[email protected]


Aliases: Win32.Wreckage.A, TROJ_YABE.B, Win32/Rechnung!Worm
Variants: W32/Bagle.AK-mm, W32/[email protected], W32/Bagle-AK, Trojan.Win32.Agent.jk

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 28 Sep 2005
Damage: Low

Characteristics: Belonging to a mass-mailing worm family, this malware uses peer-to-peer file sharing networks to deliver its infection to other computer systems. The payload delivery routine of the [email protected] includes the capability to download malicious files and execute them locally on the compromised machine. The source of the downloaded files is usually a website that is also under the control of the malicious author.

More details about [email protected]

Aside from using peer-to-peer file sharing networks, this malware and some of its variants can also use email to spread their code to other vulnerable computer systems. The [email protected] is known for executing a legitimate operating system process and injecting its code into that process. It then terminates the authentic system process and takes its place. This routine allows the [email protected] to mimic original system processes, avoiding user suspicion and evading detection by system monitoring tools. The [email protected] creates an executable copy of itself in the operating system directory. It attempts to blend in with legitimate system files to conceal its presence and complicate its removal from the infected computer system.

The [email protected] modifies the Windows Registry by adding a new key value that causes it to load automatically together with the operating system components. The Windows Registry is also used to bypass the active firewall protection of the infected computer system. The [email protected] contacts predetermined websites to download and locally execute malicious files. The downloaded files are normally identifiable by their double file extension. The [email protected] harvests stored email addresses and targets the remote systems by sending email messages with dangerous file attachments.
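As an added defensive example (not part of this description), the following Python check flags attachment or download names that use the double-file-extension lure mentioned above, so that mail gateways or triage scripts can quarantine them; the extension lists and sample names are constructed assumptions for this example.

```python
import os

# Extensions Windows executes when a user double-clicks the file
# (constructed list for this example; extend to suit your environment).
EXECUTABLE_EXTS = {"exe", "scr", "pif", "com", "bat", "cmd", "vbs", "js", "hta"}

# Extensions attackers place first so the name looks like a harmless document
# (constructed list for this example).
DECOY_EXTS = {"pdf", "doc", "txt", "jpg", "gif", "htm", "html", "zip"}


def split_extensions(filename: str) -> list[str]:
    """Return the lower-cased extensions of a filename, innermost first.

    'Invoice.PDF.exe' -> ['pdf', 'exe'];  'report' -> [].
    Whitespace padding between the parts is stripped, so a name such as
    'photo.jpg      .scr' (padding used to push the real extension out of
    view) still yields ['jpg', 'scr'].
    """
    base = os.path.basename(filename.replace("\\", "/"))
    parts = [p.strip().lower() for p in base.split(".")]
    return [p for p in parts[1:] if p]


def is_double_extension_lure(filename: str) -> bool:
    """True when the name shows a decoy document extension but would execute."""
    exts = split_extensions(filename)
    if len(exts) < 2:
        return False  # single extension: handled by ordinary executable policy
    return exts[-1] in EXECUTABLE_EXTS and exts[-2] in DECOY_EXTS


def triage_attachments(names: list[str]) -> list[str]:
    """Return the subset of attachment names that should be quarantined."""
    return [n for n in names if is_double_extension_lure(n)]


# Constructed sample attachment names, as a mail gateway might see them.
SAMPLE_ATTACHMENTS = [
    "Invoice.PDF.exe",          # classic double extension -> flagged
    "photo.jpg      .scr",      # padded to hide the real extension -> flagged
    "archive.tar.gz",           # two extensions, neither executable -> clean
    "setup.exe",                # plain executable, not a lure -> clean
    "C:\\Temp\\Rechnung.htm.pif",  # full path, decoy + executable -> flagged
]

if __name__ == "__main__":
    for name in triage_attachments(SAMPLE_ATTACHMENTS):
        print("quarantine:", name)
```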