[email protected]

Aliases: Bloodhound.W32.VBWORM
Variants: W32/[email protected],W32/Lavehn-A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 19 Jul 2002
Damage: Medium

Characteristics: [email protected] is a mass-mailing worm. It spreads by sending itself to all addresses in the Microsoft Outlook Address Book. The email message contains “Subject: ADMISION 2003” and “Attachment: Unheval.exe.” The worm searches for files with the extensions .xls, .doc, .mdb, .mp3, .rpt, or .dwg in the infected computer and deletes them all.

More details about [email protected]

The worm [email protected] is a mass-mailing worm that uses addresses in the Microsoft Outlook Address Book to propagate. When the worm [email protected] is executed, it sends itself to all addresses in the Microsoft Outlook Address Book. The email message contains the following: “Subject: ADMISION 2003”, “Message: PROSPECTO DE ADMISION 2003”, and “Attachment: Unheval.exe”. This propagation email message does not change. Afterwards, the worm copies itself to the Windows System folder. When you start Windows, the worm sets Unheval.exe to run by adding a value to the registry. Modifying the registry ensures the worm that it launches every time that Windows starts. The worm also searches for files that have extensions .xls, .doc, .mdb, .mp3, .rpt, or .dwg. When it finds these files, it deletes them.

Since the email used to propagate the worm does not changed, it can be stopped. It can be stopped at the Internet email gateway by blocking all messages which contain “Subject: ADMISION 2003” and “Attachment: UNHEVAL.EXE”. The components of [email protected] are placed in the Windows or System folder. An executable file is created as a program copy. This is registered as a startup process. It also loads a DLL (Dynamic Link Library) module to the system. The DLL file is registered as a browser component. This gives the application access to the Internet Explorer’s (IE) resources. Web browsing done with IE will also be recorded and monitored.