[email protected]

Aliases: W32/Midlak.A, I-Worm.Midlak, WORM_MIDLAK.A, Win32:Midlak-UPX, [email protected]
Variants: Email-Worm.Win32.Midlak, W32/Generic.worm.b, Win32.HLLM.Generic.270, W32/Klam-A, Win32/HLLW.Klam.A

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 27 Nov 2003
Damage: Low

Characteristics: The [email protected] is a mass mailing Worm variant that was packed using the UPX method. It is designed to make use of various transport mechanisms to spread its infection to other vulnerable computer systems. Among the identified media used by this malware include email messaging, Internet Relay Chat, and Peer to Peer file sharing networks among others. It delivers a payload of stealing sensitive data and deleting system critical files from the host machine.

More details about [email protected]

During the initial execution of the [email protected], it will attempt to create a copy of itself in the root directory of the main hard drive pretending to be a screensaver file of one of the popular Hollywood actresses. It proceeds by scanning for the presence of the shared folder associated with a Peer to Peer file sharing client. When found the [email protected] will create multiple instances of its files into the folder using either the EXE or the SCR file format. Simultaneously it will overwrite the initialization file of the Internet Relay Chat client if available. The [email protected] will also drop legitimate DLL, VBS, TMP, and TXT files which are intended to provide it with the ability to harvest addresses and send email messages.

The automatic loading feature of the [email protected] is installed in the Windows Registry by the creation of a new key value. It scans for specific file extensions which are believed to store additional email addresses that can be attacked. The [email protected] will send an email message presumably to its malicious author to report the successful infection of the host computer system. The [email protected] will then retrieve from the Windows Registry the user's email address and use this to send messages with a malicious file attachment to all harvested contacts from the infected machine. It deletes INI, EXE, and SYS files.