Category: Computer Worm
Active & Spreading
19 Jul 2002
Characteristics: [email protected]
is a mass-mailing worm. It spreads by sending itself to all addresses in the Microsoft Outlook Address Book. The email message contains “Subject: ADMISION 2003” and “Attachment: Unheval.exe.” The worm searches for files with the extensions .xls, .doc, .mdb, .mp3, .rpt, or .dwg in the infected computer and deletes them all.
If you have Malware on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected]
from your computer.
The worm [email protected]
is a mass-mailing worm that uses addresses in the Microsoft Outlook Address Book to propagate. When the worm [email protected]
is executed, it sends itself to all addresses in the Microsoft Outlook Address Book. The email message contains the following: “Subject: ADMISION 2003”, “Message: PROSPECTO DE ADMISION 2003”, and “Attachment: Unheval.exe”. This propagation email message does not change. Afterwards, the worm copies itself to the Windows System folder. When you start Windows, the worm sets Unheval.exe to run by adding a value to the registry. Modifying the registry ensures the worm that it launches every time that Windows starts. The worm also searches for files that have extensions .xls, .doc, .mdb, .mp3, .rpt, or .dwg. When it finds these files, it deletes them.
Since the email used to propagate the worm does not changed, it can be stopped. It can be stopped at the Internet email gateway by blocking all messages which contain “Subject: ADMISION 2003” and “Attachment: UNHEVAL.EXE”. The components of [email protected]
are placed in the Windows or System folder. An executable file is created as a program copy. This is registered as a startup process. It also loads a DLL (Dynamic Link Library) module to the system. The DLL file is registered as a browser component. This gives the application access to the Internet Explorer’s (IE) resources. Web browsing done with IE will also be recorded and monitored.