[email protected]


Aliases: W32/[email protected], [email protected]
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 13 Dec 2004
Damage: Low

Characteristics: [email protected] is a mass-mailing worm. It sends a copy of itself as an attachment to the email addresses that it gathers from the files on a compromised computer. The worm sends an email using random email addresses. The subject of the email is written in Chinese characters.

More details about [email protected]

[email protected] is a mass-mailing worm that spreads as an email attachment. When executed, it creates a copy of itself with the filename Inetdbs.exe and adds values to the registry so that it runs every time Windows starts. It downloads ZIP and OCX files from the domains tenship.com and freehost23.websamba.com, and then attempts to download a copy of Backdoor.PowerSpider.B from the same domains. It sends a copy of itself as an attachment to email addresses found on the compromised computer. The email uses random email addresses. Its subject and message are written in Chinese characters, and the attachment is a ZIP file whose filename is also written in Chinese characters.
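The indicators named above (the two download domains and the dropped file name Inetdbs.exe) can be matched against exported proxy logs and autorun listings. The following is an added example, not part of the original write-up; the function names, sample URLs and file paths are constructed placeholders.

```python
import ntpath
import re
from urllib.parse import urlsplit

# Indicators named in the write-up above.
IOC_DOMAINS = ("tenship.com", "freehost23.websamba.com")
IOC_FILENAME = "inetdbs.exe"

def host_matches(host):
    """True if host equals an IOC domain or is a subdomain of one."""
    host = host.lower().rstrip(".")
    # Compare on label boundaries so look-alike hosts are not flagged.
    return any(host == d or host.endswith("." + d) for d in IOC_DOMAINS)

def url_hits(urls):
    """Return the logged URLs whose host part matches an IOC domain."""
    hits = []
    for url in urls:
        # Proxy logs often omit the scheme; urlsplit needs "//" to see a host.
        host = urlsplit(url if "://" in url else "//" + url).hostname or ""
        if host_matches(host):
            hits.append(url)
    return hits

def autorun_hits(entries):
    """Return (name, command) autorun entries that reference Inetdbs.exe."""
    hits = []
    for name, command in entries:
        # Split on whitespace and quotes, then compare each token's basename.
        tokens = re.split(r'[\s"]+', command)
        if any(ntpath.basename(t).lower() == IOC_FILENAME for t in tokens):
            hits.append((name, command))
    return hits

# Constructed sample data: .example hosts and C:\placeholder paths are made up.
SAMPLE_URLS = [
    "http://www.tenship.com/a.zip",
    "freehost23.websamba.com/x.ocx",
    "http://tenship.com.evil.example/a.zip",
    "http://nottenship.com/",
]
SAMPLE_AUTORUNS = [
    ("updater", r'"C:\placeholder\Inetdbs.exe" /s'),
    ("lookalike", r"C:\placeholder\xInetdbs.exe"),
]

if __name__ == "__main__":
    print(url_hits(SAMPLE_URLS), autorun_hits(SAMPLE_AUTORUNS))
```

The host comparison works on whole DNS labels, so a host that merely contains one of the domains as a substring is not reported.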

[email protected] can also change the web browser's settings, including the error page, home page and search page. The user may also be redirected to unsolicited websites when a URL (Uniform Resource Locator) is mistyped. Links may be added to the Favorites and Bookmarks folders, and clicking these links may lead the user to websites that embed illicit code. The changes made by the software may be difficult to revert to the original settings.