Aliases: Win32.Mugly.J [Computer Associ, Email-Worm.Win32.Wurmark.i [Ka, W32/[email protected] [McAfee], W32/Wurmark-I [Sophos]
Category: Computer Worm
Status: Active & Spreading
Distribution: Some parts of Asia, Europe, North and South America, Africa and Australia
Discovered: 14 Apr 2005
Characteristics: [email protected] was discovered on April 14, 2005. It is a mass-mailing worm that produces copies of itself, sends them to instant-messenger contacts, and drops a copy of a W32.Spybot.Worm variant. It mainly affects Windows operating systems, namely Windows 2000, 95, 98, Me, NT, Server 2003 and XP.
If this malware is on your computer it will cause annoyances and will damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software.
We recommend that you scan your system for malware. Our partner has a computer worm removal tool to automatically clean [email protected] from your computer.
Once [email protected] is executed, it opens www.[domain removed].com/forums/LOL-AlbinoGorrilla.jpg in the default browser and drops several files under the %SystemDrive% and %System%\ folders. The worm then creates system registry keys while installing ANSMTP.DLL. It also gathers email addresses from the Yahoo! and MSN Messenger contact lists and sends itself to them as an email attachment. When the attachment is opened, the file bx.exe runs; this file is a copy of a W32.Spybot.Worm variant, saved as wini.exe under %System%. Afterwards, the worm adds and modifies values under several system registry subkeys, then contacts an IRC server at paris-hack.om:8080 to receive commands from the attacker.
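A host-triage check for the indicators this entry lists (bx.exe, wini.exe under %System%, the ANSMTP.DLL registration, and the IRC connection to paris-hack.om:8080), as an added example that is not part of the original entry and not vendor code; the event schema, the indicator weights, the threshold and the sample events are assumptions:

```python
# Added example (not from the original entry): correlates constructed,
# Sysmon-style host events against the indicators listed above.
# Field names, weights and the verdict threshold are assumptions.
from __future__ import annotations
import ntpath

# Indicators taken from the entry; the weights are assumed.
FILE_IOCS = {"bx.exe": 2, "wini.exe": 3}
NET_IOCS = {("paris-hack.om", 8080): 3}
REG_IOC_SUBSTR = "ansmtp"   # ANSMTP.DLL is a generic SMTP component: weak alone
VERDICT_THRESHOLD = 4       # assumed: one strong hit plus any corroboration

def score_events(events: list[dict]) -> tuple[int, list[str]]:
    """Return (score, findings) for a batch of host events.
    Each event is a dict with 'type' in {'process','file','network','registry'}."""
    score, findings = 0, []
    for ev in events:
        kind = ev.get("type")
        if kind in ("process", "file"):
            # Match on file name only; the entry gives no fixed drop path for bx.exe
            name = ntpath.basename(ev.get("path", "")).lower()
            if name in FILE_IOCS:
                score += FILE_IOCS[name]
                findings.append(f"{kind}: {ev['path']}")
        elif kind == "network":
            key = (ev.get("dest_host", "").lower(), int(ev.get("dest_port", 0)))
            if key in NET_IOCS:
                score += NET_IOCS[key]
                findings.append(f"network: {key[0]}:{key[1]}")
        elif kind == "registry":
            # Registration of the bundled SMTP component shows up in the value data
            if REG_IOC_SUBSTR in (ev.get("key", "") + ev.get("value", "")).lower():
                score += 1
                findings.append(f"registry: {ev['key']}")
    return score, findings

def is_wurmark_like(events: list[dict]) -> bool:
    return score_events(events)[0] >= VERDICT_THRESHOLD

# Constructed sample events, not real telemetry; the CLSID is a placeholder
SAMPLE_EVENTS = [
    {"type": "process", "path": r"C:\Documents and Settings\user\bx.exe"},
    {"type": "file", "path": r"C:\WINDOWS\system32\wini.exe"},
    {"type": "registry", "key": r"HKLM\SOFTWARE\Classes\CLSID\{CONSTRUCTED}\InprocServer32",
     "value": r"C:\WINDOWS\system32\ANSMTP.DLL"},
    {"type": "network", "dest_host": "paris-hack.om", "dest_port": 8080},
    {"type": "network", "dest_host": "www.example.com", "dest_port": 80},
]

if __name__ == "__main__":
    print(score_events(SAMPLE_EVENTS), is_wurmark_like(SAMPLE_EVENTS))
```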
The [email protected] application opens a backdoor on the user's machine. Remote intruders can use the backdoor to gain access to the computer with administrator-level control, and other malware can use it as an entry point. The application listens on an open port for commands from the remote user, and the tasks the intruder sends are carried out stealthily. The [email protected] application may also disable security applications on the affected machine, which leaves the system more exposed to further threats. Users may also notice that the computer shuts down and restarts by itself repeatedly, which can result in a system crash.