[email protected]

Aliases: W32/Keco.worm, WORM_KECO.A, Win32.Keco.A, I-Worm.Keco
Variants: Email-Worm.Win32.Keco.e, I-Worm.Keco.e, W32/Keco.worm.gen 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: North America, South America, Asia, Europe, some parts of Africa and Australia
Removal: Hard
Platform: W32
Discovered: 08 Mar 2004
Damage: Low

Characteristics: The [email protected] malware is a mass mailing worm that may also exhibit some backdoor capabilities. This worm propagates by using its own Simple Mail Transfer Protocol or SMTP engine. It will email its code to all addresses it can locate in the infected computer system. The email’s subject will vary and the infected attachment will in the .ZIP file extension.

More details about [email protected]

Once the worm is run in the compromised computer, it will copy itself to the system as an executable file. It will alter the registry and modify the boot section’s line of the file System.ini to make sure that it will executed when Windows is launched. It will then go on to create a mutex so that only a single instance of the malware is running at any given time and display a pop-up dialog box. This worm will likewise create a .TXT file that will contain offensive messages to other worm authors. Next, it will again make copies of itself with the extensions .exe, .cmd, .scr, .com, .pif and .bat and then create a ZIP file out of the created files. It then creates an email message with varying subjects and a ZIP file as attachment.

This security risk can also sequentially open the 1025 and above TCP ports. It also tries to establish a connection with a predetermined IRC server that uses the 6667 TCP port. The usernames will also vary but will always end with the domain,@foo.bar. To purge this security threat’s infection, open the Windows Task Manager and end the malware program’s process. Locate the malicious file WinShellb.exe and all files associated to the malware in the Processes Tab and then click End Process. All registry entries made the worm will also have to be deleted. Go to the System Configuration Editor by going to Start, then Run, type in SYSEDIT, and then enter. In the editor, choose the window SYSTEM.INI and then find the line Shell="Explorer.exe WinShellb.exe." exe in the same line and then delete it.