[email protected]

Aliases: W32/MoonLight.worm, W32/Vetor-A, Email-Worm.Win32.Brontok.N, Win32/Lightmoon.K
Variants: Trojan.Win32.Inject.olw, PE_VIRUT.XL, Virus:Win32/Virut.gen!L, Win32/Xema.worm.56320.C

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 13 Feb 2007
Damage: Low

Characteristics: Consistent with the characteristics of majority of mass mailing Worms, this particular variant harvests email addresses which are stored in the host computer system. These gathered email addresses are used by the [email protected] to target other potentially vulnerable machines by sending a copy of its code. It may download files from malicious websites and execute them locally to complicate the infection. The newly introduced threats can negatively impact overall computer system security.

More details about [email protected]

Initially there are two types of files that are created by this malware. It first creates a screensaver type file along with a command file. These files are stored by the [email protected] in the operating system directory and the user's profile directory respectively. Once these initial file components have been successfully introduced into the compromised machine the malware will proceed to drop additional files that make use of the CMD, SCR, and EXE file extensions. These files are distributed by the [email protected] in various locations in the hard drive. Some of these filenames may use randomly generated numbers, letters, or a combination of both. Two additional text files with the extension DLL and TXT are generated by the [email protected] malware.

The [email protected] creates a new key value in the Windows Registry to include an instance of itself in the Startup group of the operating system. The Windows Registry is also used to negatively impact the functionality of the Registry Editor and System Configuration tools of the computer system. When a computer user attempts to launch any of these system tools, the [email protected] will open them in the text editor tool of the operating system. The [email protected] will scan the contents of the Windows Registry to look for specific predetermined text strings. It also deletes files that contain particular text.