W32.Pexmore

Aliases: VBS/Pexmor.A, Trojan-Dropper.VBS.Small.l, W32/Licu.worm.dr, VBS/Pegas-A
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 16 Sep 2005
Damage: Medium

Characteristics: W32.Pexmore was first discovered on September 16, 2005. It is a mass-mailing worm, meaning that it sends a copy of itself as an email attachment using its own SMTP engine. It mostly affects Windows 2000, 95, 98, Me, NT, Server 2003 and XP.

More details about W32.Pexmore

When executed, W32.Pexmore performs the following actions. Like other worms, it copies itself as MSMSGS.exe, SVCHOST.exe, Winword.exe and LSASS.exe in %Temp%\ and as SEXO.pif in C:\WINDOWS\Drivers. The worm also creates more files in %Temp%\: OfficeHost.vbs, bailando.vbe, folder.htt and folder.htm. If these files run, a copy of the worm is dropped as C:\[RANDOM].exe. Next, the worm creates sen.bat in the current folder, which attempts to share the Drivers folder on drive C:, specifically the one in the WINDOWS folder. The worm creates three more files before it deletes all values under two particular system registry subkeys. After that, it adds values to some system registry keys and then attempts to send itself as an email attachment using its own SMTP engine. The email has the subject “Curiosidades en la red” and the attachment bailando.vbe. The worm may also copy files, mostly named in Spanish words, to the root folder of enumerated drives.
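The file artifacts listed above can be checked against a file inventory. The following is an added example, not part of the original write-up: the function names, the sample inventory and the user profile path are constructed for illustration, and the caller is assumed to supply the resolved %Temp% directory.

```python
from pathlib import PureWindowsPath

# File names the description above places directly in %Temp%\.
TEMP_NAMES = {"msmsgs.exe", "svchost.exe", "winword.exe", "lsass.exe",
              "officehost.vbs", "bailando.vbe", "folder.htt", "folder.htm"}
DRIVERS_DIR = PureWindowsPath(r"C:\WINDOWS\Drivers")

def classify(path, temp_dir):
    """Return a reason string if the path matches a listed artifact, else None."""
    p = PureWindowsPath(path)            # Windows path rules, comparisons ignore case
    name = p.name.lower()
    if p.parent == PureWindowsPath(temp_dir) and name in TEMP_NAMES:
        return "listed file name in %Temp%"
    if p.parent == DRIVERS_DIR and name == "sexo.pif":
        return "SEXO.pif in C:\\WINDOWS\\Drivers"
    if name == "sen.bat":
        return "sen.bat (batch file that shares the Drivers folder)"
    # C:\[RANDOM].exe: the name is random, so only the location can be matched.
    if p.is_absolute() and len(p.parts) == 2 and p.suffix.lower() == ".exe":
        return "executable in drive root (review manually)"
    return None

def scan(paths, temp_dir):
    """Classify every path and keep only the matches, as (path, reason) pairs."""
    hits = []
    for path in paths:
        reason = classify(path, temp_dir)
        if reason:
            hits.append((path, reason))
    return hits

# Constructed sample inventory (not taken from a real host).
SAMPLE_TEMP = r"C:\Users\alice\AppData\Local\Temp"
SAMPLE_INVENTORY = [
    r"C:\WINDOWS\system32\svchost.exe",                  # legitimate location
    r"c:\users\alice\appdata\local\temp\SVCHOST.EXE",    # same name, in %Temp%
    r"C:\Users\alice\AppData\Local\Temp\bailando.vbe",
    r"C:\WINDOWS\Drivers\SEXO.pif",
    r"C:\qzkxw.exe",
    r"D:\work\sen.bat",
    r"C:\Program Files\Microsoft Office\Winword.exe",    # not in %Temp%
]

if __name__ == "__main__":
    for path, reason in scan(SAMPLE_INVENTORY, SAMPLE_TEMP):
        print(f"{path}: {reason}")
```

A name such as svchost.exe or lsass.exe is flagged only by location, so the legitimate copies outside %Temp% are not reported.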

The W32.Pexmore software reportedly places its files in either the System folder or the Windows directory. The components are saved using misleading file names, which may mimic those of legitimate processes; random characters may also be used. This prevents detection. The Trojan program adds the files to the system registry, which allows the application to run at system startup. A specific server location, which may be a web or FTP site, is hard-coded into the program. The exact URL may vary to prevent detection. Once the installation is complete, the application connects to the remote server and downloads files. The files may be stored in the same location as the components, or they may be placed in other hidden subfolders.