[email protected]

Aliases: [email protected], W32/Mylife, Win32/[email protected] 
Variants: Email-Worm.Win32.Mylife.a, I-Worm.Mylife.a, Win32.HLLM.Generic.16, W32/MyLife A 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Hard
Platform: W32
Discovered: 07 Mar 2002
Damage: Medium

Characteristics: W32/Mylife is a mass-mailing worm that sends its code to all the contacts it can find in the infected system's Microsoft Outlook address book. It is written in Microsoft Visual Basic and compressed with UPX. Once it is running on a target machine, the worm tries to delete files that have the .sys, .com, .exe, .ini, .dll or .vxd file extensions.

More details about W32/Mylife

This mass-mailing worm spreads across networks as an attachment to infected email messages. The messages that carry it have various subjects and bodies. Infection begins once a user downloads and runs the attachment that contains the worm. When the W32/Mylife worm runs for the first time on the target machine, it displays a window containing a photo. When the user closes this window, the worm begins to execute its payload. To install itself on the victim machine, the worm copies itself as a file with the .scr extension and registers an autorun key in the registry. It then looks for Microsoft Outlook on the machine and obtains email addresses from it.

The payload of the W32/Mylife worm begins by checking the system's current date. If the minute value of the current system time is more than 45, it moves on to the next step of its payload: it attempts to delete files stored on the C:\ drive with the extensions .com and .sys, files stored in the Windows directory with the .ini, .com, .exe and .sys extensions, and files stored in the Windows System directory with the extensions .exe, .vxd, .sys and .dll. The worm can also monitor the user's activities without their knowledge, and it does not appear in the list of running applications. Both the computer and the user are at risk once the worm has been launched. A remote attacker may also use the user's personal information and data for malicious purposes and may even include the compromised computer in bot networks.
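
The deletion pattern described above can be turned into a host-side check. The following is an added example, not part of the original write-up: it scans file-deletion events for a process that removes the listed extensions from more than one of the listed directories. The event tuple format, the concrete directory paths (C:\Windows, C:\Windows\System), the function names and the sample events are assumptions constructed for illustration.

```python
import ntpath
from collections import defaultdict
from datetime import datetime

# Directory -> extensions, taken from the payload description above.
# The concrete paths are assumptions: the page names only the C: drive,
# the Windows directory and the Windows System directory.
RULES = {
    "c:\\": {".com", ".sys"},
    "c:\\windows": {".ini", ".com", ".exe", ".sys"},
    "c:\\windows\\system": {".exe", ".vxd", ".sys", ".dll"},
}

def match_rule(path):
    """Return the rule directory a deleted file sits directly in, or None."""
    p = ntpath.normpath(path).lower()
    parent, ext = ntpath.dirname(p), ntpath.splitext(p)[1]
    return parent if ext in RULES.get(parent, ()) else None

def suspicious_processes(events, min_dirs=2):
    """events: (iso_timestamp, process_image, deleted_path) tuples.
    Flags a process whose matching deletions span at least min_dirs
    of the rule directories."""
    hits = defaultdict(list)
    for ts, image, path in events:
        rule = match_rule(path)
        if rule:
            hits[image.lower()].append((datetime.fromisoformat(ts), rule))
    report = {}
    for image, rows in hits.items():
        dirs = sorted({rule for _, rule in rows})
        if len(dirs) >= min_dirs:
            report[image] = {
                "dirs": dirs,
                "deletes": len(rows),
                # Corroborating details from the description above.
                "after_minute_45": all(t.minute > 45 for t, _ in rows),
                "scr_image": image.endswith(".scr"),
            }
    return report

# Constructed sample events (hypothetical names, not from a real incident).
SAMPLE = [
    ("2002-03-08T10:47:02", r"C:\WINDOWS\SYSTEM\example.scr", r"C:\COMMAND.COM"),
    ("2002-03-08T10:47:02", r"C:\WINDOWS\SYSTEM\example.scr", r"C:\WINDOWS\WIN.INI"),
    ("2002-03-08T10:47:03", r"C:\WINDOWS\SYSTEM\example.scr", r"C:\WINDOWS\SYSTEM\VMM32.VXD"),
    ("2002-03-08T10:47:03", r"C:\WINDOWS\SYSTEM\example.scr", r"C:\WINDOWS\TEMP\a.tmp"),
    ("2002-03-08T10:12:00", r"C:\Program Files\Setup\uninst.exe", r"C:\WINDOWS\SYSTEM\old.dll"),
]
```

Calling `suspicious_processes(SAMPLE)` flags only the `.scr` process, because the uninstaller's single matching delete touches one rule directory.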