[email protected]

Aliases: W32.Huegone, huegone
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, Europe, Australia, North and South America
Removal: Easy
Platform: W32
Discovered: 23 Mar 2007
Damage: Low

Characteristics: According to majority of antivirus developers, this particular Worm variant is designed to deliver Web browser hijacking functionality as its main payload. The Web browser is redirected by the [email protected] to a website possibly controlled by its malicious author. The [email protected] may enter a vulnerable computer system via spiked email message. The message sent by the [email protected] makes use of a randomly chosen subject line with an equally randomly generated filename.

More details about [email protected]

This particular malware variant was designed by its malicious author to target computer systems that operate at a specific language set. The [email protected] would normally on its initial execution verify whether the compromised computer system is using either the Persian of Arabic language. If the malware finds that it is neither, it will immediately terminate all of its routines. However, if the language set of the computer system meets the condition of the [email protected], it will proceed to generate two TMP format files into a temporary folder of the main hard drive. The two temporary files dropped by the [email protected] malware contain the instruction sets required by the malware to attain mass mailing functionality and spread its codes.

After it has installed the necessary file components into the infected computer system, the [email protected] will scan the address book of the default email client as well as contents of the address book of a popular Web mail host. The retrieved email addresses by the [email protected] from the two sources will be used as the next targets for its propagation routine. The [email protected] will send all the gathered email addresses a message that contains a copy of its codes. The subject and message body is chosen from a predefined list while the filename of the attachment is randomly generated.