[email protected]

Variants: [email protected], [email protected], [email protected], [email protected], [email protected]

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 16 Feb 2004
Damage: Low

Characteristics: [email protected] belongs to the family of mass-mailing worms that use their own SMTP engine to send themselves to the email addresses they harvest. Like other worms, it also scans all local hard drives and mapped drives. It searches drives “C” through “Z” for folders whose names contain "Share" or "Sharing" and copies itself into those folders. The sender (“From”) address and the attachment vary from message to message.

More details about [email protected]

It also retrieves email addresses from files with the following extensions: .msg, .oft, .sht, .dbx, .tbb, .adb, .doc, .wab, .asp, .uin, .rtf, .vbs, .html, .htm, .pl, .php, .txt and .eml. Reports also note several bugs in this code: the worm searches a file for email addresses whenever the file's extension is a substring of one of the extensions listed above, not only when it matches exactly. It affects all Windows platforms. Creating and duplicating files is another characteristic of this worm. It creates a mutex named “AdmMoodownJKIS003” so that only one instance of the worm runs at a time. The Windows directory is also modified: a copy of the worm named “Services.exe” is placed there.
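A host-triage script for the two drop locations described above (the “Services.exe” copy in the Windows directory, and executables inside folders whose names contain “Share” or “Sharing”). This is an added example written for this page, not code from the original write-up or from any vendor tool. Assumptions are labelled: the legitimate Windows `services.exe` lives under `System32`, so a file of that name directly in the Windows directory is treated as suspicious; the set of executable extensions flagged inside share folders is a choice of this example, since the page does not say what the share-folder copies are named; the directory tree used by `demo()` is constructed so the script runs offline on any OS.

```python
"""Triage for the dropped copies described in the write-up above (added example)."""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

DROPPED_NAME = "services.exe"          # name of the copy left in the Windows directory (from the page)
SHARE_MARKERS = ("share", "sharing")   # folder-name substrings the worm searches for (from the page)
# Assumption of this example: which file types to report inside share-like folders.
EXECUTABLE_EXTS = {".exe", ".scr", ".pif", ".com"}


def is_share_folder(name: str) -> bool:
    """True if a folder name contains one of the markers the worm looks for (case-insensitive)."""
    lowered = name.lower()
    return any(marker in lowered for marker in SHARE_MARKERS)


def windows_dir_findings(windows_dir: Path) -> list[tuple[str, str]]:
    """Report a 'Services.exe' sitting directly in the Windows directory.

    Assumption: the legitimate binary is %SystemRoot%\\System32\\services.exe,
    so a same-named file one level up is not expected on a clean host.
    """
    if not windows_dir.is_dir():
        return []
    return [("windows-dir-copy", str(entry))
            for entry in windows_dir.iterdir()
            if entry.is_file() and entry.name.lower() == DROPPED_NAME]


def share_folder_findings(roots) -> list[tuple[str, str]]:
    """Walk each root (a drive letter on Windows) and report executables in share-like folders."""
    hits = []
    for root in roots:
        for dirpath, _dirnames, filenames in os.walk(root):
            if not is_share_folder(Path(dirpath).name):
                continue
            for fname in filenames:
                if Path(fname).suffix.lower() in EXECUTABLE_EXTS:
                    hits.append(("share-folder-copy", str(Path(dirpath) / fname)))
    return hits


def triage(windows_dir: Path, drive_roots) -> list[tuple[str, str]]:
    """Combine both checks into one list of (finding-kind, path) tuples."""
    return windows_dir_findings(windows_dir) + share_folder_findings(drive_roots)


def demo() -> list[tuple[str, str]]:
    """Build a constructed directory tree and run the triage over it (no real host needed)."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        win = base / "Windows"
        (win / "System32").mkdir(parents=True)
        (win / "System32" / "services.exe").write_bytes(b"constructed: legitimate location")  # not flagged
        (win / "Services.exe").write_bytes(b"constructed: dropped copy")                      # flagged
        drive = base / "D"
        (drive / "Public Share").mkdir(parents=True)
        (drive / "Public Share" / "readme.txt").write_text("constructed text file")           # not executable
        (drive / "Public Share" / "document.exe").write_bytes(b"constructed: dropped copy")   # flagged
        (drive / "Docs").mkdir()
        (drive / "Docs" / "tool.exe").write_bytes(b"constructed: ordinary program")           # not a share folder
        findings = triage(win, [drive])
        # Return paths relative to the temp root so the result is stable across runs.
        return sorted((kind, Path(path).relative_to(base).as_posix()) for kind, path in findings)


if __name__ == "__main__":
    if os.name == "nt":
        # On a real Windows host: use %SystemRoot% and every mounted drive letter C..Z.
        windows_dir = Path(os.environ.get("SystemRoot", r"C:\Windows"))
        roots = [Path(f"{letter}:\\") for letter in "CDEFGHIJKLMNOPQRSTUVWXYZ"
                 if Path(f"{letter}:\\").exists()]
        for kind, path in triage(windows_dir, roots):
            print(kind, path)
    else:
        for kind, path in demo():
            print(kind, path)
```

Run it as-is on a non-Windows machine to see the two constructed findings; on Windows it scans `%SystemRoot%` and the mounted drives instead. A hit is a lead for hashing and quarantine, not proof of infection on its own: an administrator may legitimately keep an installer in a folder called "Share", so the script reports candidates rather than deleting anything.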

Its malicious behaviour is concealed and poses a serious security risk to the affected computer. Field reports say the worm’s primary feature is a backdoor that allows another party to remotely control or influence the computer. The program usually opens a TCP port and sends a modified URL or email message to the hacker. The port opened by the [email protected] program is then used by the hacker to access the computer. Once the hacker has gained access, a number of actions can be performed on the computer without the user’s knowledge or consent: the hacker can remotely modify files, delete files, run programs and even shut down or reboot the computer.