[email protected]

Aliases: Jalabed.b, Worm.Jalabed,
Variants: Email-Worm.Win32.Jalabed.A, W32/Jalabed-A, [email protected]

Classification: Malware
Category: Computer Worm

Status: Active and Spreading
Spreading: Moderate
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 07 Jul 2006
Damage: Medium

Characteristics: This security threat is known for gathering email addresses stored in the target machine and sending a copy of its code to the addresses. The [email protected] mass mailing worm is capable of spreading via mIRC. This worm is also known for searching network drives and copying itself to any drive it can locate in the infected machine. This malware has backdoor capabilities and can thwart access to websites that it deems security associated.

More details about [email protected]

Once run in the infected computer system, this malware will create several files with varying file extensions such as .txt, .exe, .vbs, .txt.exe, and .doc.exe. It will then add a value to particular registry subkeys which will allow the worm to run whenever Windows starts up. The [email protected] worm then goes on to create an IRC .ini script file. This file will cause mIRC to keep track of every IRC channel currently being used. In the event that a new user joins one of the channels being monitored by the worm, a copy of the worm’s dropped files will be sent to the user via DCC. If a user replies with a message that has the strings ‘virus, worm, infected, Virii and Antivirus’, the script file will try to terminate mIRC.

The [email protected] worm also attempts to locate the transfer folder of KaZaa and copies itself in the same location. The filename it will use will come from a randomly generated list made by its remote author. It will also search the Windows Address book for contacts and then send its code as an attachment to all obtained email addresses. Next, it will try to find a specific HTML file and then attempt to overwrite it. The [email protected] worm application copies itself on the Windows system folder of the computer. This system file has read-only and hidden file attributes. The program also makes modifications on the system’s registry. It adds a registry key which enables the application to run automatically at every Windows start-up.