Aliases: W32/Matcher, I-Worm.Matcher, W32/Matcher.A-mm, W32/[email protected], Win32:Matcher
Variants: Email-Worm.Win32.Matcher, Win32/Matcher.28672, W32/[email protected], W32/Matcher-B, Win32.HLLW.Matcher.28672

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: North and South America, Europe, Asia, Australia
Removal: Easy
Platform: W32
Discovered: 18 Apr 2001
Damage: Low

Characteristics: Similar to the characteristics of most Worm variants, the W32.Matcher.Worm usually arrives in a vulnerable computer system as a type of executable file attachment from a malicious email message. It attempts to harvest email addresses from the contacts list of the default email client of the operating system. This particular Worm enters into an endless email sending loop as long as its process remains active in the system background.

More details about W32.Matcher.Worm

According to some computer security experts the W32.Matcher.Worm appears to be based on the Melissa Worm primarily because of the similarities in how the sequence of instructions as well as the functions are arranged in their source codes. This threat begins its execution in an infected computer system by placing a 32-bit executable file into the same location as the operating system files. The W32.Matcher.Worm will proceed by modifying the contents of the Windows Registry by including a new key value entry. This entry is used to instruct the Windows Registry service on the exact location of the malware's executable file in the hard drive. The W32.Matcher.Worm will also generate a corresponding key value that will allow it to be loaded by the operating system.

The W32.Matcher.Worm will begin an infinite email sending loop by targeting all contacts found in the default email client application of the operating system. The email message makes use of the "Matcher" subject line accompanied by an executable file that uses a filename that is the same as the subject line. The message body sent by the W32.Matcher.Worm implies that the attached file is a program that can be used to search for a love match. This is consistent with the characteristics of most Worms that require user intervention to deliver its payload. The W32.Matcher.Worm modifies the system's batch file.