[email protected]

Aliases: W32/[email protected] 
Variants: W32/MyPower-B, Win32/[email protected], WORM_MYPOWER.B, Worm/MyPower 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Fast
Geographical info: N/A
Removal: Easy
Platform: W32
Discovered: 30 Apr 2002
Damage: Low

Characteristics: This security risk is a mass-mailing worm that sends itself to the addresses it collects from the Microsoft Outlook address book. The infected email messages sent by the [email protected] worm have random subjects, attachments and message bodies. The attachment that carries the worm’s malicious code has the .scr file extension. The worm also copies its code to the victim machine as nine different files with the .scr extension, and to drive A:\ as one .scr file.

More details about [email protected]

When it executes on the host computer, the [email protected] worm displays an official-looking but fake message titled ‘Installation Problems’. It then inserts text into the Win.ini file. Afterwards, it makes multiple copies of itself on the system as files with the .zip.scr file extension. The worm then sends itself to the addresses it has obtained from the Microsoft Outlook address book in order to propagate. Once an unsuspecting user has downloaded the attachment from the infected email and run the file, the worm loads on that user’s system and begins its routine again. This worm may also have backdoor capabilities that allow it to communicate with its remote author.

Once the [email protected] malware has sent copies of its code via email, it deletes all the copies it dropped on the compromised machine, with the exception of the .scr file it dropped on drive A:\. It then inserts another piece of text into the Win.ini file. It also adds a value to the registry so that it launches when Windows starts.

The [email protected] program typically arrives on a machine in a contaminated e-mail message. Infection takes place when the user runs the attachment. When a typical mass-mailer is executed, it installs a copy of its file on the system and creates a startup key for itself in the Windows registry. It then remains active in the computer’s memory. While it is active, the mass-mailer searches specific files, such as HTML files, on all accessible hard disks for e-mail addresses. Finally, it connects to an available mail server and transmits itself to every address it has found.
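A mail-gateway style check for the attachment names described above (.scr, and .scr hidden behind a second extension such as .zip.scr), added here as an illustration and not taken from the original entry. The function names, the decoy-extension list and the sample message are assumptions constructed for this example.

```python
import email
from email import policy
from email.message import EmailMessage
from pathlib import PureWindowsPath

# Assumed list of harmless-looking extensions used to disguise a .scr file.
DECOY_EXT = {".zip", ".doc", ".txt", ".jpg", ".gif", ".htm", ".html"}

def classify_filename(name):
    """Return 'double-extension', 'screensaver', or None for an attachment name."""
    # Windows ignores trailing dots and spaces, so "x.scr. " still runs as .scr.
    cleaned = name.strip().rstrip(". ").lower()
    suffixes = PureWindowsPath(cleaned).suffixes
    if not suffixes or suffixes[-1] != ".scr":
        return None
    if len(suffixes) >= 2 and suffixes[-2] in DECOY_EXT:
        return "double-extension"
    return "screensaver"

def scan_message(raw_bytes):
    """Walk every MIME part and report (filename, verdict) for risky names."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    findings = []
    for part in msg.walk():
        name = part.get_filename()
        verdict = classify_filename(name) if name else None
        if verdict:
            findings.append((name, verdict))
    return findings

def build_sample():
    """Constructed test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"] = "sender@example.com"
    m["To"] = "recipient@example.com"
    m["Subject"] = "constructed sample"
    m.set_content("See attached.")
    for fname in ("photos.zip.scr", "Setup.SCR"):
        m.add_attachment(b"placeholder", maintype="application",
                         subtype="octet-stream", filename=fname)
    m.add_attachment("plain notes", filename="notes.txt")
    return m.as_bytes()

if __name__ == "__main__":
    for name, verdict in scan_message(build_sample()):
        print(f"quarantine: {name} ({verdict})")
```

The same `classify_filename` check can be pointed at file names found on a removable drive or in a user profile, since the entry describes .scr copies being left there as well.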