[email protected]

Aliases: Bloodhound.W32.VBWORM, I-Worm.generic, W32/[email protected]
Variants: [email protected]

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: Europe, South America, North America, Asia
Removal: Hard
Platform: W32
Discovered: 10 Jul 2003
Damage: Low

Characteristics: The [email protected] worm is a mass-mailing worm. It searches the target computer for Microsoft Outlook. If the application is found, the worm gathers the email addresses stored in the Outlook address book and sends its code to all of them. This worm may also be able to download additional security risks to the infected machine.

More details about [email protected]

When first run on the infected computer, the [email protected] worm displays messages in German and Spanish. It then copies itself as an executable file. The worm also tries to locate the file defrag.exe and deletes it if found. It likewise looks for scr, ini, Yahoo Messenger, Norton and other security-related files and attempts to delete them. It then sends copies of itself as email attachments to all addresses obtained from the Microsoft Outlook address book. The emails are titled either ‘e-card’ or something like ‘technical support’. The worm might also display the message ‘Error 0251d2 Please See Technical Support’.
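As an added illustration (not part of the original entry), the Python sketch below shows how a mail gateway could triage messages with the traits described above: a subject resembling ‘e-card’ or ‘technical support’ combined with an executable attachment, detected by its MZ header even when the file name is disguised. The extension list, verdict names and sample messages are assumptions constructed for this example.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# Subject traits from the description above; matched loosely because the
# entry only says the title is "something like" 'technical support'.
SUBJECT_RE = re.compile(r"\be-?card\b|technical\s+support", re.IGNORECASE)
# Assumption: extensions commonly treated as executable on Windows.
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs")


def executable_attachments(msg):
    """Names of attachments that are executable by MZ header or extension."""
    hits = []
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        payload = part.get_payload(decode=True) or b""
        if payload[:2] == b"MZ" or name.lower().endswith(EXEC_EXTS):
            hits.append(name)
    return hits


def triage(raw):
    """Classify one raw RFC 5322 message as quarantine, review or deliver."""
    msg = message_from_bytes(raw, policy=policy.default)
    subject_hit = bool(SUBJECT_RE.search(msg["Subject"] or ""))
    attachments = executable_attachments(msg)
    if subject_hit and attachments:
        verdict = "quarantine"   # both traits from the entry are present
    elif attachments:
        verdict = "review"       # executable mail, unrelated subject
    else:
        verdict = "deliver"
    return {"verdict": verdict, "subject_hit": subject_hit,
            "attachments": attachments}


def build_sample(subject, filename, data):
    """Build a constructed test message (not real traffic)."""
    m = EmailMessage()
    m["From"], m["To"] = "sender@example.com", "recipient@example.com"
    m["Subject"] = subject
    m.set_content("See attachment.")
    m.add_attachment(data, maintype="application",
                     subtype="octet-stream", filename=filename)
    return m.as_bytes()


# Constructed samples: a disguised executable, a plain installer, a text file.
SAMPLES = {
    "disguised": build_sample("You received an e-card", "card.jpg", b"MZ\x90\x00" + b"\x00" * 60),
    "installer": build_sample("Quarterly report", "setup.exe", b"MZ\x90\x00" + b"\x00" * 60),
    "text": build_sample("Re: Technical Support", "notes.txt", b"meeting notes"),
}
```
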

The [email protected] worm opens an unused system port and creates a backdoor that connects to an IRC server. It then joins an IRC channel specified by the worm's author, where it appears to others as another logged-in user, and waits for commands from users logged in to the channel. It may be instructed to carry out actions on the infected computer: it can monitor the user’s actions and send them out via e-mail or FTP (File Transfer Protocol), and keystrokes and screenshots can be captured. Programs may be opened and minimized unexpectedly. Additional malicious software may be installed and executed on the infected system.