[email protected]

Aliases: Email-Worm.VBS.Saros.a, Generic.ScriptWorm.6C510160, VBS/[email protected]
Variants: VBS_SAROS.A, W32/Saros-A, Worm/Saros.A.1

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 02 Aug 2004
Damage: Low

Characteristics: W32/[email protected] is a worm that spreads through email, file-sharing networks and MIRC.The virus affects Windows Operating System platforms such as Windows 2000, Windows 95, Windows 98, Windows Me, Windows NT, Windows Server 2003, and Windows XP.

More details about [email protected]

When [email protected] is run, it attempts to create the file, \WINDOWS\system32\About.hta, which is a harmless HTML file, this file is actually a copy of itself. It also creates and runs a VBScript file that creates registry keys, archive file (which contains the copy of the worm), and sends an email to all the entries in the Microsoft Outlook Address Book. The email comes with “Microsoft Outlook News” as its Subject, a message saying “Microsoft Outlook Update / Bug Fixed - Contact: -----.com” and an attachment named MSOutlookInternetUpdate.exe. This application also places a copy of itself in the Windows directory. This executable file may use a variety of file names. This prevents it from being detected immediately. The software also adds its process to the startup registry key.

The program runs automatically once its download and installation procedure is completed. The presence of the [email protected] application may result to a slower response of the computer. It may also reduce Internet connection speed of the system. The files utilized by the [email protected] application are located on the Windows system folder. The program registers its main file as a service process named ActiveX. This allows the application to execute automatically every time the computer boots up.