[email protected]

Aliases: N/A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 20 Dec 2006
Damage: Medium

Characteristics: [email protected] is a mass-mailing worm. It infects Windows systems and propagates through email. This particular worm attempts to steal banking information from the infected computer.

More details about [email protected]

The mass-mailing worm [email protected] spreads through email. The subject of the email will be one of the following: hello, Re:hello, postcard, how are you?, Nissan skyline. The body of the email will be one of the following: helo dear friend, nissan skyline is cool!, You have got the postcard from your friend. The name of the attachment will be one of the following: cool.scr, work.exe, coolcar.scr, clickme.exe, behappy.scr. When run, the worm executes the file ojsps.exe if it exists. The worm creates a mutex called wkoddr1. It gathers email addresses from files with the extensions adb, asp, dbx, eml, fpt, inb, mbx, php, pmr, sht, tbb, htm, txt, and wab. The worm attempts to steal banking information when a user visits certain URLs. The stolen information is then sent to another URL.
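The subject, body and attachment names listed above can be turned into a mail-gateway check. The following is an added example, not part of the original entry: the function names, the verdict labels and the policy of gating on the attachment name are assumptions, and the sample messages are constructed.

```python
from email import message_from_bytes, policy
from email.message import EmailMessage

def norm(s: str) -> str:
    """Lowercase and drop whitespace so 'Re: Hello' equals the page's 'Re:hello'."""
    return "".join(s.split()).lower()

# Indicators copied from the description above.
SUBJECTS = {norm(s) for s in ("hello", "Re:hello", "postcard", "how are you?", "Nissan skyline")}
BODIES = [norm(s) for s in ("helo dear friend", "nissan skyline is cool!",
                            "You have got the postcard from your friend")]
ATTACHMENTS = {"cool.scr", "work.exe", "coolcar.scr", "clickme.exe", "behappy.scr"}

def classify(raw: bytes) -> dict:
    """Report which of the listed indicators a raw RFC 5322 message matches."""
    msg = message_from_bytes(raw, policy=policy.default)
    names, text = set(), []
    for part in msg.walk():  # also visits nested multipart children
        filename = part.get_filename()
        if filename:
            names.add(filename.strip().lower())
        elif part.get_content_type() == "text/plain":
            text.append(part.get_content())
    body = norm(" ".join(text))
    subject_hit = norm(str(msg["Subject"] or "")) in SUBJECTS
    body_hit = any(b in body for b in BODIES)
    attach_hits = sorted(names & ATTACHMENTS)
    # Assumed policy: a subject such as "hello" is too common to act on alone,
    # so the attachment name gates the verdict.
    if attach_hits and (subject_hit or body_hit):
        verdict = "match"
    elif attach_hits:
        verdict = "suspect"
    else:
        verdict = "clean"
    return {"verdict": verdict, "subject": subject_hit,
            "body": body_hit, "attachments": attach_hits}

def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Constructed test message; the attachment payload is inert placeholder bytes."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "a@example.com", "b@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"inert placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()
```
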

The W32.Koddr[email protected] program may be spread via e-mails or instant messages. It may be labeled as a software patch or e-card so that users will allow it access to the computer. The application may be delivered as a link or a file attachment. Downloader software, peer-to-peer (P2P) file-sharing networks, IRC, and freeware and shareware websites may also spread the infection. The malicious file may be posted on gaming forums and websites as a game patch or update, which allows the malware author to target players of certain games.