[email protected]

Aliases: [email protected], I-Worm.Naked, W32/[email protected], WORM_NAKED.A, W32/Naked
Variants: Win32.HLLW.Naked, Win32/[email protected], W32/[email protected], I-Worm/[email protected] 

Classification: Malware
Category: Computer Worm

Status: Inactive
Spreading: Moderate
Geographical info: South America, North America
Removal: Easy
Platform: W32
Discovered: 06 Mar 2001
Damage: High

Characteristics: The mass mailing worm, direct action [email protected] worm is a malware that masks itself as a Flash movie file. This malware will gather email addresses from the compromised system’s Outlook address book and then send infected mails to the gathered addresses. After its mass mailing routine, the worm will then try to delete some system files which can cause the system to be defective, necessitating a re-installation of the operating system.

More details about [email protected]

Once a recipient clicks on the attachment of the infected email, the worm will send its copies via email and then begins to delete files. The files targeted by the worm for deletion include those with the file extensions .com, .exe, .dll, .bmp in the directory of Windows and the files with the extensions .bmp, .exe, .dll, .log and .ini in the system directory. The [email protected] worm doesn’t install itself in the victim machine and doesn’t register itself in the registry. This direct action malware carries out its tasks only one being launched from the compromised attachment. It does however copy its code in the TEMP directory but does not use that duplicate. When activated, the worm will show a fake window with the logo of the Macromedia Flash Player and the message Loading.

The menus displayed in the fake windows displayed by the [email protected] worm do not actually work, save for the Help menu. When users select the Help menu, the option About Macromedia Flash Player message appears and when the message is selected, the malware will display a message box. This message box will contain a vulgar message. The worn program can be used to change the files in the computer. The security settings may be lowered to prevent removal. The infected machine can be instructed to join in a DDoS (Distributed Denial of Service) attack. The computer resources can be used to bring down a remote server or website. The [email protected] worm application can also be instructed to perform certain actions on IRC. This can include joining other channels and sending messages to other users.