[email protected]

Aliases: Email-Worm.Win32.Salga.a, W32/[email protected][email protected], Win32.HLLW.Generic.95, W32/Salga-A
Variants: W32/[email protected], I-Worm/Salga.A, [email protected], Worm.Salga.A, W32/Salga.A.worm

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 27 Nov 2004
Damage: Medium

Characteristics: [email protected] propagates through the Internet as an attachment to infected messages. It also propagates via file sharing networks, IRC channels and open network resources. It sends a copy of itself to all email addresses found on the computer.

More details about [email protected]

There are two more ways on how [email protected] propagates. First, in propagation via local and file-sharing networks, the worm creates copies of itself in all subdirectories on hard disks if the name of the subdirectory contains the word 'share'. These copies are stored in My Shared Folder, which it created earlier upon installation. It also copies itself to network resources that may be hidden. Second is the propagation via IRC. Through this, the worm rewrites the mIRC\script.ini and mIRC32\script.ini files in the program files. This enables it to send copies of itself to IRC users in the same channel as the victim machine. The copy is named “Britny spears marriage with Bnladen son.zip.exe”

The program creates and maintains an unauthorized network connection between remote systems and the user’s computer. The opening created by the [email protected] application allows remote users to issue commands to the computer. The remote instructions may prompt the computer to download files from the Internet, terminate running processes, delete files and restart the system. The remote user may send the commands to the computer via Hypertext Transfer Protocol (HTTP).