[email protected]

Aliases: Shoes, [email protected]
Variants: Win32/Shoes.A

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 01 Jun 2004
Damage: Low

Characteristics: The [email protected] program is a mass-mailing worm that spreads by sending itself to the contacts in the Microsoft Outlook address book. It also changes the Internet Explorer startup page.

More details about [email protected]

When the [email protected] program is opened, it copies itself to “%ProgramFiles%\Catalouge\Adidas Catalouge 2004.exe”, “%System%\Adidas.Worm.exe”, and “%ProgramFiles%\WindowsUpdate\drivers2.xml.exe”. %ProgramFiles% is a variable that refers to the location of the program files folder. By default, it is “C:\Program Files”. The [email protected] program searches for the system folder and copies itself to that location. These locations are hard coded and do not depend on system variables. The worm adds the value "" = "" to the registry key, so that [email protected] runs when Windows starts. The worm sends an email to every contact in the Microsoft Outlook address book. The [email protected] program also changes the Internet Explorer startup page to a set Web page.
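A triage check for the dropped copies described above, as an added example that is not part of the original write-up. It assumes the volume under examination is mounted at a directory, that the separators lost from the page's paths fall after "Catalouge", "%System%" and "WindowsUpdate", and that the program files and system folders have their default names; the function names are hypothetical.

```python
import os
import sys

# Dropped-file names from the description. The folder/file split points are an
# assumption, because the page's paths have lost their separators.
PROGRAM_FILES_DROPS = [
    ("Catalouge", "Adidas Catalouge 2004.exe"),
    ("WindowsUpdate", "drivers2.xml.exe"),
]
SYSTEM_DROPS = ["Adidas.Worm.exe"]
# Default system folder names (assumed): Windows 9x/Me, NT/2000, XP.
SYSTEM_DIRS = [("Windows", "System"), ("WINNT", "System32"), ("Windows", "System32")]


def find_ci(parent, name):
    """Return the entry of `parent` that matches `name` ignoring case, or None."""
    try:
        for entry in os.listdir(parent):
            if entry.lower() == name.lower():
                return os.path.join(parent, entry)
    except OSError:  # missing, unreadable, or not a directory
        pass
    return None


def resolve_ci(root, parts):
    """Walk `parts` below `root` case-insensitively, as Windows lookups do."""
    path = root
    for part in parts:
        path = find_ci(path, part)
        if path is None:
            return None
    return path


def scan_volume(root):
    """Return the worm's dropped copies found on a mounted Windows volume."""
    candidates = [("Program Files",) + drop for drop in PROGRAM_FILES_DROPS]
    candidates += [d + (name,) for d in SYSTEM_DIRS for name in SYSTEM_DROPS]
    hits = []
    for parts in candidates:
        found = resolve_ci(root, parts)
        if found and os.path.isfile(found):
            hits.append(found)
    return sorted(hits)


if __name__ == "__main__":
    for hit in scan_volume(sys.argv[1] if len(sys.argv) > 1 else "C:\\"):
        print("found:", hit)
```

The lookup ignores case because a volume mounted on a case-sensitive host may store the same names in different case than the write-up uses.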

The program has downloading capabilities. It downloads additional files to the computer. The [email protected] worm often retrieves these files from remote servers on the Internet. The program is often used by other malware applications to download components from the World Wide Web. These malware programs include Remote Access Tools (RATs), keyloggers, monitoring software, worms and adware applications. The additional components downloaded by the application may include rootkit programs and data mining tools.