[email protected]

Aliases: Email-Worm.Win32.generic
Variants: [email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 10 Jul 2005
Damage: Medium

Characteristics: [email protected] is a mass-mailing worm that infects Windows systems. It spreads through Microsoft Outlook and the America Online user interface. It lowers security settings by ending security-related processes and by disabling several Windows security features. It is a slow infector but does medium damage to an infected computer.

More details about [email protected]

When the worm [email protected] is executed, it copies itself as updater32.exe and modifies the registry so that it runs every time Windows starts. It also disables notification of firewall status through the Windows Security Center, disables automatic Windows Updates, and disables access to the Windows Task Manager and registry editing tools. It then uses Microsoft Outlook to send an email to every address it finds in the Microsoft Windows Outlook address book. The email has a file named SP2UPDATE.EXE attached to it. The subject of the email reads: “Fwd: Micorsoft SP2 Update”. The message of the email reads: “Microsoft SP2 Update Download It”. It also sends a message to other AOL users on the infected computer using the America Online interface.
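A mail-gateway check for the lure described above, as an added example that is not part of the original entry. It matches the quoted subject, message text and attachment name; the function names `score_message` and `build_sample`, the verdict labels and the sample addresses are assumptions made for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Mail indicators quoted in the entry; the subject's misspelling is part of the match.
SUBJECT = "fwd: micorsoft sp2 update"
BODY = "microsoft sp2 update download it"
ATTACHMENT = "sp2update.exe"

def _norm(text: str) -> str:
    """Collapse whitespace and case so folded headers and wrapped bodies compare equal."""
    return " ".join(text.split()).lower()

def score_message(raw: bytes) -> dict:
    """Report which of the three indicators a raw RFC 5322 message matches."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    text = msg.get_body(preferencelist=("plain", "html"))
    hits = {
        "subject": _norm(str(msg.get("Subject", ""))) == SUBJECT,
        "body": BODY in _norm(text.get_content()) if text is not None else False,
        "attachment": any(_norm(p.get_filename() or "") == ATTACHMENT for p in msg.walk()),
    }
    # Attachment plus one text indicator is the full lure; a single hit only merits review.
    if hits["attachment"] and (hits["subject"] or hits["body"]):
        verdict = "block"
    elif any(hits.values()):
        verdict = "review"
    else:
        verdict = "pass"
    return {**hits, "verdict": verdict}

def build_sample(subject: str, body: str, attachment: str = "") -> bytes:
    """Build a constructed test message; addresses and payload bytes are placeholders."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = "sender@example.com", "user@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"constructed placeholder", maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()

if __name__ == "__main__":
    lure = build_sample("Fwd: Micorsoft SP2 Update",
                        "Microsoft SP2 Update Download It", "SP2UPDATE.EXE")
    print(score_message(lure))
```

String matching of this kind only catches the exact lure quoted here; a gateway rule that rejects executable attachments outright covers renamed copies as well.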

The worm [email protected] also creates and runs the file killer.bat. This batch script ends various processes. Some of these processes are security related. The [email protected] software downloads unsolicited files and programs from a remote server. These files may consist of adware and spyware programs, worms and other viruses that add to the system’s vulnerability. The additional components take up most of the infected system’s local disk space.