[email protected]

Aliases: I-Worm.Serab.c, W32/Serab.worm.gen, W32/Serab-C, Win32/[email protected],
Variants: WORM_SERAB.C, W32/Serab.C, Win32:Serab-B, I-Worm/Serab.C, [email protected],

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Moderate
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 06 Oct 2003
Damage: Medium

Characteristics: This worm is a threat classified as a Mass Mailer. A mass mailing worm is an independent malicious code that multiplies by sending itself by the use of email.

More details about [email protected]

The [email protected] program copies itself to the hard disk and modifies the registry to ensure that it loads automatically every time the computer boots up. It then harvests e-mail addresses from the hard disk. It automatically sends itself through e-mail by directly connecting to the recipient's Simple Mail Transfer Protocol (SMTP) server. When the [email protected] program executes, it copies itself to “WindowsWinpof.exe” in the drive C. Then the worm virus crashes the “WindowsSera.vbs” at drive C and then opens it. After that, this script mass mails itself to all the contacts in MS Outlook. The email has a subject “Wow! It Should be seen!” and a message body “Hi dead friend. Press the attached file!” with the “windowswinpof.exe” in drive C attachment. The [email protected] program may exploit the security flaws of the computer. It may particularly disable antivirus and firewall applications. It hides its own processes, files and registry changes using a kernel-mode rootkit. It may also install backdoor applications in the infected computer. These backdoor applications may be used by other worm programs to gain entry in the computer system.

The program drops additional files into the user’s computer. The [email protected] application is often utilized by other malware programs to retrieve components from online sources. These components may include rootkit tools and data mining applications. The files dropped by the program are utilized by malware applications such as Remote Access Tools (RATs), keyloggers, monitoring software, adware programs and worms. The [email protected] program uses a backdoor application to communicate with remote servers on the Internet.