[email protected]

Aliases: W32/[email protected], WORM_LOVELORN.A, Win32.Lovelorn.A, I-Worm.Lovelorn, W32/Cailont-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 28 Apr 2003
Damage: Low

Characteristics: [email protected] is a part of the family of mass-mailing worm that makes use of its SMTP engine to propagate itself. It attacks all Windows Operating Systems. This worm is believed to be written in the Borland C++ programming language. The email will have several subject lines but contains these two attachments with the filename: “.Kiss.ok.exe” or “.htm.”

More details about [email protected]

The email messages maybe, “Re:baby!your friend send this file to you !”,” : HELP??-“, “:Get Password mail...”,” There're some Passwords here”,” Re:Binladen_Sexy.jpg”, “ Re”,” The Sexy story and 4 sexy picture of BINLADEN !”,” Re:I Love You...OKE!”,” A Greeting-card for you .”,” Re:Kiss you..^@^”,” Guide to ...”,” Re:Baby! 2000USD,Win this game...” and “Help.” While the messages contain the following, “Read this file”,” Help...”,” Enjoy “,”Read File attach .”,” run File Attach to extract:BinladenSexy.jpg...”,” Enjoy! BINLADEN:SEXY..”,” Souvenir for you from file attach...”,” See the Greeting-card”,” Read file attach “,”I like Sexy with you.”,” Play the game from file attach” and “Help.” Aside from email propagation, it also copies itself to windows system folders as: “Explorer.exe,”Kernel32.exe,”Netdll.dll” and “Serscg.dll.” This is also a file infector that encrypts the host file, and then patches itself to the host file. As such, it is always a good practice when you are using a firewall to block all incoming connections from the Internet to services that should not be publicly available.

Some authors categorized the [email protected] program as a high risk program because it could severely affect system security. It could open illegal network connections and self-mutate through polymorphic strategies. It could possibly change system files. The [email protected] program could also collect and send personal information. This program is commonly not visible in the log of active programs. It is installed without getting the user’s permission. Neither, does it present an End-User License Agreement (EULA).