[email protected]

Aliases: Win32.Mugly.J [Computer Associ, Email-Worm.Win32.Wurmark.i [Ka, W32/[email protected] [McAfee], W32/Wurmark-I [Sophos]
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Some parts of Asia, Europe, North and South America, Africa and Australia
Removal: Easy
Platform: W32
Discovered: 14 Apr 2005
Damage: Medium

Characteristics: [email protected] was discovered on April 14, 2005. It is a worm that produces copies of itself, sends them to instant messenger contacts and drops a copy of a W32.Spybot.Worm variant. It mainly affects Windows operating systems, namely Windows 2000, 95, 98, Me, NT, Server 2003 and XP.

More details about [email protected]

Once [email protected] is executed, it opens www.[domain removed].com/forums/LOL-AlbinoGorrilla.jpg in the default browser and drops several files under the %SystemDrive% and %System%\ folders. It then creates system registry keys to install ANSMTP.DLL. It also gathers email addresses from the Yahoo! and MSN messenger contact lists and sends itself to them as an email attachment. When the attachment is opened, the file bx.exe is executed. This file is a copy of a W32.Spybot.Worm variant and installs itself as wini.exe under %System%. Afterwards, the worm adds and modifies values under several system registry subkeys and then contacts an IRC server at paris-hack.om:8080, where it waits for commands from an attacker.

The [email protected] application opens a backdoor on the user's machine. Remote intruders can use the backdoor to gain access to the computer with administrator-level control, and other malware can use it as an entry point. The application listens for commands from the remote user on an open port, and the tasks sent by the intruder are carried out silently. The [email protected] application may also disable security applications on the affected machine, which leaves the system more exposed to further infections. Users may notice that the computer shuts down and restarts by itself repeatedly, which can result in a system crash.
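As an added, defensive example that is not part of this entry: the script below runs simple detection logic over constructed host log lines, matching the dropped file names (bx.exe, wini.exe), the ANSMTP.DLL registry change and the IRC server paris-hack.om:8080 named above. The key=value event format is an assumption made for the example, not a real EDR export.

```python
import re
from typing import List, Optional, Tuple

# Indicators taken from the description above; everything else is constructed.
SUSPECT_FILES = {"bx.exe", "wini.exe", "ansmtp.dll"}
IRC_C2_HOST, IRC_C2_PORT = "paris-hack.om", "8080"

# Constructed sample events (assumed key=value format, one event per line).
SAMPLE_LOG = """\
event=file_create path=C:\\WINDOWS\\system32\\wini.exe
event=file_create path=C:\\WINDOWS\\system32\\notepad.exe
event=process_start image=C:\\Temp\\bx.exe parent=outlook.exe
event=net_connect dest=paris-hack.om port=8080 image=C:\\WINDOWS\\system32\\wini.exe
event=net_connect dest=update.example.org port=443 image=C:\\Program Files\\app.exe
event=reg_set key=HKLM\\Software\\Classes\\ANSMTP.DLL
"""

def parse_event(line: str) -> dict:
    """Split a 'key=value key=value' line; values may contain spaces."""
    fields = re.split(r"\s+(?=\w+=)", line.strip())
    return dict(f.split("=", 1) for f in fields if "=" in f)

def basename(path: str) -> str:
    """Last path component, lower-cased, for either slash style."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def check_event(ev: dict) -> Optional[str]:
    """Return a reason if the event matches an indicator from the entry, else None."""
    kind = ev.get("event")
    if kind in ("file_create", "process_start"):
        name = basename(ev.get("path") or ev.get("image") or "")
        if name in SUSPECT_FILES:
            return f"known dropped file name: {name}"
    if kind == "net_connect":
        if ev.get("dest", "").lower() == IRC_C2_HOST and ev.get("port") == IRC_C2_PORT:
            return "connection to the IRC server used for attacker commands"
    if kind == "reg_set" and "ansmtp.dll" in ev.get("key", "").lower():
        return "registry change installing ANSMTP.DLL"
    return None

def scan_log(text: str) -> List[Tuple[int, str]]:
    """Return (line number, reason) for every matching event in the log text."""
    hits = []
    for no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            reason = check_event(parse_event(line))
            if reason:
                hits.append((no, reason))
    return hits

if __name__ == "__main__":
    for no, reason in scan_log(SAMPLE_LOG):
        print(f"line {no}: {reason}")
```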