[email protected]

Aliases: W32/Recory, I-Worm/Recory, WORM_RECORY, W32/[email protected], Recory Internet Worm
Variants: [email protected]

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 31 Dec 2002
Damage: Low

Characteristics: [email protected] is a mass-mailing worm. It is written in Visual Basic. For it to execute, the Visual Basic run-time libraries have to be installed on the computer. It uses Microsoft Outlook to spread itself to all the contacts in the Windows Address Book. It also spreads via a file-sharing network.

More details about [email protected]

The email that the worm [email protected] sends has a randomly chosen subject and attachment. The attachment will have an extension of .com, .exe or .pif. When [email protected] is executed, it copies itself into the system using various filenames. It also modifies the registry to make sure it runs every time Windows starts. The worm searches the computer for specific files. If the file RecoveryWorm32.scr is not found, the system date is January 16th, March 16th, May 16th, July 16th, September 16th, or November 16th. If the following files are found: Msdos32.pif, TaskBoot.com, Autoexec32.bat, or Autotest.com, the worm displays a message. The message has a title that reads: “W32/Recovery family worm by...”. The body of the message reads: “It seems to me that your computer is in need of urgent recovery.”

[email protected] uses Microsoft Outlook to email itself to all the contacts in the Windows Address Book. The email message uses different subjects and attachments. The [email protected] program can display pop-up advertisements on the infected system whenever it is connected to the Internet. A keylogger function may be used to capture data as it is typed. Browsing habits may also be recorded and sent to a remote server as market research.
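
An added triage sketch, not part of the original write-up: it flags e-mail attachments with the extensions listed above and looks under a directory for the filenames the write-up names. The function names and the sample message are assumptions constructed for illustration, and a filename match is only a lead for further analysis, since the write-up does not say where these files reside.

```python
import os
from email.message import EmailMessage

# Filenames the write-up says the worm searches for (names from the page;
# a match is a lead for triage, not proof of infection).
RECORY_FILENAMES = {"recoveryworm32.scr", "msdos32.pif", "taskboot.com",
                    "autoexec32.bat", "autotest.com"}
# Attachment extensions the write-up lists for the worm's e-mails.
RISKY_EXTENSIONS = (".com", ".exe", ".pif")


def normalize(name):
    """Take the basename, lower-case it, drop trailing dots/spaces."""
    return os.path.basename(name.replace("\\", "/")).rstrip(". ").lower()


def scan_tree(root):
    """Return sorted paths under root whose filename is on the list."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        hits += [os.path.join(dirpath, f) for f in files
                 if normalize(f) in RECORY_FILENAMES]
    return sorted(hits)


def risky_attachments(msg):
    """Return attachment filenames in msg that end in a listed extension."""
    flagged = []
    for part in msg.walk():
        filename = part.get_filename()
        if filename and normalize(filename).endswith(RISKY_EXTENSIONS):
            flagged.append(filename)
    return flagged


def build_sample():
    """Constructed message: one benign and one executable-type attachment."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment(b"x", maintype="application",
                       subtype="octet-stream", filename="notes.txt")
    msg.add_attachment(b"x", maintype="application",
                       subtype="octet-stream", filename="Photo.JPG.PIF")
    return msg


if __name__ == "__main__":
    print(risky_attachments(build_sample()))
```

The comparison is case-insensitive and ignores trailing dots and spaces, so a double-extension name such as `Photo.JPG.PIF` is still matched on its final extension.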