[email protected]

Aliases: Trojan.Win32.Smith, Smith, Trojan.Smith, Trojan:Win32/Smith.A, TROJ_SMITH.A 
Variants: Trojan.Smith.A, Trojan.Smith-1, Trj/Smith.A, Win32/Smith.A 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 04 Jul 2004
Damage: Medium

Characteristics: The mass-mailing worm [email protected] uses its own Simple Mail Transfer Protocol (SMTP) engine to send its code to email addresses it can locate on the victim machine. The worm also modifies several system settings and adds entries to the registry to make its code hard to remove from the host machine.

More details about [email protected]

When this worm executes on the infected computer, it copies itself to the system under one of ten predetermined .exe filenames. It incessantly switches the display configuration between different graphics modes, which can cause the screen to flash, switch on and off, or blink. It then alters the registry by deleting and adding values under specific registry keys. The malware can set eleven registry values under a single registry key to make its presence difficult for users to detect. Next, the [email protected] worm scans the local hard disk to gather email addresses, which it uses as recipients for copies of its code. The worm’s malicious code is reported to be carried in the email’s attachment.

The infected email sent by the [email protected] worm comes either from a spoofed email address or from a specific email address. When the sender address is spoofed, it is assembled from a combination of random strings taken from a predefined list. The message body contains around 5 to 6 lines of Chinese characters, and the attachment’s filename is also selected from a predetermined list.

To remove this security risk, disable System Restore and then download a utility that can restore the use of the Registry Editor. Terminate the malware process via the Task Manager and then restart the system. Run the downloaded utility and revert the modifications made to the registry. Search for all of the malware’s dropped files and delete them immediately upon detection.
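The step "restore the Registry Editor's use" can be checked and undone from an administrative PowerShell prompt, as in this added example (not part of the original entry or any vendor utility). It assumes the worm blocks regedit through the standard DisableRegistryTools policy value; the entry above does not state which mechanism the worm uses, so confirm against the actual registry changes before relying on it.

```powershell
# Added example, not from the original entry.
# Assumption: regedit is blocked via the DisableRegistryTools policy value
# (a standard Windows policy); the entry does not name the worm's mechanism.
# Run from an elevated PowerShell prompt.

$PolicyPaths = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'
)

function Get-RegeditLockState {
    # Returns one object per policy hive describing whether the lock is set.
    foreach ($path in $PolicyPaths) {
        $value = $null
        if (Test-Path $path) {
            $value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).DisableRegistryTools
        }
        [pscustomobject]@{
            Path   = $path
            Value  = $value
            Locked = ($null -ne $value -and [int]$value -ne 0)
        }
    }
}

function Restore-RegeditAccess {
    # Removes the lock only where it is actually set. Supports -WhatIf so the
    # analyst can preview the change before touching the registry.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()
    foreach ($state in Get-RegeditLockState) {
        if ($state.Locked -and
            $PSCmdlet.ShouldProcess($state.Path, 'Remove DisableRegistryTools')) {
            Remove-ItemProperty -Path $state.Path -Name 'DisableRegistryTools'
        }
    }
}

# Report current state, preview the fix, then apply it once reviewed.
Get-RegeditLockState | Format-Table -AutoSize
Restore-RegeditAccess -WhatIf
# Restore-RegeditAccess   # uncomment after reviewing the preview
```

Re-run Get-RegeditLockState after the reboot described above; a lock that reappears indicates the malware process is still running and re-setting the value.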