[email protected]

Aliases: Trojan-Proxy.Win32.Jubon.a, W32/Jubon.worm, W32/Jubon-A, Win32/HLLW.Jubon.A, WORM_JUBON.A
Variants: Worm/Jubon.1, I-Worm/Jubon.A, TrojanProxy.Win32.Jubon.a 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 05 Jan 2004
Damage: Low

Characteristics: The [email protected] malware is an email worm that can email its code to users of specific domains. The email message’s details will be extracted from a predefined hard coded site. This malware is able to open up a backdoor in the infected system. This backdoor can be used by other security risks to get into the compromised machine. The backdoor may likewise be utilized by the malware’s remote master to for communicating with it and for sending instructions that pertain to commands that will be carried out by the malware.

More details about [email protected]

When the [email protected] worm run, it will copy itself to the computer and then add a value to a particular registry key so that the worm will execute along with Windows. The worm will retrieve an executable file and then run it. This exe file is responsible for the malware’s email distribution. It will then retrieve 2 .INI files which will indicate the email message’s details. This worm is also capable of connecting to several servers on port 25 by using its own Simple Mail Transfer Protocol or SMTP engine and sending infected email messages to randomly selected users of specific domains. It will then configure another value in the registry. The worm will likewise retrieve and run an updated version of itself but with a different filename.

This security threat also comes with a Trojan component. Together with this Trojan, the worm will drop an .INI file that will contain critical details about the file downloaded by the worm. The [email protected] worm application has backdoor functions. The opening created by the program allows remote users to gain unauthorized access on the computer’s resources. An unauthorized remote user may also send instructions to the computer through the ports opened by the application. These remote commands may include deletion of files, modification of system settings and termination of running processes. The remote instructions are sent via Internet Relay Chat (IRC) channels.