[email protected]

Aliases: I-Worm.Shatrix, W32/[email protected], Win32.HLLM.Shake, W32/Shatrix-A, Win32/Shatrix.A
Variants: WORM_SHATRIX.A, Worm/Shatrix, W32/[email protected], Win32:Shatrix, I-Worm/Shatrix

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 04 Jan 2002
Damage: Medium

Characteristics: [email protected] is a worm that is written in Delphi language. It multiplies by sending itself to contacts in the address book of Microsoft Outlook, and across network drives. The payload tries to remove .exe files and change them with itself.

More details about [email protected]

The W32/Shatrix-A program is an email class of worm. It multiplies as an email attachment. The W32/Shatrix program is an attachment named “Shake.exe”. This worm sends a duplicate of itself to the directory of Windows system making use of a random eight character named “XXXXXXXX.exe” and makes a registry key run to load itself. The worm tries to send itself to all the addresses found in the address book of Microsoft Outlook. The worm looks for HTM, HTML, and ASP files in the “C:\INETPUB\WWWROOT” directory. If these files are located, they are modified to include the some messages. The worm will erase “C:\*.EXE” files as well.

The [email protected] can be eliminated from the computer system manually. To do this, click the “start” menu, and then go to “Run” (the Run box shows). Type “regedit” and then press the “OK” button (the registry editor shows). You must remove the [email protected] worm, eliminate files that are detected as “[email protected]”, eliminate the value that this worm added to the registry key, delete or change the file “T_672b.ttm” and the “MatriX” folder, if it is located. After you have finished that, close the registry editor.