[email protected]

Aliases: Win32/Longbe.A, W32/Longbe.A.worm, I-Worm/Longbe.B, I-Worm.Longbe, Win32:Trojan-gen
Variants: Email-Worm.Win32.Longbe, Downloader-IA, Trojan.DownLoader.169, TrojanDownloader:Win32/Eupa, TROJ_SPOOLASA.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 10 Mar 2004
Damage: Low

Characteristics: Using the Borland Delphi programming language along with the ASPack packing method, this malware was designed to discretely download and eventually execute malicious code into a vulnerable machine. The [email protected] also has the functionality of creating an unsecured backdoor to provide unobstructed entry into the computer system. The backdoor feature gives the malicious author the capability of harvesting information from the infected computer system as well as controlling some of its functionalities.

More details about [email protected]

Execution of the [email protected] into a vulnerable computer system will prompt the creation of an executable file and a Dynamic Link Library file into the directory folder location of the operating system. Presumably the executable file will launch the infection routine while the Dynamic Link Library is used to hook certain functionalities of the operating system. The [email protected] also adds a key value into the Windows Registry in order to gain the ability to automatically load when the operating system runs on every boot up or startup instance. After modification of the Windows Registry the [email protected] create additional Dynamic Link Library files to further its presence into the infected computer system and support its other designed functionalities.

One of the Dynamic Link Library files is used by the [email protected] to initiate its backdoor functionality which allows the remote malicious author to retrieve information from the infected computer system or send additional instructions to the malware. The other Dynamic Link Library file is a textual file used by the [email protected] which is not inherently viral and cannot be detected as a threat. The [email protected] will use the TCP port 6324 to listen for commands from the remote attacker or be used to support its mass mailing functionality. The Web browser may be redirected to malicious sites.