[email protected]

Aliases: Email-Worm.Win32.Kebede.c, W32/[email protected], W32/Kedebe-C , Worm/Kebede.C
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 03 May 2005
Damage: Medium

Characteristics: This worm arrives through mail and drops a copy of itself in the Windows system folder when executed. It also modifies the registry to make sure it executes automatically every time Windows starts up. It is written in MSVB and packed with UPX. The worm terminates various processes in an attempt to prevent security measures.

More details about [email protected]

The mass-mailing worm [email protected] contains its own SMTP engine. It mails itself to email addresses extracted from files on an infected computer. The worm contains a backdoor, opens a port and listens for remote instructions from attackers. The worm has the ability to log keystrokes on the infected computer. It terminates several processes that are mostly security related. It also modifies the HOSTS file in an attempt to prevent different security products from updating. Then, the worm copies itself many times to folders on the infected computer using attractive filenames. Symptoms of infection include having copies of the worm with filenames such as Spyware remover.exe, Naked teen-Actions.com, Mydoom removal tool.exe, Microsoft AntiSpyware Patch.com, DVD ripper keygen.exe, Admin Password Cracker.exe, or Messenger 7.0 Installer.exe. Abnormal termination of other processes is also a sign of infection.

Copies of this mass-mailing worm can also spread through P2P networks by making copies of itself using different attractive file names to trick the user into downloading it. The [email protected] application copies itself in the file directory through a flaw in the computer’s security. It will typically look for computers whose administrator accounts have common log-in names and passwords. It is programmed with a set of user names and passwords to try in a computer. Sometimes, it will try to enter computers through several ports. Once it is able to find a match or locate a backdoor, it will create a copy of itself. It will place the file in the System32 folder or another hidden location. It may mimic the appearance of a legitimate application or a core system file to deceive users and the computer into thinking that it is safe. Once it takes the appearance of a particular file, the actual file is deleted from the system. The worm application may also add values to several registry keys to enable it to run when Windows starts.