[email protected]

Aliases: WORM_IXAS.A, W32/[email protected], W32/[email protected], I-Worm/Ixas, Win32:Ixas 
Variants: Email-Worm.Win32.Ixas.a, I-Worm.Ixas.a, HLLM.Ixas.2, W32/Ixas-A, Win32/[email protected] 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: North America, South America, Asia, Europe, some parts of Africa and Australia
Removal: Hard
Platform: W32
Discovered: 17 Feb 2003
Damage: Low

Characteristics: The mass mailing worm [email protected] utilizes its very own SMTP or Simple Mail Transfer Protocol engine for sending itself to every contact in the compromised system’s Windows address book. This worm can also send itself to email addresses it has gathered from incoming mails. This worm and all its variants are written in the Microsoft programming language C++ and packed with either UPX or ASPack.

More details about [email protected]

Upon executing in the infected machine, the worm will check the system for a certain registry entry. If the entry is located, the [email protected] worm will automatically terminate itself. However, when the said entry is not in the system, the worm will create a registry entry with a filename randomly selected from its dropped files. This entry will serve as the malware’s marker for infection. It will likewise drop a copy of itself having the Exe file extension. This security threat will also create a startup registry entry to make certain that it runs upon Windows startup. It spreads by using MAPI or Messaging Application Program Interface by querying a specific registry entry. The registry entry has the path where the DLL file used by the worm is located. The API (application program interface) functions of the DLL are used by the worm for sending copies of itself.

The [email protected] worm can also create files that have the same base filename of its dropped copies but without the file extension; as in from xxx.exe to xxx only. It will also store all the email addresses of the recipients of its infected email. To completely clean the computer of the worm’s infection, end the worm’s running process through the Windows Task Manager. You can try looking for it in the task manager’s list of processes and when located, choose the option end process. You can also search for the other files dropped by the [email protected] worm by using the Search function of Windows. Next, proceed to edit the Registry and delete the entries made by the worm.