[email protected]

Aliases: Win32.Mugly.A, Worm.Win32.Wurmark.a, W32/[email protected], WORM_MUGLY.A
Variants: Email-Worm.Win32.Wurmark.d, [email protected], [email protected], W32/Wurmark

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 02 Dec 2004
Damage: Medium

Characteristics: This worm is an email worm that uses its own Simple Mail Transfer Protocol (SMTP) engine to propagate its code. It sends a copy of itself as an attachment to email addresses it has collected from the infected computer system. The [email protected] malware is also known to drop and execute a variant of the W32.Spybot.Worm and will try to open a back door on the affected machine.

More details about [email protected]

The [email protected] is a mass-mailing, memory-resident worm that arrives on the infected machine as an email attachment. When executed, it drops a copy of itself as a .TMP file and also drops several other files. Among the files dropped by the malware are a ZIP file containing the worm's compressed copy, an EXE file that is a copy of the W32.SdBot.Worm, a JPG file that is not malicious, and two DLLs: one is its SMTP mailing engine and the other is a typical archive engine. It likewise drops a SYS file, an unpacker component that the worm uses to register the SVK Protector. The worm uses this SVK Protector to unpack one of its several dropped files, which is packed using SVKP.

This mass-mailing worm also creates registry entries so that its dropped EXE file runs at startup. This file will create a service. The worm then registers its SMTP engine by creating further registry entries so that it can carry out mass mailing. The [email protected] worm tries to locate target email recipients in files with the extensions asp, adb, doc, dbx, html, htm, sht, php, txt, tbb and wab. It will, however, avoid sending messages to email addresses containing security-related strings. The worm is also known to exploit the Windows LSASS and RPC DCOM vulnerabilities. It also connects to a predefined server and opens arbitrary ports to wait for instructions from its remote author. When executed on the machine, the worm displays its dropped JPG file, which is a picture of a man with a contorted face.