W32/Refoav

Aliases: W32/Refoav, Refoav
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 07 Apr 2003
Damage: Low

Characteristics: W32/Refoav is a mass-mailing worm that infects Windows systems. It uses Microsoft Outlook to send itself to every contact in the Outlook Address Book. It spreads slowly and causes low damage on an infected computer; it can be removed easily with an updated antivirus program.

More details about W32/Refoav

W32/Refoav is a mass-mailing worm written in Microsoft Visual Basic. The subject of the email it sends reads: No esta registrado el usuario. The email carries an attachment named FOAVRE.exe. When W32/Refoav runs, it copies itself to C:\FOAVRE.exe and sets the file's attributes to Hidden and Archive. It also creates the files Vbseli.vbs and Datospc.dat in the root of drive C, likewise set to Hidden and Archive. The worm then modifies the registry so that it runs every time Windows starts, and uses Microsoft Outlook to send itself to all the contacts in the Outlook Address Book. When the file Vbseli.vbs runs, it displays five messages, removes the registry value the worm added, and deletes the files FOAVRE.exe and Vbseli.vbs.
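The following PowerShell triage script is an added example, not part of the original entry or of any vendor tool; it checks a host for the indicators listed above (the three hidden files in the root of C: and a Run-key value referencing FOAVRE.exe) and, with -Clean, removes them. It assumes the persistence value lives in one of the standard HKLM/HKCU Run keys, since the entry does not name the key or value.

```powershell
param([switch]$Clean)   # report only by default; -Clean stops the process and removes the indicators

# Indicators taken from the entry: dropped files in the root of drive C, attributes Hidden + Archive.
$droppedFiles = 'C:\FOAVRE.exe', 'C:\Vbseli.vbs', 'C:\Datospc.dat'
# Assumed persistence location (the entry only says "the registry"); both Run keys are inspected.
$runKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
           'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$findings = @()

# -Force is essential: the worm sets Hidden, and Get-Item silently skips hidden files without it.
foreach ($path in $droppedFiles) {
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if (-not $item) { continue }
    $hash = (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash
    $findings += [pscustomobject]@{
        Type   = 'File'
        Where  = $path
        Detail = "Attributes=$($item.Attributes) SHA256=$hash"
    }
}

# Any Run value whose command line references the worm copy is the autostart entry.
foreach ($key in $runKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    foreach ($p in $props.PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }          # skip PSPath, PSParentPath and friends
        if ("$($p.Value)" -match '(?i)foavre\.exe') {
            $findings += [pscustomobject]@{ Type = 'Registry'; Where = "$key\$($p.Name)"; Detail = $p.Value }
        }
    }
}

if ($findings.Count -eq 0) { 'No W32/Refoav indicators found.'; return }
$findings | Format-Table -AutoSize

if ($Clean) {
    # The image must not be running when its file is deleted, so stop it first.
    Get-Process -Name 'FOAVRE' -ErrorAction SilentlyContinue | Stop-Process -Force
    foreach ($f in $findings) {
        if ($f.Type -eq 'File') {
            Remove-Item -LiteralPath $f.Where -Force
        } else {
            $keyPath, $valueName = $f.Where -split '\\(?=[^\\]+$)'   # split at the last backslash
            Remove-ItemProperty -Path $keyPath -Name $valueName
        }
    }
    'W32/Refoav indicators removed; reboot and rescan with an updated antivirus product.'
}
```

Run it from an elevated PowerShell session so that the HKLM key and files in the drive root can be read and, with -Clean, modified.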

The W32/Refoav program places a copy of itself in the system, commonly as an executable in the System or Windows folder. The file name used may resemble that of a legitimate process, to hinder detection and removal. The process is also added to the system registry so that the application runs once the system starts. The W32/Refoav application connects to a remote server, commonly hard-coded in the program and specified as a web or IP address. The backdoor software then waits for commands to execute on the infected system.