[email protected]

Aliases: Email-Worm.Win32.Joot.a, I-Worm.Joot.a, Win32/[email protected], WORM_JOOT.A, Win32/Joot.A 
Variants: W32/Joot!p2p, Win32.HLLW.Joot, Worm Generic 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 04 Jun 2004
Damage: Medium

Characteristics: The mass mailing worm [email protected] is capable of sending itself to email addresses it can locate in the victim computer. This worm also tries to propagate via open shares and P2P file sharing networks such as Grokster, KaZaa and iMesh. It also attempts to terminate several processes of some firewall and antivirus applications. This security risk is written in the programming language C++ and it is packed using UPX.

More details about [email protected]

When executed in the victim machine, the [email protected] worm will copy itself in the system. This copy of the worm will be run on a new virtual desktop and will then be injected to a process space. Next, the worm will create the “G4Mjoohtaeckz” mutex so that only a single copy of the malware will run at a given time. The worm will also attempt to find the shared folders location of the applications KaZaa, Grokster and iMesh and then copy itself to them with several different filenames. It will then try to terminate processes related to antimalware and security applications. The [email protected] worm is also capable of modifying the registry so that it can execute every time that the Windows operating system boots up.

The security risk also looks for email addresses in files that have the extensions .htm, .html, .bak and .tmp. While the worm looks for email addresses, it will try to delete files that it detects as related to security applications installed in the machine. It then attempts to send its code to all addresses it has located utilizing email account information it has obtained from the registry. It will also try to add its code to the system.ini’s file boot segment and to the Win.ini’s file “run=” line which will allow it to run at startup. It will also alter a host of registry values to aid in its propagation. Remove the [email protected] worm’s traces by disabling System Restore, restarting the system in VGA or Safe mode and then searching and deleting files the worm has dropped. Proceed to reverse the modifications done to the registry and then edit the System.ini and Win.ini files.