[email protected]

Aliases: Email-Worm.Win32.MsWorld, I-Worm.MsWorld, W32/[email protected], Win32.HLLW.MsWorld, Win32/[email protected] 
Variants: W32/MissWorld, WORM_MSWORLD.A 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: Asia, South America, North America, Europe, Africa, Australia and New Zealand, Canada
Removal: Easy
Platform: W32
Discovered: 05 Jan 2001
Damage: High

Characteristics: The malware [email protected] is a mass-mailing worm written in Visual Basic. It uses a Macromedia Flash presentation to mask its malicious purpose. It also tries to alter the file autoexec.bat so that drive C:\ is formatted when the system is restarted, and it tries to delete some files in the Windows Registry.

More details about [email protected]

When run on the victim machine, the [email protected] worm checks for the presence of the MS Outlook application and, if it is found, tries to use it to propagate. On execution the worm displays so-called Miss World pictures and then executes 2 Trojan routines. The pictures show sexy girls, but with a man's face. The worm spreads in the typical way, through MS Outlook: it scans the application's address book, collects at least 50 email addresses and sends email messages to them. The sent messages have the subject 'Miss World' and the body 'Hi and some random characters'. The EXE file attached to the message contains a copy of the worm. The worm is also known to append DOS batch commands to the end of the file autoexec.bat so that it displays a message.

The [email protected] worm will also attempt to format every local fixed drive and to delete the system registry files and their backups, which include the files system.dat, system.da0, user.da0 and user.dat. However, since these files are typically locked by the operating system for protection, the worm will most likely fail to delete them and will exit instead. The [email protected] program drops its core components in the Windows system folder. These files are used by the application as its main executable file. The same file is copied to the shared folders available on the network. The wmiprvsc.exe file is registered as a system service, which allows the program to execute automatically every time Windows boots up. The file is displayed on the computer as the Windows Update Process service.
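
The autoexec.bat tampering and registry-file deletion described above can be checked for during triage. The following is an added example, not code from the original page: the function name `audit_autoexec`, the rule names and the sample batch file are constructed for illustration, and only the registry file names come from the description above.

```python
import re

# Registry files and backups named in the description above.
REGISTRY_FILES = ("system.dat", "system.da0", "user.dat", "user.da0")

# A format command aimed at a drive letter, with optional "@" and path prefix.
FORMAT_RE = re.compile(r"^\s*@?(?:\S*\\)?format(?:\.com)?\s+([a-z]):", re.I)
# A delete command; its arguments are captured for inspection.
DELETE_RE = re.compile(r"^\s*@?(?:del|erase|deltree)\b(.*)$", re.I)


def audit_autoexec(text):
    """Return (line number, rule, detail) for each destructive command found."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        # Skip blank lines and batch comments so mentions in remarks do not alert.
        if not line or line.lower().startswith(("rem ", "::")):
            continue
        # Check each stage of a pipeline separately.
        for part in line.split("|"):
            m = FORMAT_RE.match(part)
            if m:
                findings.append((lineno, "format-drive", m.group(1).upper()))
            m = DELETE_RE.match(part)
            if m:
                args = m.group(1).lower()
                for name in REGISTRY_FILES:
                    if name in args:
                        findings.append((lineno, "delete-registry-file", name))
    return findings


# Constructed sample: a normal autoexec.bat with destructive lines appended.
SAMPLE = """@echo off
SET PATH=C:\\WINDOWS;C:\\WINDOWS\\COMMAND
rem format c: is only mentioned in this comment
echo constructed message
format c: /q
del C:\\WINDOWS\\system.dat
"""

if __name__ == "__main__":
    for finding in audit_autoexec(SAMPLE):
        print(finding)
```

Run it against a copy of autoexec.bat taken from an offline image of the affected disk; any finding near the end of the file is worth comparing with a known-good copy.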