[email protected]

Aliases: Trojan-Dropper.Win32.Agent.yy, MultiDropper-OZ, Troj/Multidr-EP, WORM_LOOKSKY.A
Variants: Email-Worm.Win32.Locksky.a, W32/[email protected], Trojan.PWS.Vassay, Trj/Daemonize.AM, Troj/PWSteal-D

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, Australia, North and South America
Removal: Hard
Platform: W32
Discovered: 24 Oct 2005
Damage: Medium

Characteristics: The [email protected] belongs to the mass-mailing category of malware. Threats of this type harvest email addresses from the infected system and use them as targets for sending out copies of their own code. This worm has also been observed to lower the security settings of the compromised machine, leaving it more exposed to other attacks.

More details about [email protected]

The [email protected] drops an executable file into the operating system directory and launches it. It also writes a backup copy into the folder from which it was run, in case the copy in the system directory fails to launch. It then extracts several further executables and Dynamic Link Library files to establish its presence on the infected system; some of these executables are used to run a proxy and an HTTP server on the compromised host. The file names used by these executables closely resemble those of legitimate operating system processes, so that their presence does not arouse the user's suspicion.

The [email protected] also creates an INI file and a LCK file, two file types that are not in themselves regarded as suspicious. The INI file is used to store data stolen from the host, while the LCK file is zero bytes in size. The worm adds its own value to the Windows Registry so that it is launched each time the operating system starts. It runs the netsh command in an attempt to get around the firewall on the computer, and its backdoor component uses TCP port 321. Keystroke logging is part of its payload.
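A host-triage script for the indicators described in the two paragraphs above, written here as an added example; it is not code from this page or from any vendor's tool. It assumes the persistence value lives under the standard Run keys and that the netsh call changes the Windows Firewall configuration; the file names, registry value names, command lines and listener list in the sample snapshot are constructed for the demonstration. Because the page says the dropped files mimic legitimate process names, the script does not match on names. It keys on the behaviours instead: a Run value pointing into the OS directory, a zero-byte .lck beside a same-named .ini, the same binary present both in the OS directory and elsewhere (the backup copy), a netsh firewall change, and a listener on TCP 321.

```python
"""Triage checks for the dropper/backdoor behaviours described above.
Added example, not the page's or any vendor's code. Host data is constructed
inline; on a real host, fill HostSnapshot from the registry, the file system,
process-creation logs and netstat output."""
from __future__ import annotations
import re
from dataclasses import dataclass

BACKDOOR_PORT = 321  # stated on the page
SYSTEM_DIRS = (r"c:\windows\system32", r"c:\windows\system", r"c:\windows")
RUN_KEYS = (  # assumption: persistence uses the standard Run keys
    r"hklm\software\microsoft\windows\currentversion\run",
    r"hkcu\software\microsoft\windows\currentversion\run",
)
# Any netsh call that adds to or changes the firewall configuration
# (XP-era "netsh firewall ..." as well as "netsh advfirewall ...").
NETSH_FIREWALL = re.compile(r"\bnetsh\b.*firewall.*\b(?:add|set)\b", re.IGNORECASE)


@dataclass
class HostSnapshot:
    run_values: dict[tuple[str, str], str]  # (registry key, value name) -> command
    files: dict[str, int]                   # path -> size in bytes
    cmdlines: list[str]                     # process command lines seen
    listeners: list[tuple[str, int]]        # (image path, listening TCP port)


def _norm(path: str) -> str:
    return path.strip().strip('"').lower()


def _in_system_dir(path: str) -> bool:
    p = _norm(path)
    return any(p.startswith(d + "\\") for d in SYSTEM_DIRS)


def _image_of(command: str) -> str:
    """First token of a command line, honouring a quoted image path."""
    command = command.strip()
    if command.startswith('"') and command.find('"', 1) > 0:
        return command[1:command.find('"', 1)]
    return command.split(" ", 1)[0]


def check_run_values(s: HostSnapshot) -> list[str]:
    """Run-key values launching an image from the OS directory (noisy alone)."""
    return [f"{key}\\{name} -> {cmd}" for (key, name), cmd in s.run_values.items()
            if key.lower() in RUN_KEYS and _in_system_dir(_image_of(cmd))]


def check_lck_ini_pair(s: HostSnapshot) -> list[str]:
    """Zero-byte .lck with a same-named .ini beside it (the stolen-data store)."""
    present = {_norm(p) for p in s.files}
    return [p for p, size in s.files.items()
            if _norm(p).endswith(".lck") and size == 0
            and _norm(p)[:-4] + ".ini" in present]


def check_backup_copy(s: HostSnapshot) -> list[str]:
    """Same file name and size both inside and outside the OS directory."""
    groups: dict[tuple[str, int], list[str]] = {}
    for p, size in s.files.items():
        groups.setdefault((_norm(p).rsplit("\\", 1)[-1], size), []).append(p)
    return [" <-> ".join(paths) for paths in groups.values() if len(paths) > 1
            and any(_in_system_dir(p) for p in paths)
            and not all(_in_system_dir(p) for p in paths)]


def check_netsh(s: HostSnapshot) -> list[str]:
    return [c for c in s.cmdlines if NETSH_FIREWALL.search(c)]


def check_backdoor_listener(s: HostSnapshot) -> list[str]:
    return [f"{image} listening on tcp/{port}"
            for image, port in s.listeners if port == BACKDOOR_PORT]


CHECKS = {"run_key": check_run_values, "lck_ini_pair": check_lck_ini_pair,
          "backup_copy": check_backup_copy, "netsh_firewall": check_netsh,
          "backdoor_port": check_backdoor_listener}


def triage(s: HostSnapshot) -> dict[str, list[str]]:
    """Checks that fired; several together is the real signal, since the
    dropped file names are chosen to look legitimate."""
    return {name: hits for name, fn in CHECKS.items() if (hits := fn(s))}


# Constructed snapshot of an infected host; all names are hypothetical.
SAMPLE = HostSnapshot(
    run_values={
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Example"):
            r'"C:\WINDOWS\system32\example_dropper.exe"',
        (r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run", "Vendor"):
            r'"C:\Program Files\Vendor\updater.exe" /background',  # benign
    },
    files={
        r"C:\WINDOWS\system32\example_dropper.exe": 61440,
        r"C:\Documents and Settings\user\Desktop\example_dropper.exe": 61440,
        r"C:\WINDOWS\system32\example_data.ini": 2048,
        r"C:\WINDOWS\system32\example_data.lck": 0,
    },
    cmdlines=[
        r'netsh firewall add allowedprogram program="C:\WINDOWS\system32\example_dropper.exe" name="Example" mode=ENABLE',
        r"C:\WINDOWS\explorer.exe",
    ],
    listeners=[(r"C:\WINDOWS\system32\example_dropper.exe", 321),
               (r"C:\WINDOWS\system32\svchost.exe", 135)],
)

if __name__ == "__main__":
    for name, hits in triage(SAMPLE).items():
        print(name, *hits, sep="\n    ")
```

Running the script prints each check that fired with the evidence behind it. Treat the Run-key and backup-copy checks as weak on their own (legitimate installers do both); the zero-byte .lck beside an .ini, the netsh firewall change and a listener on tcp/321 are the more specific indicators, and all five together on one host is a strong match for the behaviour described above.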