Aliases: I-Worm.Delf.a, W32/[email protected], Win32.HLLM.Shutface.27136, Win32/[email protected], WORM_SHUTFACE.A
Variants: W32/Delf.HH, I-Worm/Delf.A, Worm Generic, Win32/Keco.G
Classification: Malware
Category: Computer Worm
Status: Active & Spreading
Spreading: Slow
Geographical info: Asia, North and South America, and some parts of Europe and Australia
Removal: Easy
Platform: W32
Discovered: 07 Aug 2006
Damage: Low
Characteristics: A mass-mailing worm that also spreads through Yahoo Messenger and attempts to steal the password for the "Lineage" online game.
Malware on your computer causes annoyances and can damage your system. You should either:
A. Manually remove the infected files from your computer, or
B. Automatically scan your system using trusted software
RECOMMENDED: We recommend that you scan your system for malware. Our partner has a computer worm removal tool that automatically cleans this worm from your computer.
The worm spreads by disguising itself as existing .exe files on the compromised PC. The disguised executable has a corrupted header that prevents it from running normally; the original program is preserved as data appended to the end of the infected file, which is why recovery is possible.

When the worm is executed, it creates the following files:
%Windir%\IEXPLORE1.exe
%System%\fgb2ksudll.dll
%System%\up.exe

Here %Windir% is a variable that refers to the Windows installation folder, by default C:\Windows or C:\Winnt, and %System% refers to the System32 folder beneath it.

The worm adds the registry value "load" = "%Windir%\IEXPLORE1.exe" so that it is executed each time Windows starts. It also terminates the processes EGHOST.EXE, MAILMON.EXE, KAVPFW.EXE and IPARMOR.EXE, which belong to antivirus and personal-firewall products, to disable protection on the host.
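The infection pattern described above (a leading header damaged so the file no longer runs, with the intact original executable appended behind it) is something a responder can detect and reverse without the vendor tool. The script below is an added example, not code from the original write-up: it flags .exe files whose leading DOS/PE header is invalid but which carry a valid PE header further into the file, and carves the appended original back out. The sample infected file is constructed inline (a stub with e_lfanew set to 0xFFFFFFFF followed by a minimal PE-shaped blob); real infected files will differ in how the header is damaged, so the check deliberately keys only on "front header invalid, valid header later".

```python
"""Detect and recover executables infected in the style described above.
Added example, not the original page's or any vendor's code.
Constructed sample data only; no network or registry access."""
import os
import struct
from typing import Iterator, Optional, Tuple

MZ = b"MZ"
PE = b"PE\0\0"

INFECTED = "infected-pattern"   # front header broken, valid PE appended
HEADER_OK = "header-ok"         # leading header valid: not this infection pattern
CORRUPT = "corrupt-no-payload"  # front header broken and nothing recoverable behind it


def pe_header_ok(data: bytes, base: int = 0) -> bool:
    """True if data[base:] begins with a DOS header whose e_lfanew hits a PE signature."""
    if len(data) < base + 0x40 or data[base:base + 2] != MZ:
        return False
    e_lfanew = struct.unpack_from("<I", data, base + 0x3C)[0]
    if not 0 < e_lfanew < len(data) - base:
        return False  # damaged header: e_lfanew points outside the file
    off = base + e_lfanew
    return data[off:off + 4] == PE


def find_appended_pe(data: bytes, start: int = 1) -> Optional[int]:
    """Offset of the first valid PE header at or after `start`, or None."""
    pos = data.find(MZ, start)
    while pos != -1:
        if pe_header_ok(data, pos):
            return pos
        pos = data.find(MZ, pos + 1)
    return None


def classify(data: bytes) -> str:
    """Verdict for one file image, following the behaviour described in the entry."""
    if pe_header_ok(data):
        return HEADER_OK
    return INFECTED if find_appended_pe(data) is not None else CORRUPT


def recover_original(data: bytes) -> Optional[bytes]:
    """Return the appended original executable if the infection pattern matches."""
    if classify(data) != INFECTED:
        return None
    return data[find_appended_pe(data):]


def scan_tree(root: str) -> Iterator[Tuple[str, str]]:
    """Yield (path, verdict) for every .exe under root. Read-only."""
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".exe"):
                path = os.path.join(dirpath, name)
                with open(path, "rb") as fh:
                    yield path, classify(fh.read())


# --- constructed sample data (hypothetical, for demonstration only) ---------

def minimal_pe(payload: bytes) -> bytes:
    """A PE-shaped blob: DOS header with e_lfanew=0x40, PE signature, then payload."""
    dos = bytearray(0x40)
    dos[0:2] = MZ
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + PE + payload


def build_infected_sample() -> bytes:
    """Stub with a damaged header (e_lfanew out of range) followed by the original."""
    stub = bytearray(0x40)
    stub[0:2] = MZ
    struct.pack_into("<I", stub, 0x3C, 0xFFFFFFFF)  # points far outside the file
    return bytes(stub) + minimal_pe(b"original program")


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        for p, verdict in scan_tree(sys.argv[1]):
            print(f"{verdict:20s} {p}")
    else:
        sample = build_infected_sample()
        print(classify(sample), "-> recovered", len(recover_original(sample)), "bytes")
```

Run it with a directory argument to list verdicts for every .exe beneath it; a file reported as `infected-pattern` can be restored by writing `recover_original()` output back in place of the infected file. Treat `header-ok` as "not this pattern" rather than "clean": legitimate installers and packers also embed second PE images, which is why the check requires the front header to be broken before it carves anything.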
The worm connects to “[http://]www.spr1t3.com/upda[REMOVED]” to check for a newer version of itself. It attempts to download a file from that URL, save it as “%System%\up.exe” and run it.

The worm collects “Lineage” game passwords and sends them to addresses at 163.com and nm.com. It also harvests email addresses from files with .txt, .html, .tml and .doc extensions and uses its own SMTP engine to mail itself to the addresses it finds.

The worm may also type Chinese-language messages into any Yahoo Instant Messenger windows it finds and press the “Send” button. These messages contain the URL “[http://]tw.lineage.org.tw/photo/jpg1[REMOVED]”.