[email protected]


Aliases: I-Worm.Welyah.a, W32/[email protected], Win32.HLLM.Shoho, W32/Shoho-Fam, Win32/[email protected]
Variants: WORM_SHOHO.C, Worm/WelYah, W32/[email protected], Win32:Shoho, I-Worm/Shoho

Classification: Malware
Category: Computer Worm

Status: Active & Spreading
Spreading: Fast
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 20 Dec 2001
Damage: Low

Characteristics: Shoho is a mass-mailing worm written in Visual Basic. It also uses the IFRAME vulnerability, which lets Microsoft Outlook open the attachment automatically.

More details about the Shoho worm

When the Shoho worm is opened, it copies itself to the Windows\System and Windows folders as “Winl0g0n.exe”. Note that the filename uses zeros (0), not the letter “O”. It then adds the value “WINL0G0N C:\windows\WINL0G0N.EXE” to the registry key. This causes the worm to run every time Windows starts. The worm then creates the file “Email.txt” in the same folder as the worm. “Email.txt” is the MIME Base64-encoded version of the worm, and the worm uses this file to send itself. The worm also creates the file “Emailinfo.txt” in the same location. This file is used to store the email addresses that the worm finds on your PC.

The worm searches your PC for email addresses in files that have “.mbx”, “.wab”, “.mbx”, “.eml”, “.xlt”, “.xls”, and “.mdb” extensions, and writes them to the “Emailinfo.txt” file. It then uses its own SMTP engine to send itself to those email addresses. The messages have these features: subject “Welcome to Yahoo Mail!”, attachment “Readme.txt.pif”. Note that there can be many blank spaces between the “.txt” and “.pif” file extensions. This is done to trick you into believing that the attachment is just a .txt file, when it is actually an executable .pif file. The worm uses the IFRAME vulnerability, which makes MS Outlook open the attachment automatically.
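The two naming tricks described above (the space-padded “Readme.txt … .pif” attachment and the “Winl0g0n.exe” lookalike) can be flagged by a mail or file filter. The following is an added example, not code from the original page; the extension lists, the set of system file names and the function names are assumptions chosen for illustration.

```python
import re

# Extensions Windows runs directly; the page's sample attachment uses .pif.
EXECUTABLE_EXTS = {"pif", "exe", "scr", "com", "bat", "cmd", "vbs", "lnk"}
# Extensions a reader takes for harmless data (assumed list for this example).
DECOY_EXTS = {"txt", "doc", "xls", "jpg", "gif", "pdf", "htm", "html"}

# Digit-for-letter swaps, as in "Winl0g0n.exe" (zeros instead of the letter O).
LOOKALIKES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s"})
# Assumed short list of genuine Windows file names worth protecting.
SYSTEM_NAMES = {"winlogon.exe", "svchost.exe", "explorer.exe", "lsass.exe"}


def check_attachment(filename):
    """Return findings for an attachment name that hides an executable type."""
    findings = []
    # Split on dots and strip the padding that surrounds each part.
    parts = [p.strip() for p in filename.split(".")]
    if len(parts) < 2 or parts[-1].lower() not in EXECUTABLE_EXTS:
        return findings
    # "name.txt.pif": a data-looking extension sits in front of the real one.
    if len(parts) >= 3 and parts[-2].lower() in DECOY_EXTS:
        findings.append("double-extension")
    # A run of whitespace before the last dot pushes the real extension
    # out of the visible part of the attachment name.
    if re.search(r"\s{2,}\.[^.]*$", filename):
        findings.append("padded-extension")
    return findings


def is_lookalike_system_name(filename):
    """True when digit substitution turns the name into a system file name."""
    name = filename.lower()
    return name not in SYSTEM_NAMES and name.translate(LOOKALIKES) in SYSTEM_NAMES


if __name__ == "__main__":
    # Constructed sample names, modelled on the ones the page describes.
    for sample in ["Readme.txt" + " " * 40 + ".pif", "Readme.txt.pif", "notes.txt"]:
        print(repr(sample), check_attachment(sample))
    for sample in ["Winl0g0n.exe", "winlogon.exe", "notepad.exe"]:
        print(sample, is_lookalike_system_name(sample))
```

A lookalike match is only a lead: the same check on a file's full path and its autostart registry entry tells a defender whether the file is set to run at startup.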