[email protected]

Aliases: I-Worm.PonyExpress, W32/Pony.worm.a, Win32.HLLW.Hoaxley.40960, W32/PonyExpr-A, Win32/[email protected]
Variants: WORM_PNYXPRESS.A, Worm/PonyExpress, Win32:PonyExpress, I-Worm/PonyExpress, [email protected],

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 21 Sep 2001
Damage: Low

Characteristics: The [email protected] worm is a mass mailing worm that utilizes MS Outlook to spread itself to all the contacts in the address book of MS Outlook.

More details about [email protected]

The [email protected] worm spreads its replicates on computers connected to the network. It also provides unauthorized access on the user’s computer. This feature is enabled by the backdoor functionality of the program. A remote user may issue commands on the computer by utilizing the opening created by the application. The remote commands are sent to the computer through an Internet Relay Chat (IRC) channel. An unauthorized user may perform several remote actions through the ports opened by the program. These remote activities include managing the installation of the application, viewing system information, transmitting the program to other IRC users and creating IRC accounts. The remote user may also disable firewalls and security programs on the computer.

The [email protected] application may also execute programs the remote user sends. The remote hacker usually sends a Remote Administration Tool (RAT) and rootkit tool. The Remote Administration Tool (RAT) may allow the remote hacker to gain full control of the computer. It may download, upload, rename and delete files. The program may hide its presence in the computer. The application may terminate security programs such as anti-malware applications and personal firewalls. The [email protected] program may also use a rootkit tool to hide its movements. The rootkit tool may also change the file names of core components of the program. This tricks the user in to believing that the files are a legitimate Windows file.