[email protected]

Aliases: W32/Roaller.B, W32/Roaller.worm.gen, [email protected], Worm:Win32/[email protected], Worm.Mail.Roaller.b
Variants: W32.Logex.B, Email-Worm.Win32.Roaller.b, Email-Worm.Win32.Logitall, [email protected], Worm:Win32/[email protected]

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 01 Oct 2003
Damage: Low

Characteristics: Like other mass-mailing worms, the [email protected] harvests email addresses stored on the infected computer system. These addresses become the targets to which the malware sends a copy of its own code in order to spread the infection. It also connects to a predetermined FTP server chosen by the malware author and uploads information about the compromised machine. The stolen data may be used to launch attacks on other networks.

More details about [email protected]

Unlike much other malware, the [email protected] creates its own folder rather than using a directory belonging to the operating system. This folder is used to store a log file, which the malware updates continuously while it runs on the infected machine. A second text file is created by the [email protected] in the operating system's directory; this file holds the system-specific data the malware has stolen. The [email protected] checks the system date and terminates if the date is later than September 2003. If an executable file is not already present in the root directory of the main hard drive, the malware drops one there.

The [email protected] attempts to load automatically at system startup by modifying the Windows Registry and adding its own key values. The malware then connects to a remote server to check for any code updates the author may have published. The [email protected] scans the hard drive for PWL and DOC files, as well as for email addresses and cached passwords. Any data it retrieves is written to the log file it created earlier. Finally, the malware looks for available MAPI connections and uses its own SMTP engine to send itself to the harvested addresses.
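The startup behaviour described above (a value added under the Windows Run key so the worm loads at boot) is one of the easiest things to check for during triage. The following script is an added example for this entry, not code from the original page or from any vendor: it parses the text layout that `reg export` writes for a Run key and flags entries whose executable sits in a drive root or outside the standard program directories, which is where the worm described here drops its files. The registry entries in `SAMPLE_REG_EXPORT` are constructed for the example and are not indicators from the page; the trusted roots in `TRUSTED_ROOTS` are an assumption that a real deployment would tune.

```python
import re
from pathlib import PureWindowsPath

# Constructed sample in the layout `reg export` writes for a Run key.
# Every value here is made up for the example; none is an indicator from the page.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"sysupd"="C:\\sysupd.exe"
"logsvc"="C:\\Documents and Settings\\user\\logdata\\svc.exe -q"
"ctfmon"="C:\\WINDOWS\\system32\\ctfmon.exe"
'''

# Assumed allow-list of directories a legitimate autorun normally lives in.
TRUSTED_ROOTS = (
    PureWindowsPath(r"C:\Program Files"),
    PureWindowsPath(r"C:\Program Files (x86)"),
    PureWindowsPath(r"C:\Windows"),
)

# One REG_SZ line in an export: "name"="data"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')


def parse_run_values(export_text):
    """Return {value_name: command_line} for every string value in the export."""
    entries = {}
    for line in export_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue
        # reg export escapes embedded double quotes and backslashes in REG_SZ data.
        data = m.group("data").replace('\\"', '"').replace("\\\\", "\\")
        entries[m.group("name")] = data
    return entries


def executable_path(command_line):
    """Extract the program path from a Run command line, quoted or bare."""
    if command_line.startswith('"'):
        end = command_line.find('"', 1)
        return PureWindowsPath(command_line[1:end])
    # Bare form: the path runs up to the first ".exe" (spaces allowed), rest is arguments.
    m = re.match(r"(.+?\.exe)", command_line, re.IGNORECASE)
    return PureWindowsPath(m.group(1) if m else command_line.split()[0])


def is_under(path, root):
    """Case-insensitive test for whether path lies below root."""
    try:
        PureWindowsPath(str(path).lower()).relative_to(PureWindowsPath(str(root).lower()))
        return True
    except ValueError:
        return False


def suspicious_autoruns(export_text):
    """Flag Run entries launching from a drive root or outside TRUSTED_ROOTS.

    Returns a list of (value_name, executable, reason) tuples.
    """
    findings = []
    for name, cmd in parse_run_values(export_text).items():
        exe = executable_path(cmd)
        if exe.anchor and exe.parent == PureWindowsPath(exe.anchor):
            findings.append((name, str(exe), "executable in drive root"))
        elif not any(is_under(exe, root) for root in TRUSTED_ROOTS):
            findings.append((name, str(exe), "executable outside trusted program directories"))
    return findings


if __name__ == "__main__":
    for name, exe, reason in suspicious_autoruns(SAMPLE_REG_EXPORT):
        print(f"{name}: {exe} -> {reason}")
```

Run against the constructed export, the script reports `sysupd` (a loose executable in the drive root, matching the drop location this entry describes) and `logsvc` (a program started from a user-created folder), while the two entries under Program Files and Windows pass. The same parser works on a real `reg export` of the HKLM and HKCU Run keys once the file is converted from UTF-16 to text.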