Win32/Longbe.A, W32/Longbe.A.worm, I-Worm/Longbe.B, I-Worm.Longbe, Win32:Trojan-gen
Email-Worm.Win32.Longbe, Downloader-IA, Trojan.DownLoader.169, TrojanDownloader:Win32/Eupa, TROJ_SPOOLASA.A
Category: Computer Worm
Active & Spreading
10 Mar 2004
Written in the Borland Delphi programming language and packed with ASPack, this malware was designed to discreetly download and eventually execute malicious code on a vulnerable machine. Longbe can also create an unsecured backdoor that provides unobstructed entry into the computer system. The backdoor lets the malicious author harvest information from the infected computer system and control some of its functionality.
When Longbe executes on a vulnerable computer system, it creates an executable file and a Dynamic Link Library (DLL) file in the operating system's directory. Presumably the executable file launches the infection routine while the DLL is used to hook certain operating system functions. Longbe also adds a value to the Windows Registry so that it loads automatically every time the operating system starts. After modifying the Windows Registry, Longbe creates additional DLL files to further its presence on the infected computer system and to support its other functions.
Longbe uses one of the DLL files to initiate its backdoor functionality, which allows the remote malicious author to retrieve information from the infected computer system or send additional instructions to the malware. The other DLL file is a text file used by Longbe; it is not inherently viral and cannot be detected as a threat. Longbe uses TCP port 6324 to listen for commands from the remote attacker or to support its mass-mailing functionality. The Web browser may be redirected to malicious sites.
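One way to triage a host for the TCP 6324 listener described above, as an added example that is not part of the original write-up: the script parses saved `netstat -ano` output and reports which process IDs own a socket on that port. The sample output, the function names and the dictionary layout are constructed for illustration.

```python
import re

LONGBE_PORT = 6324  # TCP port the write-up says the backdoor listens on

# Constructed sample of Windows `netstat -ano` output (not from a real host).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       904
  TCP    0.0.0.0:6324           0.0.0.0:0              LISTENING       2312
  TCP    [::]:6324              [::]:0                 LISTENING       2312
  TCP    192.168.1.20:49712     203.0.113.7:6324       ESTABLISHED     3100
  TCP    192.168.1.20:6324      198.51.100.9:51544     ESTABLISHED     2312
  UDP    0.0.0.0:6324           *:*                                    1480
"""

# Only TCP rows carry a State column; UDP rows deliberately do not match.
ROW = re.compile(
    r"^\s*TCP\s+(?P<local>\S+)\s+(?P<remote>\S+)\s+(?P<state>[A-Z_0-9]+)\s+(?P<pid>\d+)\s*$"
)

def port_of(endpoint):
    """Return the port from '1.2.3.4:80' or '[::]:80', or None if absent."""
    _, _, port = endpoint.rpartition(":")
    return int(port) if port.isdigit() else None

def find_longbe_sockets(netstat_text, port=LONGBE_PORT):
    """Return TCP sockets whose LOCAL port matches (listener or inbound session)."""
    hits = []
    for line in netstat_text.splitlines():
        m = ROW.match(line)
        # A remote port of 6324 is an outbound connection, not the local backdoor.
        if not m or port_of(m["local"]) != port:
            continue
        if m["state"] in ("LISTENING", "ESTABLISHED"):
            hits.append({"local": m["local"], "remote": m["remote"],
                         "state": m["state"], "pid": int(m["pid"])})
    return hits

def suspect_pids(netstat_text, port=LONGBE_PORT):
    """PIDs that hold a listening socket on the port, de-duplicated across IPv4/IPv6."""
    return sorted({h["pid"] for h in find_longbe_sockets(netstat_text, port)
                   if h["state"] == "LISTENING"})

if __name__ == "__main__":
    for hit in find_longbe_sockets(SAMPLE_NETSTAT):
        print(hit)
    print("PIDs to inspect:", suspect_pids(SAMPLE_NETSTAT))
```

A listener on this port is a lead, not proof, since other software can bind 6324; map each reported PID to its executable before drawing a conclusion.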