[email protected]

Aliases: Trojan-Spy.Win32.Banker.lbm, TR/Dldr.Delphi.Gen, Mal/Generic-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Moderate
Geographical info: South and North America, Europe, Asia
Removal: Easy
Platform: W32
Discovered: 27 Jul 2007
Damage: Medium

Characteristics: The [email protected] security risk is a mass-mailing worm. It harvests the contact list of a user's MSN Messenger account and emails each contact a bogus e-card greeting. Once the compromised machine has an Internet connection, the worm also tries to download further files, which may themselves be malicious, and runs them. The worm typically arrives as a download from an untrusted website or is dropped by other malware.

More details about [email protected]

Once run on the compromised machine, the [email protected] worm drops several executable (EXE) files and then tries to download further files from websites hard-coded by the worm's author. It also adds registry entries so that it is launched automatically at system startup. The worm then displays a fake MSN Messenger login window and records any username and password typed into it to a text file. Having captured the credentials, it closes the fake window and launches the real MSN Messenger application. When the user then logs in, the worm records the MSN contact list to the same text file and emails the file to its author.

The [email protected] worm then sends messages to the harvested contacts claiming that the recipient has received an e-card. The subject and body are in Spanish, and the body contains links to dubious websites. A user who follows a link is told to install the latest version of Adobe Flash to view the e-card; the file offered is not Adobe Flash but a copy of the worm. The worm also attempts to connect to remote hosts to download configuration files.

To remove the infection:
1. Terminate the worm's running process in the Windows Task Manager.
2. On Windows XP and ME, turn off System Restore so that the restore points, which may hold a copy of the worm, can be scanned and cleaned.
3. Delete the registry entries added by the malware.
4. Use the Windows Search function to find and delete the other files dropped by the malware.

Because the worm records MSN Messenger credentials and mails them to its author, the affected account's password should be changed from a clean machine once the infection is removed.
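The removal steps above depend on the startup registry entries and dropped files, which this entry does not name. The following PowerShell script is an added example, not part of the original entry, showing how to triage the Run/RunOnce autorun keys that worms of this kind use for persistence: it lists every entry, flags those whose target executable sits in a user-writable folder (the usual landing place for a dropped EXE), and can remove a chosen entry together with its file after terminating the running process. The value name "ExampleWorm" and any path in the usage line are hypothetical placeholders; the folder list is an assumption about where dropped files commonly appear, not a fact from the entry.

```powershell
# Added example (not from the original entry): autorun persistence triage.
# Enumerates HKCU/HKLM Run and RunOnce keys, flags entries whose executable lives in a
# user-writable folder, and optionally removes a named entry plus its file.
# 'ExampleWorm' in the usage line is a hypothetical placeholder, not a real value name.

$runKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)

# Assumption: a legitimate startup entry rarely points into these folders, a dropped EXE often does.
$suspectRoots = @($env:TEMP, $env:APPDATA, $env:USERPROFILE, "$env:SystemRoot\Temp") | Where-Object { $_ }

function Get-AutorunEntries {
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $item = Get-Item $key
        foreach ($name in $item.GetValueNames()) {
            $cmd = [Environment]::ExpandEnvironmentVariables([string]$item.GetValue($name))
            # Isolate the executable path: quoted path first, otherwise the first token.
            $exe = if ($cmd -match '^"([^"]+)"') { $Matches[1] } else { ($cmd -split '\s+')[0] }
            $suspicious = $false
            foreach ($root in $suspectRoots) {
                if ($exe.StartsWith($root, [StringComparison]::OrdinalIgnoreCase)) { $suspicious = $true }
            }
            [pscustomobject]@{
                Key        = $key
                Name       = $name
                Command    = $cmd
                Exe        = $exe
                Exists     = ($exe -ne '' -and (Test-Path -LiteralPath $exe))
                Suspicious = $suspicious
            }
        }
    }
}

function Remove-AutorunEntry {
    param(
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$Name,
        [switch]$KillProcess
    )
    $entry = Get-AutorunEntries | Where-Object { $_.Key -eq $Key -and $_.Name -eq $Name }
    if (-not $entry) { Write-Warning "No value '$Name' under $Key"; return }
    if ($KillProcess -and $entry.Exists) {
        # Stop the running copy first; otherwise it may re-create the key after deletion.
        $procName = [IO.Path]::GetFileNameWithoutExtension($entry.Exe)
        Get-Process -Name $procName -ErrorAction SilentlyContinue | Stop-Process -Force
    }
    Remove-ItemProperty -Path $Key -Name $Name
    if ($entry.Exists) { Remove-Item -LiteralPath $entry.Exe -Force }
}

# Usage: list everything and review the flagged rows before removing anything.
Get-AutorunEntries | Sort-Object Suspicious -Descending | Format-Table -AutoSize
# Remove-AutorunEntry -Key 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run' -Name 'ExampleWorm' -KillProcess
```

Run it from an elevated prompt so the HKLM keys are readable; the Suspicious flag is a hint for manual review, not a verdict, since legitimate per-user software also installs under %APPDATA%. Clearing the autorun entry does not recover the credentials the worm already mailed out, so the password change noted above is still required.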