[email protected]

Aliases: W32/[email protected]
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Dormant
Spreading: Slow
Geographical info: Europe, North and South America, and some parts of Asia and Australia
Removal: Easy
Platform: W32
Discovered: 16 Aug 2004
Damage: Medium

Characteristics: [email protected] is a member of mass-mailing worm that terminates attacks on various Web design Web sites such as www.hvr-systems.cc, www.real-creative.de, www.2rebrand.com, www.designload.com, www.designgalaxy.net, www.procartoonz.com, and www.designload.net. It affects certain Windows Operating System such as Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT and Windows XP. It also duplicates through email, using its own SMTP engine while also spreading through shared folders.

More details about [email protected]

Sometimes, it changes the boot sector and it could result to the inability of the computer to run. The files it usually sends are named as either one of these files: office.exe, notes.exe, doom3demo.exe, resume.exe, files.exe, request.exe, info.exe, details.exe. result.exe, results.exe, install.exe, setup.exe, test.exe, google.exe and se_files.exe. Once executed, it creates a mutex named “4D36E64A-W325-121E-BFC1-080C2BE11318". This is created so that only one instance of the worm is running in the computer. Another replicate of itself is also known as “winlogon.exe”. This worm may also be destructive for it removes automatically services such as: kavsvc, SAVScan, Symantec Core LC, navapsvc, and wuauserv.

When the [email protected] program is installed, it modifies the system registry by adding new registry keys and registry values. It also adds a registry value to one of the registry keys to allow the program to automatically run whenever the user reboots the system. Security experts claim that the [email protected] program is malware because of the unauthorized and unwanted changes it creates to the affected computer. The program is responsible for the loss of personally identifiable information (PII) in favor of the hacker which the latter can make use to the disadvantage of the user. The program also downloads and executes unauthorized codes and allows the performance of Denial of Service (DOS) attacks.