[email protected]

Aliases: PWS-Banker.gen.q, Trojan.PWS.Banker.1076, TSPY_DELF.IF, TR/Dldr.Dadobra.HC, Win32:Dadobra-DX,
Variants: Downloader.Generic.DBT, Trojan.Downloader.Dadobra.HC, Win32/TrojanDownloader.Dadobra.HC

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: South America
Removal: Hard
Platform: W32
Discovered: 23 Aug 2005
Damage: Medium

Characteristics: The [email protected] is a mailing worm that propagates making use of MS Outlook and gets a Trojan Horse.

More details about [email protected]

When the [email protected] worm is opened, it executes a file that drops “C:\Windows\system32\accwizz.exe” and “C:\Windows\system32\accwizzz.exe”. “C:\Windows\system32\accwizz.exe” is a Trojan horse that reaches an IRC for instructions making use of TCP port 6667. “C:\Windows\system32\accwizzz.exe” is a Trojan horse that sends out email banking passwords. This worm adds value to the registry key so that it opens each time the Windows starts. This worm utilizes MS Outlook to spread a duplicate of itself to all email addresses collected from the address book of MS Outlook. The body of the message is an HTML page that comes from “radio.terra.com.br”.

After creating copies of itself, the [email protected] program creates a folder inside the Shared folder on P2P programs. This is to propagate itself to other computers. The system may slow down due to the worm program’s activities on the affected system. Apart from spreading from computer to computer, the [email protected] program also opens a backdoor on the affected computer. This is to allow remote users to access the computer and gain partial control of the affected system. The remote user may acts as the system’s administrator and carries out unwanted activities on the user’s machine.