[email protected]

Aliases: I-Worm.Kergez.c, W32/Kergez.worm, Backdoor.Kergez, Win32.HLLW.Kergez.2, Troj/Kergez-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: N/A
Geographical info: North America
Removal: N/A
Platform: W32
Discovered: 06 Aug 2003
Damage: N/A

Characteristics: [email protected] is a mass-mailing worm that propagates itself through email addresses in files with .asp, .htm, and .php extensions. The email messages will contain: Subject: Re: New Security Vuln and Attachment: Virus_Guard.exe. The worm is Microsoft Visual C++ written and UPX packed.

More details about [email protected]

[email protected] is a mass-mailing worm that spreads through email. It specifically spreads by sending email messages to email addresses it finds in files that have the extensions .asp, .htm, and .php. After [email protected] is executed, it may copy itself to %Windir%\Kangaroo.exe and %System%\Internat67.exe. It may also add values to the registry to ensure that it runs every after Windows starts up. The worm attempts to terminate certain processes especially those related to security processes (e.g. Firewall, Alarm, Secure, Clean, Anti, etc). The worm sends itself to all the email addresses it finds in files that have .asp, .php, and .htm extensions. The email messages contain the subject “New Security Vuln”, a body that contains the message “Are you vulnerable to identity theft…”, and an attachment named Virus_Guard.exe.

The worm [email protected] can be manually removed from the system. First of all, the System Restore function must be temporarily disabled to ensure effective virus removal. Then, update the virus definitions. Use a reliable antivirus software program to run a full system scan on the computer. Delete all files that are detected as [email protected] Edit the Win.ini file. Reverse any changes made in the registry. Before making any changes in the registry, it is advised that you back up the registry. Mistakes in the registry can have serious consequences like permanent data loss or corrupted files. Reboot the computer and rescan the system to double check if the threat has been totally eliminated.