Aliases: I-Worm.Shiba, W32/Shiba, Win32.HLLM.Shiba, W32/Shiba-A, Win32/Shiba.A
Variants: WORM_SHIBA.A, Worm/Shiba, I-Worm/Shiba, [email protected], W32/Shiba

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 04 Jun 2002
Damage: Low

Characteristics: W32.Shiba.Worm is a mass-mailing worm that sends itself to email addresses it finds in files with the “.?bx” extension.

More details about W32.Shiba.Worm

When W32.Shiba.Worm is executed, it copies itself as “C:WindowsAll Users++¦- -¦¡¦¦¯¦+¦+-++¦-¦»¦¯Start.doc.pif”, “C:Letter.doc.pif”, “C:MyDocumentsLetter.doc.pif”, “C:Windowsé+é¦éó.scr”, and “C:Windows+¦++-»¦¯âGâNâXâvâìü[âë.pif”. The worm then searches the Windows folder on drive C and its root folders for files that have the “.?bx” extension. It parses these files and extracts the email addresses from them. It chooses addresses that end in “.net”, “.com”, or “.jp” and that do not begin with a number or contain the string “mag2”. These email addresses are held for later use in the mass-mailing routine. Next, the worm looks for “.xls” and “.doc” files in all folders on all drives in the PC. If it finds such files, it tries to delete them and place a copy of itself in the same location, using the two extensions “.xls.pif” and “.doc.pif”.

If the worm finds any targeted email addresses through this process, or under special system conditions that the worm's author planned for debugging purposes, it automatically mails itself. The email message has the subject “Hello,Shibatsu”, a message body (the Japanese characters of the mail text are not displayed correctly, and the Japanese details are sent as an attached file), and an attachment named “letter.doc.pif”. After the worm sends itself, it immediately uses Notepad to open and close the file that contains the list of email addresses it gathered from the system.
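
The indicators described above (the “.doc.pif” and “.xls.pif” copies left where documents were deleted, and the mail with subject “Hello,Shibatsu” carrying “letter.doc.pif”) can be checked with a short script. This is an added example, not part of the original write-up; the function names and the sample message are constructed for illustration.

```python
import email
import os
from email.message import EmailMessage

# Indicators taken from the description above.
DECOY_SUFFIXES = (".doc.pif", ".xls.pif")
MAIL_SUBJECT = "Hello,Shibatsu"
MAIL_ATTACHMENT = "letter.doc.pif"

def find_decoys(root):
    """Return sorted (relative_path, original_missing) for decoy copies under root.

    original_missing is True when the document the copy imitates
    (same name without the trailing .pif) is no longer present.
    """
    hits = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(DECOY_SUFFIXES):
                path = os.path.join(dirpath, name)
                missing = not os.path.exists(path[:-4])  # strip ".pif"
                hits.append((os.path.relpath(path, root), missing))
    return sorted(hits)

def message_matches(raw_bytes):
    """Return the reasons a raw mail message matches the worm's mail."""
    msg = email.message_from_bytes(raw_bytes)
    reasons = []
    if (msg.get("Subject") or "").strip() == MAIL_SUBJECT:
        reasons.append("subject")
    for part in msg.walk():
        fname = (part.get_filename() or "").lower()
        if fname == MAIL_ATTACHMENT or fname.endswith(DECOY_SUFFIXES):
            reasons.append("attachment:" + fname)
    return reasons

def build_sample_message():
    """Constructed sample mail; the attachment is harmless placeholder bytes."""
    m = EmailMessage()
    m["From"] = "sender@example.com"   # constructed address
    m["To"] = "rcpt@example.net"       # constructed address
    m["Subject"] = MAIL_SUBJECT
    m.set_content("constructed test body")
    m.add_attachment(b"placeholder", maintype="application",
                     subtype="octet-stream", filename=MAIL_ATTACHMENT)
    return m.as_bytes()

if __name__ == "__main__":
    print(message_matches(build_sample_message()))
    print(find_decoys("."))
```

A hit with `original_missing` set to True marks a location where a document may have been deleted and should be restored from backup.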