[email protected]

Aliases: W32/Rexli.vbs, W32/[email protected]
Variants: N/A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: North America
Removal: Easy
Platform: W32
Discovered: 06 Feb 2002
Damage: Medium

Characteristics: [email protected] is a mass-mailing worm that infects Windows systems. It is written in Visual Basic. When executed, the worm emails all contacts in the Microsoft Outlook address book. If mIRC is found, the worm modifies the mIRC Script.ini file. This causes an infected user to send the worm to other people over the IRC network.

More details about [email protected]

The worm arrives as an email attachment or via Internet Relay Chat. It is detected as New Backdoor with the 4140 DATs. When scanning with program heuristics enabled, the threat is detected as New Worm. This is a mass-mailing worm and can also spread through IRC. After it has executed 100 times, it deletes critical system files. It arrives in an email message with an attachment named LINKI.EXE. The computer becomes infected when the attachment is executed. Afterwards, a false error message is displayed: "Error while loading REXLI.EXE". The first time the worm is run, it creates a registry key to track itself. It copies itself as REXEC.EXE to the WINDOWS SYSTEM directory. The file LINKI.EXE and a WIN.INI entry are created to load the worm at every Windows startup.

When the worm is executed again, it attempts to send itself to addresses found in the Microsoft Outlook address book. The worm only attempts to mail itself the second time it is executed. The presence of any of the following files indicates a possible infection: REXEC.EXE, LINKI.EXE, rbatC.bat, and RAPP.EXE. The worm may also download other malware programs, such as adware, spyware, and Trojan applications. These are installed and run in the background, and may also be added to the system registry to run at system startup. Infected computers run slower than usual because the worm and the downloaded files consume system resources. The constant download of files consumes most of the system’s Internet bandwidth. Available RAM and disk space are also significantly decreased.
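The indicators described above can be checked against a mounted disk image or a copy of the Windows directory. The following triage script is an added example, not part of the original entry. Its function names are hypothetical, and it assumes the WIN.INI autostart entry uses the standard `load=`/`run=` keys in the `[windows]` section, since the entry only says "a WIN.INI entry".

```python
import os
import re

# File names the entry lists as indicators of infection (matched case-insensitively).
INDICATOR_NAMES = {"rexec.exe", "linki.exe", "rbatc.bat", "rapp.exe"}

def find_indicator_files(root):
    """Walk a mounted volume or image root; return paths whose name is an indicator."""
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() in INDICATOR_NAMES:
                hits.append(os.path.join(dirpath, name))
    return sorted(hits)

def suspicious_win_ini_entries(win_ini_text):
    """Return (key, program) pairs from [windows] load=/run= naming an indicator.

    Assumption: the autostart entry uses the standard load=/run= keys.
    """
    hits, section = [], None
    for raw in win_ini_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "windows" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() not in ("load", "run"):
            continue
        # load=/run= may hold several programs separated by spaces or commas.
        for program in re.split(r"[,\s]+", value):
            base = program.replace("\\", "/").rsplit("/", 1)[-1].lower()
            if base in INDICATOR_NAMES:
                hits.append((key.lower(), program))
    return hits

def triage(root):
    """Run both checks over a Windows directory tree rooted at `root`."""
    report = {"files": find_indicator_files(root), "win_ini": []}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() == "win.ini":
                with open(os.path.join(dirpath, name), errors="replace") as fh:
                    report["win_ini"] += suspicious_win_ini_entries(fh.read())
    return report
```

A file-name match is only a lead for further analysis; the entry gives no hashes, so a hit should be confirmed with a current scanner.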