[email protected]

Aliases: Win32.Maldal.C, [email protected], [email protected], W32/[email protected], I-Worm.Keyluc
Variants: Win32/Maldal.A.Worm, Win32/Maldal.C.Dropper, Win32.Reeezak, W32/Zacker.C

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: North and South America, Europe
Removal: Easy
Platform: W32
Discovered: 19 Dec 2001
Damage: Medium

Characteristics: This is a mass-mailing worm: it uses the system's default e-mail client to send copies of itself to other machines. It also hijacks the web browser by replacing the configured homepage with a page chosen by the worm's author; that page in turn leads to a further malicious download over the victim's active Internet connection.

More details about [email protected]

Because the worm was written in Visual Basic, it needs the Visual Basic runtime libraries to be present on the machine in order to run. It harvests every contact address from the default e-mail client's address book and sends each one a message with the subject "Happy New Year" and the worm's executable as an attachment. It modifies the Windows Registry to replace the computer name with a value chosen by the author, displays the text "From the heart. Happy new year !" on screen, and disables the keyboard.
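The mail-gateway side of the behaviour above can be checked with a simple triage rule: the worm's outbound message is recognisable by its fixed subject line combined with an executable attachment. The following is an added example, not code from this profile or from any antivirus vendor. It builds a few constructed sample messages (the attachment names and addresses are hypothetical; the profile does not name the worm's attachment) and classifies each one. Messages that match the worm's subject and carry an executable are quarantined; executables under any other subject are flagged for review so the rule is not defeated by a changed subject.

```python
import email
from email import policy
from email.message import EmailMessage

# Subject line the worm uses for its outbound mail (from the profile above),
# compared after whitespace normalisation and case folding.
WORM_SUBJECT = "happy new year"

# Extensions Windows runs as code. The worm's payload is an .exe; the list is
# widened to the usual double-extension tricks (an assumption, not from the profile).
EXEC_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".vbs", ".vbe", ".js")


def executable_attachments(msg):
    """Return the filenames of attachments that Windows would execute."""
    names = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        if name.lower().endswith(EXEC_EXTS):
            names.append(name)
    return names


def classify(raw_bytes):
    """Classify one RFC 822 message as 'quarantine', 'review' or 'deliver'."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    subject = " ".join(str(msg.get("Subject", "")).split()).lower()
    execs = executable_attachments(msg)
    if execs and subject == WORM_SUBJECT:
        return "quarantine", execs      # subject and payload both match the worm
    if execs:
        return "review", execs          # executable under some other subject
    return "deliver", []


def build_message(subject, attachment_name=None):
    """Construct a sample message (test data, not a captured worm e-mail)."""
    msg = EmailMessage()
    msg["From"] = "friend@example.com"      # hypothetical addresses
    msg["To"] = "victim@example.com"
    msg["Subject"] = subject
    msg.set_content("From the heart. Happy new year !")
    if attachment_name:
        # A fake PE header stub so the attachment looks like an executable.
        msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60,
                           maintype="application", subtype="octet-stream",
                           filename=attachment_name)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = {
        "worm-like":         build_message("Happy New Year", "card.exe"),
        "greeting, no file": build_message("Happy New Year"),
        "other executable":  build_message("Invoice", "report.pdf.scr"),
        "image attached":    build_message("Happy New Year", "photo.jpg"),
    }
    for label, raw in samples.items():
        verdict, names = classify(raw)
        print(f"{label:18s} -> {verdict:10s} {names}")
```

In production the same classify() would be called on each message body read from the gateway's spool; the filename check is deliberately applied to the declared attachment name, since that is what the recipient's mail client uses to decide whether to run it.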

The worm also replaces the browser's default homepage with a malicious website. When the user visits that page, the browser is redirected and a malicious Visual Basic Script file is downloaded; once the download completes, the worm executes the VBS file on the compromised machine. The script creates a new HTM file in the operating system's directory and targets files with the .asp, .html and .htm extensions. It then displays a political message on screen and attempts to shut down the operating system.
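Two of the host-side changes described in this profile, the replaced browser homepage and the renamed computer, can be checked offline against a baseline from a registry export taken from the suspect machine. The following is an added example, not code from this profile or from any vendor. It parses a small constructed .reg export (the URL and host name in it are hypothetical placeholders, not values taken from the worm) and compares the Internet Explorer "Start Page" value and the "ComputerName" value against what the analyst expects. The two key paths are the standard locations of those settings; the profile itself names the settings but not the keys.

```python
import re

# Standard locations of the two settings the worm changes.
IE_MAIN = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
COMPUTER_NAME_KEY = (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
                     r"\ComputerName\ComputerName")

# Constructed .reg export for the demonstration. The URL and host name are
# hypothetical placeholders, not indicators taken from the worm.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://homepage.invalid/index.htm"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName]
"ComputerName"="RENAMED-BY-WORM"
'''

# "Name"="data" lines; both sides may contain \" and \\ escapes.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)+)"="((?:[^"\\]|\\.)*)"$')


def parse_reg_export(text):
    """Map (key path, value name) -> data for the REG_SZ values in a .reg file.

    Real exports are UTF-16LE with a BOM: read them with encoding="utf-16".
    Only string values are needed here; dword:/hex: lines are skipped.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if m and key is not None:
            unescape = lambda s: re.sub(r"\\(.)", r"\1", s)
            values[(key, unescape(m.group(1)))] = unescape(m.group(2))
    return values


def check_hijack(values, expected_homepage, expected_computer_name):
    """Return (setting, observed value) for each watched value that deviates
    from the analyst-supplied baseline. Missing values are not findings."""
    findings = []
    homepage = values.get((IE_MAIN, "Start Page"))
    if homepage is not None and homepage.lower() != expected_homepage.lower():
        findings.append(("Start Page", homepage))
    name = values.get((COMPUTER_NAME_KEY, "ComputerName"))
    if name is not None and name.upper() != expected_computer_name.upper():
        findings.append(("ComputerName", name))
    return findings


if __name__ == "__main__":
    observed = parse_reg_export(SAMPLE_EXPORT)
    # Baseline values are hypothetical; supply the site's real ones.
    for setting, value in check_hijack(observed,
                                       "http://intranet.example/start.htm",
                                       "WS-0042"):
        print(f"{setting} changed to {value!r}")
```

On a live host the same values can be read directly instead of from an export, but a file-based check works against a forensic image and does not require running anything on a machine whose keyboard the worm has already disabled.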