[email protected]

Aliases: I-Worm.Byzer.b, W32/Ronoper.worm.p, Win32.HLLW.Ronop.10, W32/Byzer-B, Win32/[email protected]
Variants: WORM_BYZER.B, Worm/Byzer.B.2, W32/Byzer.B, Win32:Byzer-B, I-Worm/Byzer.B

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Hard
Platform: W32
Discovered: 10 Jun 2003
Damage: Medium

Characteristics: The [email protected] is a mass-mailing worm that spreads through mIRC, email, and file-sharing networks.

More details about [email protected]

When the [email protected] worm is executed, it copies itself to the %Windir% folder as “Systools.exe” and “Melda.scr”. The worm creates and overwrites registry keys and values. It disables security programs by ending their running processes and services. The worm terminates the following processes: “_Avpcc.exe”, “_avpm.exe”, “Ackwin32.exe”, “Anti-trojan.exe”, “Apvxdwin.exe”, “Autodown.exe”, “Avconsol.exe”, “Ave32.exe”, “Avgctrl.exe”, “Avkserv.exe”, “Avnt.exe”, “Avp.exe”, “Avp32.exe”, “Avpcc.exe”, “Avpdos32.exe”, “Avpm.exe”, “Avptc32.exe”, “Avpupd.exe”, “Avsched32.exe”, “Avwin95.exe”, “Avwupd32.exe”, “Blackd.exe”, “Blackice.exe”, “Cfiadmin.exe”, “Cfiaudit.exe”, “Cfinet.exe”, “Cfinet32.exe”, “Claw95.exe”, “Claw95cf.exe”, “Cleaner.exe”, “Cleaner3.exe”, “Dvp95.exe”, “Dvp95_0.exe”, “Ecengine.exe”, “Esafe.exe”, “Espwatch.exe”, and “F-agnt95.exe”. The worm uses MAPI to mail itself to every contact in the Windows Address Book. It also copies itself to the KaZaa download folder under the lure names “Systools.exe”, “Windows XP Key Generator.exe”, “Windows XP Keygen.exe”, “Hotmail Hack.exe”, “Icq Hack.exe”, “PornStar in Hardcore Action.scr”, and “Penis Enlargement Secrets.scr”.
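The behaviour described above gives a responder three host-side indicators: the two dropped files in %Windir%, the lure file names in the KaZaa shared folder, and a burst of security-tool process terminations. The script below is an added triage example, not code from the original entry or from any vendor: it checks a constructed file listing and a constructed process-event log against those indicators. The `C:\Program Files\Kazaa\My Shared Folder` path, the `key=value` event format, the `killer`/`target`/`action` field names and the sample timestamps are assumptions made for the example, not artifacts from the worm.

```python
"""Added example (not from the original entry): host-side triage for the
indicators this entry describes.  All paths, event lines and timestamps are
constructed sample data, not observed artifacts."""
import ntpath
from collections import defaultdict

# File names the entry says the worm drops into %Windir%.
WINDIR_DROPS = {"systools.exe", "melda.scr"}

# Lure names the entry says the worm copies into the KaZaa download folder.
KAZAA_LURES = {
    "systools.exe", "windows xp key generator.exe", "windows xp keygen.exe",
    "hotmail hack.exe", "icq hack.exe", "pornstar in hardcore action.scr",
    "penis enlargement secrets.scr",
}

# Security-tool process names the entry says the worm terminates.
AV_PROCESSES = {
    "_avpcc.exe", "_avpm.exe", "ackwin32.exe", "anti-trojan.exe", "apvxdwin.exe",
    "autodown.exe", "avconsol.exe", "ave32.exe", "avgctrl.exe", "avkserv.exe",
    "avnt.exe", "avp.exe", "avp32.exe", "avpcc.exe", "avpdos32.exe", "avpm.exe",
    "avptc32.exe", "avpupd.exe", "avsched32.exe", "avwin95.exe", "avwupd32.exe",
    "blackd.exe", "blackice.exe", "cfiadmin.exe", "cfiaudit.exe", "cfinet.exe",
    "cfinet32.exe", "claw95.exe", "claw95cf.exe", "cleaner.exe", "cleaner3.exe",
    "dvp95.exe", "dvp95_0.exe", "ecengine.exe", "esafe.exe", "espwatch.exe",
    "f-agnt95.exe",
}


def scan_files(paths, windir=r"C:\WINDOWS"):
    """Return (kind, path) findings for paths whose file name matches the
    entry's drop or lure lists.  Matching is case-insensitive because Windows
    file systems are; the folder test keeps the rule specific to the two
    locations the entry names, so the same name elsewhere is not flagged."""
    findings = []
    windir_l = windir.lower().rstrip("\\") + "\\"
    for p in paths:
        folder, name = ntpath.split(p)
        name_l = name.lower()
        folder_l = folder.lower().rstrip("\\") + "\\"
        if folder_l == windir_l and name_l in WINDIR_DROPS:
            findings.append(("windir_drop", p))
        elif "kazaa" in folder_l and name_l in KAZAA_LURES:   # assumed folder layout
            findings.append(("kazaa_lure", p))
    return findings


def detect_av_kills(event_lines, threshold=3):
    """Parse constructed '<timestamp> key=value ...' process events and report
    every process that terminated at least `threshold` distinct security-tool
    processes.  A single kill (e.g. an admin closing one tool) stays below the
    threshold; the worm's sweep through the list does not."""
    kills = defaultdict(set)
    for line in event_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:] if "=" in f)
        if fields.get("action") != "terminate":
            continue
        target = fields.get("target", "").lower()
        if target in AV_PROCESSES:
            kills[fields.get("killer", "?").lower()].add(target)
    return {k: sorted(v) for k, v in kills.items() if len(v) >= threshold}


# Constructed sample input: a partial file listing and a few process events.
SAMPLE_PATHS = [
    r"C:\WINDOWS\Systools.exe",
    r"C:\WINDOWS\Melda.scr",
    r"C:\WINDOWS\notepad.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\Hotmail Hack.exe",
    r"C:\Program Files\Kazaa\My Shared Folder\song.mp3",
    r"C:\Temp\Systools.exe",   # known name in an unexpected folder: not flagged by this rule
]

SAMPLE_EVENTS = [
    "2003-06-10T08:00:01 killer=systools.exe target=avp32.exe action=terminate",
    "2003-06-10T08:00:01 killer=systools.exe target=blackice.exe action=terminate",
    "2003-06-10T08:00:02 killer=systools.exe target=cfinet.exe action=terminate",
    "2003-06-10T08:00:02 killer=systools.exe target=explorer.exe action=open",
    "2003-06-10T08:05:00 killer=taskmgr.exe target=avp.exe action=terminate",
]

if __name__ == "__main__":
    for kind, path in scan_files(SAMPLE_PATHS):
        print(f"{kind}: {path}")
    for killer, targets in detect_av_kills(SAMPLE_EVENTS).items():
        print(f"av_kill_sweep: {killer} terminated {', '.join(targets)}")
```

The file rule deliberately ties each name to the folder the entry names; `C:\Temp\Systools.exe` in the sample is left unflagged to show that trade-off, and a responder who wants broader coverage can drop the folder test and accept more false positives. The process rule keys on the number of distinct security tools one process terminates rather than on any single name, which is the pattern that separates the worm's sweep from ordinary administration.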

The [email protected] worm also lets a remote user start servers on the infected computer, such as a File Transfer Protocol (FTP) server, a proxy server or a web server. It may also make the computer take part in Distributed Denial of Service (DDoS) attacks. A DDoS attack floods a system with so many requests that it stops responding to other incoming traffic. Other remote actions the worm makes possible include logging keystrokes, capturing screen images, packet sniffing, port scanning, starting remote shells and downloading arbitrary files. Failure to remove the worm and its variants from the system may result in greater damage.