.Generic.76, Win32:Trojan-gen

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 31 Jul 2002
Damage: Low

Characteristics: The Holar worm is a mass-mailing worm that uses the contents of the address book to send copies of itself to potential victims. It may rely on its own Simple Mail Transfer Protocol (SMTP) engine or on the default email client of the infected computer system. Aside from email messages, this malware can spread to other computer systems through network shares, Internet Relay Chat, or instant messaging.

More details about the Holar worm

On initial execution, the Holar worm places a copy of itself in the operating system directory. The dropped file normally has a randomly generated filename but carries either an SCR or a PIF file extension. The worm generates additional files that serve as Web server components, as storage for the Multipurpose Internet Mail Extensions (MIME) form of the worm, and as a container for an iFrame instruction that can redirect the Web browser to an EML file stored on the hard drive. The worm may also insert its code into HTML and HTM files by using the same EML file. It modifies the Windows Registry so that the worm and its Web server component load automatically on boot-up or restart.

The Holar worm then scans the address book of the email client, as well as HTM and HTML files, to retrieve email addresses. To mail itself to these addresses, the worm retrieves the SMTP address and proxy address from the Windows Registry of the compromised computer system. The email message it sends has a blank message body, and the filename of the attachment is the same as the text in the subject line. The worm has been observed to exploit a MIME vulnerability that allows infection when the message is previewed or read by the recipient.
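The message traits described above (blank body, attachment named after the subject line) can be checked at a mail gateway or during triage of a mailbox export. The following Python sketch is an added example, not code from the original write-up; it assumes the mailed attachment carries the same SCR or PIF extension as the dropped copy, and the function names and sample messages are constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Assumption: the mailed attachment uses the extensions named for the dropped copy.
SUSPECT_EXTENSIONS = {".scr", ".pif"}


def holar_indicators(raw_message: bytes) -> dict:
    """Score one RFC 5322 message against the traits described in the write-up."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    subject = (msg["Subject"] or "").strip().lower()
    body_text, attachments = "", []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            attachments.append(PureWindowsPath(name))
        elif part.get_content_maintype() == "text":
            body_text += part.get_content()
    result = {
        "blank_body": not body_text.strip(),
        "risky_extension": any(a.suffix.lower() in SUSPECT_EXTENSIONS for a in attachments),
        # Assumption: "same as the subject" may or may not include the extension.
        "name_matches_subject": bool(subject) and any(
            subject in (a.name.lower(), a.stem.lower()) for a in attachments),
    }
    result["match"] = all(result.values())  # all three traits present
    return result


def build_sample(subject: str, body: str, filename: str) -> bytes:
    """Constructed test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    m.add_attachment(b"constructed placeholder", maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


if __name__ == "__main__":
    for args in [("holiday", "\n", "holiday.scr"),
                 ("Q3 report", "See attached.\n", "q3-report.pdf")]:
        print(args[2], holar_indicators(build_sample(*args)))
```

Each trait is reported separately so that a filter can quarantine on the full match while still logging partial hits, such as an SCR or PIF attachment alone.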